Signature Evasion
Signature-based detection (also known as static detection) is the simplest type of antivirus detection: it relies on predefined signatures of known malicious files. Put simply, it uses pattern matching, such as finding a unique string, a CRC checksum, a sequence of bytecode/hex values, or a cryptographic hash (MD5, SHA1, etc.).
The engine then compares the files present on the operating system against a database of signatures. If a file's signature exists in the database, the file is considered malicious. This method is effective against static malware.
To identify which bytes an AV signature matches, whether manually or with a tool, we use an iterative process to determine the byte offset at which the signature starts. By recursively splitting a compiled binary in half and scanning each part, we get a rough estimate of the byte range to investigate further.
An example output of GoCheck:
Once we identify the specific bytes that the antivirus (AV) software detects, we can apply obfuscation techniques to them.
(Go) is a Go implementation of . It takes a binary as input and splits it until it pinpoints the exact byte that Microsoft Defender flags on.
(C#) takes a binary as input and splits it until it pinpoints the exact byte that Microsoft Defender flags on, then prints those offending bytes to the screen.
(C#) uses the AMSI engine's scan functions against a provided PowerShell script and reports the specific sections of code it believes will be alerted on.
(PowerShell) decompresses Windows Defender Antivirus signatures, allowing reverse engineering of Microsoft Defender's signature database.
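The halving search described above, which the Go and C# tools implement against Defender, as an added Go example (not code from either project): `Scanner`, `markerScanner`, `buildSample` and the constructed marker are assumptions standing in for a real engine call, so the example runs offline.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
)

// Scanner returns true when the engine flags the sample. Real tools call Defender
// here; this example uses a constructed stand-in so it runs offline.
type Scanner func(sample []byte) bool

// Constructed marker standing in for a real signature (not a Defender pattern).
var marker = []byte("CONSTRUCTED-SIGNATURE")

func markerScanner(sample []byte) bool { return bytes.Contains(sample, marker) }

// buildSample returns a constructed "binary" (filler, marker at offset 100, filler)
// and the expected end offset of the signature, 100+len(marker).
func buildSample() ([]byte, int) {
	s := append(bytes.Repeat([]byte{'A'}, 100), marker...)
	return append(s, bytes.Repeat([]byte{0}, 50)...), 100 + len(marker)
}

// findSignatureEnd bisects prefix lengths for the smallest n with sample[:n] flagged,
// i.e. one past the last byte the signature needs; -1 if the whole sample is clean.
// Assumes verdicts are monotone in prefix length; real engines (truncated PE headers,
// several overlapping signatures) can break that, hence only a rough estimate.
func findSignatureEnd(sample []byte, flagged Scanner) int {
	if !flagged(sample) {
		return -1
	}
	lo, hi := 0, len(sample) // invariant: sample[:lo] clean, sample[:hi] flagged
	for hi-lo > 1 {
		mid := lo + (hi-lo)/2
		if flagged(sample[:mid]) {
			hi = mid
		} else {
			lo = mid
		}
	}
	return hi
}

func main() {
	sample, _ := buildSample()
	end := findSignatureEnd(sample, markerScanner)
	start := end - 32 // show the 32 bytes leading up to the flagged offset
	if start < 0 {
		start = 0
	}
	fmt.Printf("signature ends at offset 0x%X\n", end)
	fmt.Print(hex.Dump(sample[start:end]))
}
```

Each round halves the candidate range, so a file of size N needs about log2(N) scans rather than one per byte.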
Using from Sysinternals, we can check whether a string is in Microsoft's signature database: