AV aversion tips
#1
Some of the stuff I'm making keeps popping hot. Any AV aversion and obfuscation tips?
UwU
#2
heyTakka Wrote: Some of the stuff I'm making keeps popping hot. Any AV aversion and obfuscation tips?

Assuming by `stuff` you mean ransomware, then adding intermittent encryption to it might aid in reducing detection.
If you have any questions, please PM dkota
#3
One tip: malware has a big size.
#4
prince97 Wrote:
heyTakka Wrote: Some of the stuff I'm making keeps popping hot. Any AV aversion and obfuscation tips?

Assuming by `stuff` you mean ransomware, then adding intermittent encryption to it might aid in reducing detection.

Some other stuff too, but yes. Thanks for the tip, I'll see what I can do.
UwU
#5
Find a good crypter service. It will obfuscate your malware to the point that AV will not find it. As soon as some AV starts detecting your code, you just run it through again.
#6
kljyhtgrfedfghnjkl;
#7
heyTakka Wrote: Some of the stuff I'm making keeps popping hot. Any AV aversion and obfuscation tips?

LEMMECHECK
#8
If not said yet... padding binaries in a ridiculous way can cheat some AV (CrowdStrike and similar). 90MB + more can bypass some versions of the agent.
#9
AderTodd9 Wrote: If not said yet... padding binaries in a ridiculous way can cheat some AV (CrowdStrike and similar). 90MB + more can bypass some versions of the agent.

Good point. If you make the binary large enough they cannot upload it to VirusTotal.
#10
heyTakka Wrote: Some of the stuff I'm making keeps popping hot. Any AV aversion and obfuscation tips?

Perhaps try cutting out bits and pieces of what's "popping hot" until you find a more manageable subset of what's causing the unintended behaviour, and then work on fixing that? Large encrypted sections can be suspicious, so writing an en/decrypt algo to spread out your encrypted first stage across multiple sections, for instance? Also, accessing specific APIs can trigger on Windows, so try to find work-arounds and the like?

Biggest thing is to not copy other folks' code. Do it yourself and develop incrementally.

This is getting a bit long in the tooth, but here's a detailed breakdown of how Windows Defender used to work. It's a PDF:

https://i.blackhat.com/us-18/Thu-August-...ulator.pdf