Develop more secure and effective antivirus solutions by leveraging antivirus bypass techniques. Antivirus software is built to detect, prevent, and remove malware from systems, but this does not guarantee the security of your antivirus solution as certain changes can trick the antivirus and pose a risk for users. This book will help you to gain a basic understanding of antivirus software and take you through a series of antivirus bypass techniques that will enable you to bypass antivirus solutions.The book starts by introducing you to the cybersecurity landscape, focusing on cyber threats, malware, and more. You will learn how to collect leads to research antivirus and explore the two common bypass approaches used by the authors. Once you've covered the essentials of antivirus research and bypassing, you'll get hands-on with bypassing antivirus software using obfuscation, encryption, packing, PowerShell, and more. Toward the end, the book covers security improvement recommendations, useful for both antivirus vendors as well as for developers to help strengthen the security and malware detection capabilities of antivirus software. By the end of this security book, you'll have a better understanding of antivirus software and be able to confidently bypass antivirus software. This book is for security researchers, malware analysts, reverse engineers, pentesters, antivirus vendors looking to strengthen their detection capabilities, antivirus users and companies that want to test and evaluate their antivirus software, organizations that want to test and evaluate antivirus software before purchase or acquisition, and tech-savvy individuals who want to learn new topics.

• Cover
• Title page
• Copyright and Credits
• Recommendation
• Contributors
• Table of Contents
• Preface
• Section 1: Know the Antivirus – the Basics Behind Your Security Solution
• Chapter 1: Introduction to the Security Landscape
  • Understanding the security landscape
  • Defining malware
    • Types of malware
  • Exploring protection systems
  • Antivirus – the basics
  • Antivirus bypass in a nutshell
  • Summary
• Chapter 2: Before Research Begins
  • Technical requirements
  • Getting started with the research
  • The work environment and lead gathering
    • Process
    • Thread
    • Registry
  • Defining a lead
  • Working with Process Explorer
  • Working with Process Monitor
  • Working with Autoruns
  • Working with Regshot
  • Third-party engines
  • Summary
• Chapter 3: Antivirus Research Approaches
  • Understanding the approaches to antivirus research
  • Introducing the Windows operating system
  • Understanding protection rings
  • Protection rings in the Windows operating system
  • Windows access control list
  • Permission problems in antivirus software
    • Insufficient permissions on the static signature file
    • Improper privileges
  • Unquoted Service Path
  • DLL hijacking
  • Buffer overflow
    • Stack-based buffer overflow
    • Buffer overflow – antivirus bypass approach
  • Summary
• Section 2: Bypass the Antivirus – Practical Techniques to Evade Antivirus Software
• Chapter 4: Bypassing the Dynamic Engine
  • Technical requirements
  • The preparation
    • Basic tips for antivirus bypass research
  • VirusTotal
  • VirusTotal alternatives
  • Antivirus bypass using process injection
    • What is process injection?
    • Windows API
    • Classic DLL injection
    • Process hollowing
    • Process doppelgänging
    • Process injection used by threat actors
  • Antivirus bypass using a DLL
    • PE files
    • PE file format structure
    • The execution
  • Antivirus bypass using timing-based techniques
    • Windows API calls for antivirus bypass
    • Memory bombing – large memory allocation
  • Summary
  • Further reading
• Chapter 5: Bypassing the Static Engine
  • Technical requirements
  • Antivirus bypass using obfuscation
    • Rename obfuscation
    • Control-flow obfuscation
    • Introduction to YARA
    • How YARA detects potential malware
    • How to bypass YARA
  • Antivirus bypass using encryption
    • Oligomorphic code
    • Polymorphic code
    • Metamorphic code
  • Antivirus bypass using packing
    • How packers work
    • The unpacking process
    • Packers – false positives
  • Summary
• Chapter 6: Other Antivirus Bypass Techniques
  • Technical requirements
  • Antivirus bypass using binary patching
    • Introduction to debugging / reverse engineering
    • Timestomping
  • Antivirus bypass using junk code
  • Antivirus bypass using PowerShell
  • Antivirus bypass using a single malicious functionality
  • The power of combining several antivirus bypass techniques
    • An example of an executable before and after peCloak
  • Antivirus engines that we have bypassed in our research
  • Summary
  • Further reading
• Section 3: Using Bypass Techniques in the Real World
• Chapter 7: Antivirus Bypass Techniques in Red Team Operations
  • Technical requirements
  • What is a red team operation?
  • Bypassing antivirus software in red team operations
  • Fingerprinting antivirus software
  • Summary
• Chapter 8: Best Practices and Recommendations
  • Technical requirements
  • Avoiding antivirus bypass dedicated vulnerabilities
    • How to avoid the DLL hijacking vulnerability
    • How to avoid the Unquoted Service Path vulnerability
    • How to avoid buffer overflow vulnerabilities
  • Improving antivirus detection
    • Dynamic YARA
    • The detection of process injection
    • Script-based malware detection with AMSI
  • Secure coding recommendations
    • Self-protection mechanism
    • Plan your code securely
    • Do not use old code
    • Input validation
    • PoLP (Principle of Least Privilege)
    • Compiler warnings
    • Automated code testing
    • Wait mechanisms – preventing race conditions
    • Integrity validation
  • Summary
  • Why subscribe?
• About Packt
• Other Books You May Enjoy
• Index