On-Disk Detection: Bypass AV’s/EDR’s using syscalls with legacy instruction, series of instructions and random nop instructions

Hi everyone, today I am going to explain some techniques to bypass AV/EDR’s static as well as dynamic detection. The main focus is to bypass on-disk detection of binary which is using direct syscalls. As a red teamer and security guy, I always try to find new stealthy methods to bypass security controls. My offensive approach can help blue team to mitigate these threats. As I always mention one thing in my blogs that “Offense is the best defense”. Before starting I want to recall that I have mentioned some techniques in my previous blog to bypass AV/EDR security solutions like random procedures names, strong encryption, direct syscalls and API hashing.

Arsenal: Bypass EDR’s/XDR’s and make malware analysis harder

Now I am going to explain on-disk detection and how to bypass this detection. Syscalls are really hard topic and with the help of SysWhispers2 you can simply generate ASM/H pair and can use in your project. I am going to explain how to use syswhispers2 because you can see detail instructions on syswhispers2 repository.

When I were doing my homework, after compiling my binary caught by Microsoft Windows defender. After touching the disk defender was catching my binary.

On-Disk detection of my binary

Although I am using direct syscalls still defender was catching my binary. Then I though maybe I am using well-know Metasploit created shellcode that’s why defender is catching my implant. Then I used strong AES encryption to avoid static detection of my binary.

AES Encryption

But after touching the disk Microsoft defender was still able to detect it. After some work, I understood that Microsoft defender might be looking for “syscall” instructions in my binary. I found the string “syscall” in my binary using objdump.

objdump --disassemble -M intel Disk_Part.exe | findstr "syscall"

Syscall Instruction in my binary

This is the reason defender was catching my binary. So In this blog, I am going to explain some techniques which can be used to bypass on-disk detection.

Techniques:-

1. Legacy Instruction (int 2Eh)
2. Series of Instructions
3. Random Instruction (nop)

Legacy Instruction

I wrote a C++ code which is doing process injection using direct syscalls. I am using msfvenom generated shellcode with AES encryption and injecting it into explorer.exe using syscalls. I always use random names of functions and variables to avoid static detection.

PoC Code

I used syswhispers2 to generate ASM/H pairs for direct syscalls. Firstly, I want to show the general structure of syscall stub.

General Pattern of Syscall Instruction

This is pattern of all syscalls defined in ntdll.dll. Syscall instruction in this stub might be interesting for AV/EDR’s to detect this approach. So I used “int 2Eh” legacy instruction to invoke syscalls rather than using “syscall” instruction to avoid on-disk detection of my binary.

int 2Eh rather than syscall

This techniques is good to bypass on-disk detection of binary which is using syscalls. Maybe in some cases AV/EDR’s don’t detect “syscall” instruction but make it more stealthy you can still use “int 2Eh”.

int 2Eh in binary

Series of Instructions

Detection could be done by looking for the “mov r10,rcx” instruction and then inspect the next instruction to determine if it was a syscall, since this allowed to inspect the syscall number. I didn’t face this thing in my homework or during malware development but still I am going to explain this technique to bypass on disk detection.

I added series of instruction in asm file created by syswhispers2. To bypass these type of detection I am using series of instructions. I am not moving “r10,rcx” directly, I am firstly moving “r15,rcx” than “r14,r15” and so on to bypass the detection which is done by using syscalls instruction pattern. The OS doesn’t really care so long as there’s a syscall number in eax when it transitions to the kernel.

Series of Instructions

Random Instruction (nop)

Another technique to bypass on disk detection. I am adding “nop” instructions in my asm file. This techniques also can help to avoid pattern base detection of syscalls. You can add multiple nop instruction before invoking syscalls. These nop instructions will not effect to you code but these are really helpful to bypass detections which maybe done on pattern of general syscalls instructions.

nop instructions in asm file

Execution

After applying all above mentioned techniques, I compiled my binary and executed in the presence of Microsoft Windows Defender the result was more obvious for me. I was able to bypass static and dynamic analysis of defender.

Execution of binary

Than I decided to check my binary against multi AV/EDR’s. I uploaded my file on “antiscan.me” but no AV/EDR’s were able to detect my binary. My binary was cleaned and not flagged any AV/EDR.

https://antiscan.me/scan/new/result?id=Y8WUdCOS3KA6

CONCLUSION

This blog is explaining some techniques to bypass on-disk detection and the detection which could be done by identifying and monitoring the pattern of syscalls. In my upcoming blog, I would love to add more stealthy techniques to make my implant more stealthy.

AUTHOR:-

Usman Sikander

Cyber Security Engineer

Refernces:

GitHub - Offensive-Panda/on-disk-detection-bypass: Direct syscalls Injection to bypass AV/EDR

Arsenal: Bypass EDR’s/XDR’s and make malware analysis harder

AV/EDR Evasion Using Direct System Calls (User-Mode vs kernel-Mode)