
Bypassing Antivirus with crypter and CFF Explorer

Bypassing antivirus is always a cat-and-mouse game, and we're always trying to stay ahead. I recently had a conversation with Justin Elze (@justinelze) on Twitter about his version of WCE getting flagged by McAfee Antivirus.

When I was working on smbexec I knew the wce executable would touch disk, so I did some research to find out how I might get a step ahead in bypassing antivirus vendors. What I found was that, for the wce universal binary, the base EXE carried resources inside it which were run on the target system. The base EXE was essentially a wrapper: it checked the architecture of the target system (32/64) and then launched the matching embedded resource. What this means is that even though the base EXE is obfuscated and can bypass antivirus, you may not have the same luck with the actual resources when they execute. Enter CFF Explorer and crypter for bypassing antivirus.
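The wrapper layout described above is also what a defender should look for: an outer executable whose resources are themselves complete PE images, which need to be hashed and scanned on their own rather than trusting a verdict on the outer file. As an added example (not code from the original post or the pentestgeek article), the following Python scans a byte blob for PE images nested past the outer header, reports their target architecture and hashes each one; the PE-shaped sample data is constructed here and is not a loadable binary.

```python
import hashlib
import struct

MACHINES = {0x14C: "x86", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_I386 / _AMD64


def parse_pe_at(data, off):
    """Validate a PE image starting at `off`; return (machine, end_offset) or None.
    The image end is estimated from the section table (max PointerToRawData + SizeOfRawData)."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]          # e_lfanew
    if pe < off + 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec = struct.unpack_from("<HH", data, pe + 4)             # COFF header
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]               # SizeOfOptionalHeader
    sec = pe + 24 + opt_size                                            # first section header
    end = sec + 40 * nsec
    if nsec == 0 or end > len(data):
        return None
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        end = max(end, off + raw_ptr + raw_size)
    return (MACHINES.get(machine, hex(machine)), end) if end <= len(data) else None


def find_embedded_pe(data):
    """Report PE images nested inside `data` after the outer header.
    Returns [(offset, machine, sha256_of_embedded_image), ...]."""
    hits = []
    off = data.find(b"MZ", 1)                     # skip the outer image's own header
    while off != -1:
        parsed = parse_pe_at(data, off)
        if parsed:
            machine, end = parsed
            hits.append((off, machine, hashlib.sha256(data[off:end]).hexdigest()))
            off = data.find(b"MZ", end)           # continue after this image
        else:
            off = data.find(b"MZ", off + 1)
    return hits


def make_stub_pe(machine, body):
    """Constructed minimal PE-shaped blob for testing (DOS header, COFF header, one section)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    hdr_len = 0x40 + 24 + 40
    section = b".text\0\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), hdr_len) + b"\0" * 16
    return dos + coff + section + body


# Constructed sample: an x86 "wrapper" carrying an x86 and an x64 image as payload resources.
SAMPLE = make_stub_pe(0x14C, b"wrapper-code" + make_stub_pe(0x14C, b"payload32" * 4)
                      + make_stub_pe(0x8664, b"payload64" * 4))
```

Running `find_embedded_pe(SAMPLE)` yields two hits, one x86 and one x64, each with its own hash that can be checked independently of the outer file.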


More here: https://www.pentestgeek.com/2014/07/15/bypassing-antivirus-crypter-cff-explorer/
