Tuesday, May 31, 2011

Remote DLL injection and Antivirus Evasion

Great post by Mubix that explains a really interesting technique to bypass an antivirus running on a Windows host.

Mubix points to a DLL written by Didier Stevens that suspends a process and all of its threads after a delay. The idea behind it is to put the antivirus process to sleep so that it cannot detect anything during the pentest.

I understand that the DLL must be uploaded to the host before it is loaded into the target process's memory and, perhaps, the antivirus can use this to flag the DLL on disk before we have a chance to load it. I wonder whether this can also be done from Meterpreter without writing to disk.
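As an added example (my own, not code from Mubix's post or from Didier Stevens' DLL), here is a defender-side PowerShell check for the two things described above: an antivirus process whose threads have all been parked in the suspended state, and a module loaded into that process from a location outside the directories where its own files live. The process name MsMpEng and the list of trusted directories are assumptions for illustration; adjust them to the product actually deployed.

```powershell
# Added example, not part of the original post. Checks one process for the two
# symptoms of the technique described above:
#   1. every thread of the process sitting in the Suspended wait state, and
#   2. a loaded module whose on-disk path is outside a set of trusted roots.
# Process name and trusted roots are assumptions; change them for your environment.
param(
    [string]$ProcessName = 'MsMpEng',   # assumption: Windows Defender engine; use your AV's process
    [string[]]$TrustedRoots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        $env:SystemRoot
    )
)

function Test-SuspendedProcess {
    param([System.Diagnostics.Process]$Process)
    # A process whose threads are all in the Suspended wait reason is doing nothing,
    # which is exactly the effect of the delayed-suspend DLL. WaitReason can only be
    # read when ThreadState is Wait, so the checks are ordered to short-circuit.
    $threads = @($Process.Threads)
    if ($threads.Count -eq 0) { return $false }
    $suspended = @($threads | Where-Object {
        $_.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
        $_.WaitReason  -eq [System.Diagnostics.ThreadWaitReason]::Suspended
    })
    return ($suspended.Count -eq $threads.Count)
}

function Get-UntrustedModules {
    param([System.Diagnostics.Process]$Process, [string[]]$Roots)
    # A DLL injected from disk still appears in the module list with its file path;
    # anything not under a trusted root deserves a closer look.
    try {
        $modules = @($Process.Modules)
    } catch {
        # Protected or cross-bitness processes refuse module enumeration; report and move on.
        Write-Warning ("PID {0}: cannot enumerate modules ({1})" -f $Process.Id, $_.Exception.Message)
        return
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        $trusted = $false
        foreach ($r in $Roots) {
            if ($r -and $path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
                break
            }
        }
        if (-not $trusted) { $m }
    }
}

$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Warning "No process named '$ProcessName' is running; that alone is worth an alert"
    exit 1
}

foreach ($p in $procs) {
    if (Test-SuspendedProcess -Process $p) {
        Write-Warning ("PID {0}: all {1} threads are suspended" -f $p.Id, $p.Threads.Count)
    }
    foreach ($m in @(Get-UntrustedModules -Process $p -Roots $TrustedRoots)) {
        Write-Warning ("PID {0}: module {1} loaded from {2}" -f $p.Id, $m.ModuleName, $m.FileName)
    }
}
```

Run it from an elevated prompt, since reading the threads and modules of an antivirus process needs at least administrator rights and may still be refused for a protected process. Either finding needs corroboration before acting on it: a debugger attached to the process also leaves threads suspended, and a vendor that installs components outside the trusted roots will show up as "untrusted" until those paths are added to the list.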
