Secondary Categories: 02-Malware
Description:
Most AV and EDR products use some form of static analysis to decide whether a program is malicious before it ever runs. Common methods for analysing a payload include the following:
- Checksums
- Strings
- Byte Sequences
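To make the three methods concrete, here is an added example (Python, not from the original page) of a toy static scanner that applies a checksum lookup, a `strings`-style extraction with suspicious-substring matching, and raw byte-sequence signatures to a constructed sample payload. The payload bytes, the indicator database and the signature names are all made up for this example and are not real malware indicators.

```python
import hashlib
import re
from dataclasses import dataclass, field

# --- Constructed sample payload (placeholder bytes, not real shellcode) ---
# A NOP-like run, a few instruction bytes, and some ASCII that a loader might
# carry.  Everything here is made up for the example.
SAMPLE_PAYLOAD = (
    b"\x90" * 8
    + b"\x48\x31\xc0\x48\x31\xdb"
    + b"VirtualAlloc\x00CreateThread\x00"
    + b"Hello from my cool hacking tool!\x00"
)

# --- Constructed indicator database (what a static engine keys on) ---
# 1. Checksums: hashes of samples seen before.  Seeded with the hash of
#    SAMPLE_PAYLOAD to simulate "this exact file was submitted previously".
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# 2. Strings: substrings that tend to show up in offensive tooling.
SUSPICIOUS_STRINGS = [b"hacking tool", b"CreateThread"]

# 3. Byte sequences: short opcode patterns, like a minimal YARA rule.
BYTE_SIGNATURES = {
    "nop_sled": b"\x90" * 8,
    "xor_rax_rbx_prologue": b"\x48\x31\xc0\x48\x31\xdb",
}


@dataclass
class ScanResult:
    hash_match: bool = False
    string_hits: list = field(default_factory=list)
    signature_hits: list = field(default_factory=list)

    @property
    def malicious(self) -> bool:
        return self.hash_match or bool(self.string_hits) or bool(self.signature_hits)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic the `strings` tool: runs of printable ASCII at least min_len long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def static_scan(data: bytes) -> ScanResult:
    """Run the three static checks and report what fired."""
    result = ScanResult()
    result.hash_match = hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256
    found = extract_strings(data)
    for needle in SUSPICIOUS_STRINGS:
        if any(needle in s for s in found):
            result.string_hits.append(needle.decode())
    for name, sig in BYTE_SIGNATURES.items():
        if sig in data:
            result.signature_hits.append(name)
    return result


if __name__ == "__main__":
    print(static_scan(SAMPLE_PAYLOAD))
    # Appending a single byte defeats the checksum but not strings or signatures.
    print(static_scan(SAMPLE_PAYLOAD + b"\x00"))
```

Running it shows why the three methods are layered: changing one byte defeats the checksum check entirely, but the string and byte-sequence checks still fire, which is exactly why the bypass techniques below have to address strings and instruction bytes separately rather than just recompiling.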
Bypass
There are several ways to bypass static analysis, including the following:
- Changing function names
- Removing comments and ASCII Art
- Encrypting shellcode
- Unique variable names
- Appending strings to the end of the payload that the program never uses, such as strings taken from known-benign executables, so that the scanner's string heuristics see familiar, safe-looking content
IMPORTANT: Encrypting shellcode raises the entropy of the payload, and many EDR and AV engines treat a file or section with unusually high entropy as packed or encrypted and flag it as suspicious on that basis alone, so the encryption itself can become the indicator.
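An added example (Python, not from the original page) that measures what the note above describes: the Shannon entropy of a constructed, low-entropy stand-in for shellcode, of the same bytes after single-byte XOR, after XOR with a full-length pseudo-random key, and after appending low-entropy filler text in the spirit of the "strings from known safe executables" trick. It also computes per-chunk entropy, which is how section- or window-based scanners look at a file. The payload, key and filler are all constructed for this example; the repeating-key XOR is a toy cipher used only to show the effect, not a recommendation.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is the same, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropy(data: bytes, chunk: int = 512) -> list:
    """Entropy of each fixed-size window, the way section/window scanners score a file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (toy cipher for the demo only)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in for shellcode: mostly repeated bytes plus a bit of ASCII,
# so it is low-entropy like typical position-independent code.  Not real shellcode.
PLAINTEXT = (b"\x90" * 1024 + b"\x48\x31\xc0\x48\x31\xdb" * 256 + b"GetProcAddress\x00") * 2

# A single-byte key and a full-length pseudo-random key (seeded so the numbers
# are reproducible; a real loader would use a proper cipher such as AES or RC4).
SINGLE_BYTE_KEY = b"\x41"
_rng = random.Random(0xC0FFEE)
ONE_TIME_KEY = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))

# Low-entropy filler appended after the encrypted blob, standing in for the
# "strings from a known safe exe" padding trick.  Constructed text.
FILLER = b"Copyright (c) Example Corp. All rights reserved.\x00" * 600


def entropy_report() -> dict:
    """Whole-file and worst-chunk entropy for each variant of the payload."""
    enc_single = xor_encrypt(PLAINTEXT, SINGLE_BYTE_KEY)
    enc_otp = xor_encrypt(PLAINTEXT, ONE_TIME_KEY)
    padded = enc_otp + FILLER
    return {
        "plaintext": shannon_entropy(PLAINTEXT),
        "single_byte_xor": shannon_entropy(enc_single),
        "one_time_key_xor": shannon_entropy(enc_otp),
        "padded_whole_file": shannon_entropy(padded),
        "padded_max_chunk": max(chunk_entropy(padded)),
    }


if __name__ == "__main__":
    for name, value in entropy_report().items():
        print(f"{name:20s} {value:.3f} bits/byte")
```

Three things fall out of the numbers. Single-byte XOR leaves the entropy exactly unchanged, because it only permutes byte values, so it does not trip an entropy heuristic but it also does nothing to hide byte frequencies. A full-length random key (or any real cipher) pushes the blob close to 8 bits per byte, which is the signal the IMPORTANT note warns about. Appending low-entropy filler drags the whole-file entropy down, but the per-chunk maximum stays high, so a scanner that scores sections or sliding windows rather than the whole file still sees the encrypted region; padding alone is not a fix for that heuristic.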
Resources:
Title | URL |
---|---|
place | holder |