bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

A couple questions about r77, AV and Windows Defender exclusions #19

Closed: uncidal closed this issue 3 years ago

uncidal commented 3 years ago

Hey, so I have 2 questions:

  1. I have noticed that even when a file is hidden by prefix, Windows Defender is still able to find and detect the file, which was expected, but does the same apply to other external AVs, like BitDefender, Avast, MalwareBytes, Norton, etc.? To avoid the issue above, my program automatically adds exclusions in Windows Defender for these locations to prevent it from scanning them, using cmd and PowerShell, which leads me to the next question.
  2. I am pretty sure that Windows Defender does not detect the r77 stager startup, but if it somehow manages to detect it in the future, what application or what directory should I add to the Windows Defender exclusions? I assume it would be the powershell.exe location, or the dllhost.exe location, or the winlogon.exe location, but I am not sure.
bytecode77 commented 3 years ago

1.) Windows Defender does not detect r77, but some AVs may detect r77 now, or in the future. r77 is designed to be as evasive as possible, but when AV vendors write YARA rules to detect r77-specific behavior, it may get detected. After all, r77 is running in user space and is not able to hide from kernel mode.

2.) r77 does not write any files to the disk. There is no location and no file to exclude, as everything happens in memory, from the powershell process all the way to the dllhost.exe process, which is the r77 service. There is also no DLL file on the disk, because r77 is using reflective DLL injection. This fileless concept is the absolute basis that is required to make it undetectable.

Additionally, EDR hooks are removed and AMSI is bypassed at the powershell stage. If I notice any particular detection vectors in addition to that, I may implement more evasion techniques.

uncidal commented 3 years ago

Hey, I think you misunderstood my first question, or maybe I was not clear enough. I didn't mean whether AV can detect r77, but whether AV can detect a file hidden with r77. Let's say I have a program called program.exe, and it is detected as a virus by all AVs. What if I turn off AV on my PC, install r77, and then rename program.exe to $77-program.exe, so it is hidden from every process? What happens when I turn AVs on again? Because I noticed with Windows Defender that even when a program is hidden by the $77 prefix, Windows Defender was still able to find it and detect it. Is it like this for other AVs as well?

A little bonus question about PEunion 4: I am a total noob when it comes to crypting, but will I be able to create my own stub? And then use PEunion to crypt my application with my custom stub, and if it gets detected I can just write a new stub? (I don't fully understand stubs/crypters, so this question might not make sense.)

bytecode77 commented 3 years ago

Antivirus software detects files hidden by r77. The reason is simple: AV software is not injected with r77 - you can see that in the Test Console. If you want to inject any DLL into the process of an AV, access will be denied. And if r77 is not injected, the AV software will see the file, even if it's hidden in Explorer.

Regarding the question about PEunion: You already said "I'm a total noob when it comes to crypting" ;) So, you will probably not be able to create your own stub. Writing crypters, rootkits, etc. requires a lot of knowledge and skills...

uncidal commented 3 years ago

> Antivirus software detects files hidden by r77. The reason is simple: AV software is not injected with r77 - you can see that in the Test Console. If you want to inject any DLL into the process of an AV, access will be denied. And if r77 is not injected, the AV software will see the file, even if it's hidden in Explorer.

Ah alright, thanks for the answer.

> So, you will probably not be able to create your own stub.

Challenge accepted.