richkmeli / Richkware

Framework for building Windows malware, written in C++
Apache License 2.0
504 stars, 125 forks

[Improvement] Add AV bypass functions #1

Closed OxMarco closed 7 years ago

OxMarco commented 7 years ago

It could be very useful to add runtime memory encryption/decryption methods, anti-VM/debugging, as well as AV disguise through polymorphic encryption and/or PE mutation. You can take a look at my repository SuperVirus and at this one, https://github.com/DarthTon/Polychaos, but there are many more on here to take inspiration from.

Addition: https://github.com/JLospinoso/gargoyle for memory evasion

richkmeli commented 7 years ago

Yes, I think so too! I'm working on it! Thanks, and I'll check those repos!

OxMarco commented 7 years ago

The key elements to take into account when dealing with AV evasion are:

  1. API hooks: the AV software hooks all "suspicious" API calls, such as VirtualProtect functions, to perform heuristic analysis of unknown software; you should intercept those hooks and remove/bypass them;
  2. Memory encryption: apart from poly/metamorphic engines, overriding malloc/calloc functions to include a built-in stack encryption is a nice feature, especially if the key is dynamically generated;
  3. Random mutations: if changing the code structure can help to deal with static analysis, the overall "functionality" remains the same, so here comes the turning point: introduce randomly activating payloads/util functions to disguise attackers.