The ability to evade Antivirus analyses is a highly coveted goal in the cybersecurity field, especially in the case of Red Team operations where advanced external threats against a target infrastructure are performed. In this paper we present the design and implementation of PEzoNG, a framework for automatically creating stealth binaries that target a very low detection rate in a Windows environment. PEzoNG features a custom loader for Windows binaries, polymorphic obfuscation, a payload decryption process and a number of anti-sandbox and anti-analysis evasion mechanisms, including a novel user space unhooking technique. In addition, the custom loader supports a large amount of Windows executable files, and features stealth and advanced memory allocation schemes. We evaluate the effectiveness of PEzoNG by testing various malicious payloads against up to 29 commercial Antivirus solutions, and we highlight and discuss the assets and differences of PEzoNG with respect to similar tools.
Bernardinetti, G., Di Cristofaro, D., Bianchi, G. (2022). PEzoNG: advanced packer for automated evasion on windows. JOURNAL OF COMPUTER VIROLOGY AND HACKING TECHNIQUES, 18(4), 315-331 [10.1007/s11416-022-00417-2].
PEzoNG: advanced packer for automated evasion on windows
Bernardinetti G.;Bianchi G.
2022-01-01
Abstract
The ability to evade Antivirus analyses is a highly coveted goal in the cybersecurity field, especially in the case of Red Team operations where advanced external threats against a target infrastructure are performed. In this paper we present the design and implementation of PEzoNG, a framework for automatically creating stealth binaries that target a very low detection rate in a Windows environment. PEzoNG features a custom loader for Windows binaries, polymorphic obfuscation, a payload decryption process and a number of anti-sandbox and anti-analysis evasion mechanisms, including a novel user space unhooking technique. In addition, the custom loader supports a large amount of Windows executable files, and features stealth and advanced memory allocation schemes. We evaluate the effectiveness of PEzoNG by testing various malicious payloads against up to 29 commercial Antivirus solutions, and we highlight and discuss the assets and differences of PEzoNG with respect to similar tools.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
