Question from a reader
What would you recommnend are the best code practices to help a piece of attack code or backdoor on Windows to remain undetected by personal firewalls, antiviruses and anti-malware?
While there is a lot you can do, and it depends on the OS you are running and what kind of attack code/backdoor you are trying to install, the very basic and most simple you can do is:
- Create your own
GetProcAddress()and load every API you use at runtime and only when you need it. Unload it immediately after use. Sometimes this helps bypass the API hooks that some personal security software have on the Win APIs and it helps hide the true functionality of the code from antiviruses and anti-malware.
- Try to piggy back on open internet connections to exfil your data, for example the old-time tested code injection (not a DLL injection) into a web browser that is running, a program like Word when it checks for updates, etc. If it's done right, a simple code injection can remain undetected from most personal security software. Even corporate ones.
- Insert your binary to the list of trusted binaries on the Windows firewall, it's easy. Microsoft gives you a very handy API for it. Then try to also add the binary to any personal firewall or corporate firewall client the user is running on the system. That can be done in many ways, the best one I found was a simple interception of the warning dialog as it is about to be displayed and just click on the Allow or OK buttons. It's surpringly easy to do. Another way would be to find the list of trusted programs (usually in the registry) and add them there.
- Bypass the horrid UAC, it's not that hard.
- Try to get your binary to run as SYSTEM (perform a privilege escalation) or if you can run it as a Windows Service.
There are many more things you can do on Windows, but these are the very minimum. Keep an eye on the blog in the next coming months, we'll start a new page with tips that will include code snippets.