Antivirus REDucer for Antivirus REDteaming. Avred tries to provide as much context and information about each match as possible when identifying which portions of a file an antivirus has identified.
Avred is a new tool that breaks down how antivirus programs work and shows exactly which parts of a file cause antivirus alerts.
This tool not only finds these “hotspots,” but it also gives more information about each match, which helps RedTeamers hide their tools better. By using Avred, cybersecurity experts can learn more about how antivirus programs work, which helps them improve their security strategies.
It is mainly used to make it easier for RedTeamers to obfuscate their tools.
Check it out: avred.r00ted.ch
Slides: HITB Slides: Cracking The Shield.pdf
Compared to ThreatCheck, Avred has multiple features:
Most antivirus engines rely on strings or other bytes to recognize malware. This project helps to automatically recover these signatures (matches).
The difference between similar projects is:
$ ./avred.py --file app/upload/DripLoader.exe
[...]
DripLoader.exe size: 93184 ident: PE EXE 64
ScannerInfo: zero-sections,section-scan
Matches:
id:0 offset:12991 len:195
Section: .text
Hexdump:
00012991 48 81 C4 98 13 00 00 C3 CC CC CC CC CC CC CC C3 H...............
000129A1 4D 8B C2 49 C7 C2 01 00 00 00 4D 33 D2 49 C7 C2 M..I......M3.I..
000129B1 0A 00 00 00 4C 8B D1 33 C0 4D 2B C2 83 C0 18 4D ....L..3.M+....M
000129C1 33 C0 0F 05 C3 48 83 C1 0A 33 C0 4C 8B D1 83 C0 3....H...3.L....
000129D1 3A 49 83 EA 0A 48 83 E9 0A 0F 05 C3 49 83 C2 1C :I...H......I...
000129E1 33 C0 4C 8B D1 49 83 EA 01 83 C0 50 49 83 C2 01 3.L..I.....PI...
000129F1 0F 05 C3 4C 8B E1 4C 8B EA 4D 8B F0 4D 8B F9 4C ...L..L..M..M..L
00012A01 8B D1 48 33 C0 05 C1 00 00 00 0F 05 48 83 F8 00 ..H3........H...
00012A11 74 8D 49 8B CC 49 8B D5 4D 8B C6 4D 8B CF 4C 8B t.I..I..M..M..L.
00012A21 D1 48 33 C0 05 BD 00 00 00 0F 05 48 83 F8 00 0F .H3........H....
00012A31 84 6A FF FF FF 49 8B CC 49 8B D5 4D 8B C6 4D 8B .j...I..I..M..M.
00012A41 CF 4C 8B D1 48 33 C0 05 BC 00 00 00 0F 05 48 83 .L..H3........H.
00012A51 F8 00 0F ...
[...]
Requires: python 3.8
Install python deps:
pip3 install -r requirements.txt
If you get the error ImportError: failed to find libmagic. Check your installation
try:
pip3 install python-magic-bin==0.4.14
Install radare2:
PATH
(e.g. on windows)First, we need a windows instance with an antivirus. We use avred-server as interface to this antivirus on a Windows host.
Lets install and configure avred-server on windows VM 1.1.1.1:9001
. Follow install instructions on avred-server README.
Once you have this and its working properly (use curl 1.1.1.1:9001/test
), you can setup avred:
config.yaml
(eg "amsi": "1.1.1.1:9001"
)./avred.py --file test.ps1 --server amsi
It should look like this:
$ r2 -v
radare2 5.7.2 0 @ linux-x86-64 git.
commit: 5.7.2 build: 2022-07-02__14:15:22
$ cat config.yaml
server:
amsi: "http://1.1.1.1:8001/"
$ curl http://1.1.1.1:8001/test
{"benign detected":false,"malicous detected":true,"msg":"working as intended"}
$ ./avred.py --file test.ps1 --server amsi
[INFO ][2023/03/09 18:33][avred.py: 71] main() :: Using file: test.ps1
[INFO ][2023/03/09 18:33][avred.py: 90] scanFile() :: Handle file: test.ps1
[INFO ][2023/03/09 18:33][avred.py:115] scanFile() :: Using parser for PLAIN
[ERROR ][2023/03/09 18:33][avred.py:172] scanFile() :: test.ps1 is not detected by amsi
[INFO ][2023/03/09 18:33][avred.py:180] scanFile() :: Found 0 matches
[INFO ][2023/03/09 18:33][avred.py:206] scanFile() :: Wrote results to test.ps1.outcome
As a web server:
$ python3 avredweb.py --listenip 127.0.0.1 --listenport 8080
If you dont want that every user is able to see every uploaded file, set password in config.yaml
in key password
, use username admin
.
From command line:
$ python3 avred.py --server amsi --file app/upload/evil.exe
I am team NO-DB. Only files.
File nomenclature:
file.exe
: The file you want to scanfile.exe.log
: All log output of the scanning (with --logtofile
)file.exe.outcome
: Pickled Outcome data structure with all further informationfile.exe.pdb
: If you have debug symbolsFor the webapp, files are uploaded to app/uploads/
.
Build:
$ podman build -t avred
run:
$ podman run -p 9001:5000 -e "server=http://1.1.1.1:8001" --name avred -d avred
run with upload directory mounted:
$ podman run -p 9001:5000 -e "server=http://1.1.1.1:8001" -v $HOME/avred-uploads:/opt/avred/app/upload/ --name avred -d avred
Coverage:
python3 -m coverage run -m unittest -> .coverage
python3 -m coverage report -> stdout
python3 -m coverage html -> ./htmlcov/index.html
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…