avred: AntiVirus REDucer for AntiVirus REDteaming

Avred identifies which parts of a file an antivirus engine flags, and shows as much information and context about each match as possible.

This includes:

  • Section names of matches
  • Verification of matches
  • Augmentation of matches with disassembled code or data references

It is mainly used to make it easier for RedTeamers to obfuscate their tools.

Comparison to ThreatCheck

Compared to ThreatCheck, avred has several additional features:

  • Shows all matches (not just one)
  • Verifies the matches to make sure they work
  • Shows more information about matches
  • Shows the relevance of the match, so you can target the weakest one

Background

Most antivirus engines rely on strings or other byte sequences to recognize malware. This project helps recover these signatures (matches) automatically.

The differences from similar projects are:

  • Knowledge of internal file structures.
    • Can extract vbaProject.bin and modify it
    • Knows about PE sections and scans each one individually
    • Knows .NET streams
  • Supports any antivirus (via an AMSI server reached over HTTP)
  • Shows detailed information about each match (disassembly etc.)
  • Verifies the matches
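The "knows about PE sections" point above boils down to mapping a file offset back to the section header that covers it, so that a byte-pattern hit can be reported as "in .text" or "in .rdata" rather than as a bare offset. The example below is an added illustration written for this page and is not avred's own code: it parses the PE section table with the standard library only, runs a constructed set of byte-pattern rules over a constructed, non-executable PE-shaped blob, and reports each hit with its section name. The rule names, patterns and section contents are all made up for the demonstration; no antivirus engine is queried.

```python
import struct

FILE_ALIGNMENT = 0x200  # FileAlignment used when laying out the constructed sample


def build_sample_pe(sections):
    """Construct a minimal PE-shaped blob: DOS header, PE signature, COFF header,
    zeroed PE32 optional header, section table and raw section data.
    This is a constructed parser input, not a loadable executable."""
    opt_size = 224
    header_end = 64 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-header_end // FILE_ALIGNMENT) * FILE_ALIGNMENT
    blob = bytearray(64)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 60, 64)  # e_lfanew: PE header directly after DOS header
    blob += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    blob += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic, rest of optional header zeroed
    blob += opt
    raw_ptr, table, payload = first_raw, b"", b""
    for i, (name, data) in enumerate(sections):
        raw_size = -(-len(data) // FILE_ALIGNMENT) * FILE_ALIGNMENT
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000 * (i + 1), raw_size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        payload += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    blob += table
    blob = blob.ljust(first_raw, b"\0")  # pad headers up to the first section's raw data
    return bytes(blob) + payload


def parse_sections(data):
    """Walk the section table and return name/raw_offset/raw_size for each section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "raw_offset": rptr, "raw_size": rsize})
    return sections


def section_at(sections, offset):
    """Name of the section whose raw data covers a file offset, or a marker for
    the header area / trailing overlay that no section header describes."""
    for s in sections:
        if s["raw_offset"] <= offset < s["raw_offset"] + s["raw_size"]:
            return s["name"]
    if sections and offset < min(s["raw_offset"] for s in sections):
        return "<headers>"
    return "<overlay>"


def scan(data, rules):
    """Find every occurrence of each byte-pattern rule and tag it with its section.
    Returns a list of (rule_name, file_offset, section_name)."""
    sections = parse_sections(data)
    hits = []
    for rule, pattern in rules.items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((rule, pos, section_at(sections, pos)))
            pos = data.find(pattern, pos + 1)
    return hits


# Constructed rules and sample file: the patterns mean nothing outside this demo.
SAMPLE_RULES = {
    "demo_text_marker": b"\x90\x90\xcc\xcc",
    "demo_string": b"constructed-suspicious-string",
}
SAMPLE_PE = build_sample_pe([
    (".text", b"\x55\x8b\xec" + b"\x90\x90\xcc\xcc" + b"\xc3"),
    (".rdata", b"hello\0constructed-suspicious-string\0"),
])

if __name__ == "__main__":
    for rule, off, sec in scan(SAMPLE_PE, SAMPLE_RULES):
        print(f"{rule}: offset 0x{off:x} in section {sec}")
```

With the constructed sample, the first rule lands at offset 0x203 inside .text and the second at 0x406 inside .rdata. The same offset-to-section mapping is what lets an analyst decide whether a rule hit sits in code, in read-only data, or in an overlay appended after the last section, which is the context a bare offset does not give.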

Supported files:

  • PE (EXE) files, r2 disassembly
  • PE .NET files, dncil disassembly
  • Word files, pcodedmp disassembly

Install & Use

Copyright (C) 2024 dobin