Basic dynamic analysis antivirus evasion c++
Some basic functions for dynamic analysis antivirus evasion from the blog in the link below.

Headers needed by all three fragments (each fragment is meant to sit in a function returning bool):

#include <windows.h>
#include <winioctl.h>

Checking number of system processors.

SYSTEM_INFO systemInfo;
GetSystemInfo(&systemInfo);
DWORD numberOfProcessors = systemInfo.dwNumberOfProcessors;
if (numberOfProcessors < 2) return false; // original compared an undeclared `howManyProcessors`

Checking amount of GB in disk.

// Desired access 0 is enough to query drive geometry without opening the disk for I/O.
HANDLE hDevice = CreateFileW(L"\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE) return false;
DISK_GEOMETRY pDiskGeometry;
DWORD bytesReturned;
BOOL ok = DeviceIoControl(hDevice, IOCTL_DISK_GET_DRIVE_GEOMETRY, NULL, 0, &pDiskGeometry, sizeof(pDiskGeometry), &bytesReturned, (LPOVERLAPPED)NULL);
CloseHandle(hDevice); // the original leaked the handle
if (!ok) return false;
// Cylinders.QuadPart is 64-bit, so the whole product is computed in 64 bits before the divide.
DWORD diskSizeGB = (DWORD)(pDiskGeometry.Cylinders.QuadPart * (ULONG)pDiskGeometry.TracksPerCylinder * (ULONG)pDiskGeometry.SectorsPerTrack * (ULONG)pDiskGeometry.BytesPerSector / 1024 / 1024 / 1024);
if (diskSizeGB < 100) return false;

Checking amount of RAM.

MEMORYSTATUSEX memoryStatus;
memoryStatus.dwLength = sizeof(memoryStatus); // must be set before the call or it fails
GlobalMemoryStatusEx(&memoryStatus);
DWORD RAMMB = (DWORD)(memoryStatus.ullTotalPhys / 1024 / 1024); // ullTotalPhys is in bytes
if (RAMMB < 2048) return false;

0xPat_blog
Reply
nooice!
Reply
(August 6, 2022, 05:25 PM)JustUser1001 Wrote: Some basic functions for dynamic analysis antivirus evasion from the blog in the link below.
Thank you for the info
Reply
Could you give some more context? Can I use this in my C++ to prevent antivirus detection?
Reply
(August 30, 2022, 09:55 AM)trollinator321 Wrote: Could you give some more context? Can I use this in my C++ to prevent antivirus detection?

All is in the blog that is linked, but mainly you can just create functions out of this and run them from the main function. I am not sure if it will work though. To bypass antivirus you should combine this with static evasion and some other program-specific dynamic evasion functions.
Reply
This will only make the detections on VirusTotal/Antiscan to be low, but in a real time use it will not bypass a single antivirus.
first contact in PM
Reply
ok, thanks for the explanation
Reply
Thank you for sharing, I'll go see what's in the blog
Reply
Thanks for sharing. But keep in mind that adding too many sandbox detection techniques can by itself also result in a detection! ;)
Reply
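The point above, that stacking these checks becomes a signature of its own, can be turned around from the defender's side. As an added example (not code from the thread or the linked blog): a Python scanner that flags a binary when the import names and the UTF-16 device path used by the three snippets in the first post appear together, plus a helper that reports which of the thread's thresholds (2 CPUs, 100 GB disk, 2048 MB RAM) a given analysis VM would trip, so the sandbox can be sized above them. The indicator names and thresholds come from the snippets; the sample blobs are constructed.

```python
# Strings the thread's C++ snippets leave in a binary: the imported API names
# and the device path passed to CreateFileW (stored as UTF-16LE by the L"" literal).
INDICATORS = {
    "GetSystemInfo": b"GetSystemInfo",
    "GlobalMemoryStatusEx": b"GlobalMemoryStatusEx",
    "DeviceIoControl": b"DeviceIoControl",
    "PhysicalDrive0": "\\\\.\\PhysicalDrive0".encode("utf-16-le"),
}


def find_sandbox_check_indicators(data: bytes) -> list:
    """Return the indicator names present anywhere in the blob, in table order."""
    return [name for name, needle in INDICATORS.items() if needle in data]


def classify(data: bytes, threshold: int = 3) -> tuple:
    """Flag the blob when at least `threshold` indicators co-occur.

    Any one API alone is common in benign software; the combination is what
    the caution in the thread refers to.
    """
    hits = find_sandbox_check_indicators(data)
    return len(hits) >= threshold, hits


def thresholds_tripped(cpus: int, disk_gb: int, ram_mb: int) -> list:
    """Which of the thread's bail-out conditions a VM with these resources meets."""
    tripped = []
    if cpus < 2:
        tripped.append("cpus<2")
    if disk_gb < 100:
        tripped.append("disk<100GB")
    if ram_mb < 2048:
        tripped.append("ram<2048MB")
    return tripped


# Constructed samples: a fake import-name region with and without the full set.
SAMPLE_BLOB = (
    b"\x00KERNEL32.dll\x00GetSystemInfo\x00GlobalMemoryStatusEx\x00"
    b"DeviceIoControl\x00CreateFileW\x00"
    + "\\\\.\\PhysicalDrive0".encode("utf-16-le")
)
BENIGN_BLOB = b"\x00KERNEL32.dll\x00GetSystemInfo\x00WriteFile\x00"

if __name__ == "__main__":
    print(classify(SAMPLE_BLOB))   # (True, all four indicators)
    print(classify(BENIGN_BLOB))   # (False, ['GetSystemInfo'])
    print(thresholds_tripped(cpus=1, disk_gb=60, ram_mb=1024))
```

An empty list from thresholds_tripped means the VM would pass all three checks as written; a non-empty one names which resource to raise.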
(September 29, 2022, 08:25 PM)Persistent Wrote: This will only make the detections on VirusTotal/Antiscan to be low, but in a real time use it will not bypass a single antivirus.

I know that it might not work and you seem to be experienced with hacking (based on your badge).
Can you give us some advice on what might work better? (Sorry if this response sounds a little aggressive, but believe me, that wasn't the purpose of it).
Reply