fix - bypass KAV about mortar HOT 8 CLOSED

tnx yeah I fixed the typos problem, regarding the KAV detection for loader.exe, I think that's could happen in some cases as KAV is good in mem scan but I am sure for DLL release will not be able to detect! have you tried?

from mortar.

tnx yeah I fixed the typos problem, regarding the KAV detection for loader.exe, I think that's could happen in some cases as KAV is good in mem scan but I am sure for DLL release will not be able to detect! have you tried?

hi I try this just now but the result might let you down , it can still be scanned after a few seconds . May be we need find an other way to evade mem scan .at the end you did a great job ：）and
thanks reply!

from mortar.

I think it is fine, everything can be bypassed, could you please share me the following information

• KAV version +database version
• x64 or x68
• can you try to change the following values at this line https://github.com/0xsp-SRD/mortar/blob/main/Lib/runner.pas#L180 in the source code into

ReadProcessMemory(PI.hProcess, Pointer(CONT.rdx + $10), @Addr, 8, Ret);

and compile it EXE or DLL and forward the results again

from mortar.

hi, I modified the code as you said and get the same result . i can not find database version and just a
Update time . i get the kav Advanced Suite trial version from here https://www.kaspersky.co.in/downloads

from mortar.

KAV has been defeated successfully, do the following :

• put the encrypted bin.enc in your current user path for example c:\users\tester
• use any dll injector (reflective loader/ dll injection / side loading )
• choose cmd.exe process to inject and successfully get bypass
  here is the video of bypass
  https://video.0xsp.com/conversations/eb396ad5-f9f1-5afa-b171-30b812c8a9de

from mortar.

Hello lawrenceamer, hope you are well.
I have a question, how can I call the export function "dec" and execute it when I injected the dll into "cmd.exe" process, or what is the technique, the reflective injector you are used to do that.
because when I injected the dll into the cmd.exe process it is just injected and didn't execute "dec" function to run the ".enc" payload and get my shell.

from mortar.

Hi @Jack-Reve, try to call your decrypt function in agressor.lpr (e.g. in line 214). based on my understanding you need to call it manually, since the dll has no DllMain entry point and only two export functions. After that, open a cmd, cd to the folder where your bin.enc is saved and inject the agressor.dll into this cmd.

@lawrenceamer this way I was able to bypass Sophos, maybe you want to add it to your list in README.md ;)

from mortar.

@goofsec thanks. You may also try the following technique to bypass KAV and others @Jack-Reve

• put the bin.enc on the user folder e.g c:/users/tester/
• Open any dll injector tool
• select x64 process want to inject with the aggressor
• bypass the memory scan

from mortar.