
I need to use a .NET shellcode inside a C++ unmanaged process. Let me be clear: the shellcode is not malicious by any means; I just need it to load .NET code in an unmanaged process.

Antivirus won't let me and it keeps putting it in quarantine. So I wrote a crypter that uses a stub.exe which adds a section, uses an XOR-like algorithm to "encrypt" the main .exe (in which the shellcode resides), and then inside the stub there is the loader, so when stub.exe loads it will load the main exe. That way, I was able to bypass Windows Defender but not Avast antivirus.

So my first thought was that the extra section raises the alarm, so I modified the crypter to allocate space inside the .data section of stub.exe and put the main exe there (modified the loader as well). Again I am okay with Windows Defender, but Avast is still putting it in quarantine. But the signature of the "malware type" changed to "zbot [tr]" or something like that.

Finally, I used a compression algorithm to add an extra layer of protection, and the results were the same.

Avast seems to be very aggressive.

I was able to bypass it using AES. Is this a good solution? I don't think so. I ended up writing a 1000-line FUD crypter in order to be able to use a legitimate program. But I'll take it, I guess.

  • You can access managed code either with COM, or by loading the CLR through COM or by making a proxy DLL in C++/CLI. See this. It is sane and right for an EDR to flag a program loading a .NET assembly through a shellcode as malicious. Commented Jun 27 at 14:09
  • The project uses a JIT compiler to generate the shellcode at runtime; the shellcode is a must. Can't do otherwise. Commented Jun 27 at 14:12
  • This smells a little like an X/Y Problem to me. – vidarlo Commented Jun 27 at 14:26
  • Hmm, what is that? I am new to all of this. I thought about adding AES to the main PE to avoid the signature detection. Commented Jun 27 at 14:33
  • Your code must be similar to some malware out there, and then you try to get around the flag the same way a malware writer would, and since they've already gone down that road, Avast still flags you. You might just see if you can submit your executable to Avast so they can declare it as safe to use. They may even have an option right in the quarantine for reporting false positives. Commented Jun 27 at 21:24
