Bypassing AVs by C# Managed Code (Reverse Shell) | By Damon Mohammadbagher

Bypassing AVs by C# Managed Code (Reverse Shell)

In this article I want to talk about simple C# source code which is very useful to bypassing “almost all” AVs (signature based Avs). I do not want to talk about code line by line but this code is very simple to use also you can find this code everywhere probably in (MSDN, Programming Websites, Github), etc.

This code will send “Cmd.exe” output to attacker system via “Tcp” on any port you want without encryption but if you want to use encryption then you should write little bit more Code also in attacker side you need to use C# Server-Side code for decryption.

But in this case I used “Netcat” without encryption so this is very simple.

I used this code to test some Avs like Kaspersky v19 , ESET v12, v13 , Comodo , Trend-Micro v16 & Windows Defender… with last Updates and “all of them Bypassed”. It means I had Shell without any Detection by Avs so this is my “Goal” to Bypass AVS other things Does not matter in this case/time.

Note: I think in this code only this section of code is very important

_Tiger.StartInfo.FileName = “CMD.EXE”

In this section you will call “cmd.exe” and some of Avs probably will Detect this code as Malware Code/behavior.

C# Code :

In this video you can see how this code Worked step by step:


Now I want to show you some of my AV tests with Pictures:

Picture 1: ESET v13 Bypassed

Picture 2: Windows Defender Bypassed

in the Next Pictures for bypassing Kaspersky v19 and Trend-Micro v16 I used another Tool but code almost is same in this case:

Picture 3: Kaspersky v19 bypassed

Picture 4: Trend-Micro v16 bypassed

As you can see these (AVs) are still useless and they are bypassed simply.

Note: After one week this code Detected by ESET v13 with (last update:11/28/2019)

Picture 5: Code Detected by Eset v13 (last update:11/28/2019).

hmmm OK, Now i want to show you, how can do this "BINGO" again , in this time i used my own code without using previous Code "NativePayload_ReverseShell.cs" (v1) and again in this time i used C# Codes only (without using/call Windows API) .

I made two "New versions" C# Shell Code via Some Other Techniques which i used other C# Classes and Methods for Shell and they worked very well too like (v1) and almost all AVs bypassed by these new Shell Codes simply.

in the next Picture you can see one of them which is "version 3" and ESET v13 (last update 11/28/2019) bypassed again by this new [C#] Managed shell code "Very Simple".

Picture 6: ESET v13 (last update:11/28/2019) Bypassed "Again".

also i tested this code via "netcat" too:

Picture 7: ESET v13 (last update:11/28/2019) Bypassed "Again".

February 21, 2020
Notify of

Oldest Most Voted
Inline Feedbacks
View all comments
3 years ago

thank you!

3 years ago

Cool information , thanks . Hey , you got stuff for Android ? iOS ? Keyloggers ? What other undetected exploits you own ?

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013