PEzoNG: Advanced Packer For Automated Evasion On Windows

The ability to evade Antivirus analyses is a highly coveted goal in the cybersecurity field, especially in the case of Red Team operations where advanced external threats against a target infrastructure are performed. In this paper we present the design and implementation of PEzoNG, a framework for automatically creating stealth binaries that target a very low detection rate in a Windows environment. PEzoNG features a custom loader for Windows binaries, polymorphic obfuscation, a payload decryption process and a number of anti-sandbox and anti-analysis evasion mechanisms, including a novel user space unhooking technique. In addition, the custom loader supports a large amount of Windows executable files, and features stealth and advanced memory allocation schemes. We evaluate the effectiveness of PEzoNG by testing various malicious payloads against up to 29 commercial Antivirus solutions, and we highlight and discuss the assets and differences of PEzoNG with respect to similar tools.