This tool exfiltrates data from inside an anti-virus emulator (sandbox). The leaked data can later be used as a fingerprint for detecting anti-virus sandbox environments.
The tool is based on the AVLeak white paper and is written in Python and C.
To use the tool, you need:
- An isolated Windows 10 VM
- Python 3.8 (you can download it from the Microsoft Store)
- One of the supported anti-virus products
At the moment, only two anti-virus products are supported by the tool:
- Kaspersky
- Windows Defender
Once you have installed Python and the anti-virus and pulled the tool, run:
python3 agent.py --leak --new
You then only need to choose the anti-virus you want and the data to exfiltrate.
It is really important to use the --new option the first time the tool is run.
If you wish to change the malware set, use the command:
python3 agent.py --malware -s path/to/malw/directory
It will create a new malware set and update the malware table accordingly.
!!! You need to run this command when using an anti-virus other than Kaspersky, and whenever you change the selected anti-virus !!!
If you wish to add more test scenarios, follow these steps:
- Copy one of the existing scenario directories and rename it
- Remove every file and folder in its "cmake-build-debug" subdirectory
- Edit the file "poc.c":
  - Collect the data you want to exfiltrate
  - Call leak(data, size of data), passing the data buffer and its length in bytes
- Edit the file "agent.py" to add the new scenario to the list of program choices
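The following is an added example, not code from this repository, showing what a scenario's call to leak() does in the AVLeak model: each byte selects one of 256 known samples, the engine reports that sample's detection name, and the agent maps the name back to the byte. The project's real leak() implementation, its malware-table format and the sample names are not shown on this page, so the table, the labels, the MAX_LEAK limit and the in-memory "verdict log" below are assumptions that simulate the AV side so the round trip can run stand-alone. In a real poc.c the bytes handed to leak() would be whatever the scenario reads from the emulated system.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE 256   /* one sample per possible byte value */
#define MAX_LEAK   64    /* bytes per scenario in this model (assumption) */
#define LABEL_LEN  32

/* Constructed malware table: entry i stands for a known-malicious sample
 * whose detection name is unique to i. The real tool works with actual
 * sample files and its own table format, which the page does not show. */
static char g_table[TABLE_SIZE][LABEL_LEN];

/* Simulated AV detection log: the label the engine reports for each
 * sample the scenario dropped, in drop order. */
static char g_verdicts[MAX_LEAK][LABEL_LEN];
static size_t g_verdict_count;

static void build_table(void)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        snprintf(g_table[i], LABEL_LEN, "Trojan.LeakSample.%03d", i);
}

/* Scenario side (what poc.c calls). For every byte, "drop" the sample whose
 * table index equals the byte value; an emulator that scans the file then
 * reports that sample's detection name, which is how the byte leaves the
 * sandbox. Returns the number of bytes pushed through the channel. */
size_t leak(const uint8_t *data, size_t len)
{
    if (len > MAX_LEAK)
        len = MAX_LEAK;               /* channel width of this model */
    g_verdict_count = 0;
    for (size_t i = 0; i < len; i++) {
        /* data[i] is 0..255, so it is always a valid table index */
        strcpy(g_verdicts[g_verdict_count++], g_table[data[i]]);
    }
    return g_verdict_count;
}

/* Agent side. Map each reported label back to its table index, i.e. the
 * leaked byte. Returns the number of bytes decoded, or -1 if a label is
 * not in the table (a verdict the scenario did not cause, which would
 * otherwise corrupt the decoded stream). */
int decode_verdicts(uint8_t *out, size_t out_len)
{
    size_t n = 0;
    for (size_t v = 0; v < g_verdict_count && n < out_len; v++) {
        int idx = -1;
        for (int i = 0; i < TABLE_SIZE; i++) {
            if (strcmp(g_verdicts[v], g_table[i]) == 0) {
                idx = i;
                break;
            }
        }
        if (idx < 0)
            return -1;
        out[n++] = (uint8_t)idx;
    }
    return (int)n;
}

/* A complete scenario round trip. The input is a constructed buffer with
 * non-printable bytes, to show the channel is byte-wide, not text-only.
 * Returns the number of bytes recovered, or -1 on a decode mismatch. */
int run_scenario(uint8_t *out, size_t out_len)
{
    static const uint8_t sample[] = { 'A', 'V', '-', 'E', 'M', 'U', 0x01, 0xff };
    build_table();
    size_t sent = leak(sample, sizeof sample);
    int got = decode_verdicts(out, out_len);
    return (got == (int)sent) ? got : -1;
}

/* Failure mode: a verdict that is not in the table must not be decoded
 * as data. Returns 1 if decode_verdicts() rejects it, 0 otherwise. */
int rejects_unknown_verdict(void)
{
    uint8_t out[MAX_LEAK];
    build_table();
    g_verdict_count = 1;
    strcpy(g_verdicts[0], "Heur.Unrelated.Alert");
    return decode_verdicts(out, sizeof out) == -1;
}

int main(void)
{
    uint8_t out[MAX_LEAK];
    int n = run_scenario(out, sizeof out);
    if (n < 0) {
        fputs("decode failed\n", stderr);
        return 1;
    }
    printf("leaked %d bytes:", n);
    for (int i = 0; i < n; i++)
        printf(" %02x", out[i]);
    putchar('\n');
    return 0;
}
```

The point to keep in mind when writing a real scenario is the one decode_verdicts() enforces: the agent can only decode labels it knows, so a scenario must drop nothing that the engine could flag under a name outside the malware table, which is also why the table has to be rebuilt (--malware -s) whenever the anti-virus changes.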