Bypassing Anti-Viruses with Thread Injection Technique + C# Delegate & ETW

Bypassing Anti-Viruses with Thread Injection Technique + C# Delegate & ETW

as you can in these Pictures, I used very simple C# code for Thread Injection Method also in this code API Function Called via “C# Delegate” Technique.

Research Result for some Avs was very good as you can see ESET, McAfee bypassed also I tested this method for some other Avs like Windows Defender which bypassed too.

Picture 1: McAfee Bypassed (last update: 3/17/2020)

as you can see I had shell without any problem.

now I want to talk about ESET, this Av in the last year had very good steps to protect Process in memory (monitoring process memory) but in this case bypassed by C# code as you can see in the next Pictures 2 & 3.

Picture 2: ESET Bypassed (last update: 5/29/2020)

this is very classic technique for Thread Injection into Target Process for more information about this method you can read these articles:

link 1:

link 2:

I will Publish C# code for this in the next [chapter-14] of eBook “Bypassing Avs by C# Programming” soon. In this chapter I will talk about C# Delegate Technique also Thread Injection Method by C# etc

But in this Page I want to talk about one Important Point about ESET and other Avs.

In the next pictures 3 & 4 you can see Meterpreter Payload Injected to “Notepad.exe” process by “NativePayload_TId.exe” code & this Injection “Not Detected” by AV but when I used shell command then payload in Notepad.exe (in-Memory) detected by ESET very good.

Picture 3: Shell code detected by ESET (last update: 5/29/2020)
Picture 4: in memory shell detected by ESET (last update: 5/29/2020)

Important point is this Payload Detected but C# Injector Code in this case “NativePayload_TId.exe” was not Detected by AV.

In step1 of attack I used four “API Function” to create Remote Thread in target Process in this case “Notepad.exe” in this step AV should detect this but for reasons Not Detected.

Now in step2 of attack Meterpreter Shell Code Detected (in Memory) by ESET very good but only in Log file We have “Notepad.exe” process as you can see we don’t have C# Code so this is why this Code still is hidden from some Avs in this case ESET.

Maybe because signature for C# code was not detected by av so ESET anti-virus thinks this code is ok, maybe but after detect that shell code AV should read event logs to find injector process or any dll or something like that . (we should try to find out how this Notepad process Infected in-memory?)

ETW & Remote Thread Injection Method

in this case (Event Trace for Windows) ETW can help us to find out which Processes was Injector for that Thread/s into “Notepad.exe”,

as you can see with this C# code “ETWMonThread.cs” you can Detect all Injected Threads to Processes very simple.


With this ETW code you can find all injected Threads by Thread Monitoring (real-time) also with this code you can Terminate/stop that Thread which was for Meterpreter Process and finally with ETW you can See which Process was Injector to which Process (in this case notepad.exe).

Picture 5: ETWMonThread.cs (TID:900 Injected to PID:4108 by Malware Process PID:4632)

Video ETWMonThread.cs [step by step]:

as you can see this ETW is very useful thing for Thread Monitoring also is useful to show Injected Threads also Injector Processes… (Sometimes) and I think Some Anti-viruses need to use this ETW or something like this always…

Last Update: 1 Jun 2020




Security Researcher , Pentester

Love podcasts or audiobooks? Learn on the go with our new app.

CS373 Spring 2022: Anthony Modica

CRUD operation in ASP.NET core MVC using Entity Framework core code first approach

Publishing your iOS app into the App Store

Starting with Flutter: File paths

How to add some CSS image magic to your backgrounds

Write an Azure Function to Query Active Logs

Algorithm Interview Questions 11

The Most Despised App on Reddit Ran a Wildly Successful Reddit Campaign

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Damon Mohammadbagher

Damon Mohammadbagher

Security Researcher , Pentester

More from Medium

Malicious VS Code plugins: Initial access & persistence

Features of Remote Desktop Protocol

Features of Remote Desktop Protocol

CSR/SSR links

“Dark Park” & Pizzeria Picco (Downtown Larkspur, CA)