Bypassing static analysis is fairly simple: all you need to do is avoid certain words and certain patterns. It is good practice not to use some library functions by importing them statically, because every function you import that way lands in the executable's import table and can be seen when the program is reviewed by an antivirus. To avoid this, you basically cannot call the function the way you would under normal circumstances, and to see why, we need to know what a function is. A function is a label: a name we assign to an address. When we call a function, our code jumps to that address and, when it finishes, comes back to the address it jumped from. For a better understanding, look up the jmp and call assembly instructions. For a statically imported function, the linker records the import at build time and the Windows loader fills in the real address from the system library when the program starts, so the function name sits in the import table for anyone to read. One of the most used libraries is kernel32.dll.

So now we know how functions work: they are calls to specific addresses, and if we still want to use them, we need to find those addresses dynamically. To do so, we use two core functions from kernel32.dll: GetModuleHandle, which retrieves the base address of a loaded library, and GetProcAddress, which finds the address of a function inside that library. Using these two we can find the address of a function and call it without being statically detected. There is still a small problem: every string can be extracted from the executable, so even if you use GetProcAddress with a name like CreateRemoteThread, that name can still be found. Because of that, we can use simple XOR encryption, as in the example C code, and only decrypt the name right before resolving it. That is all there is to dynamic address resolving, and there isn't much more to static evasion: just encrypt everything that might trigger the antivirus.
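To make the technique concrete, here is an added example (editor's code, not the article's own example program): it keeps "kernel32.dll" and "CreateRemoteThread" only as XOR-encoded byte arrays, decodes them into stack buffers right before the lookup, resolves the function with GetModuleHandleA and GetProcAddress, and wipes the buffers afterwards. The key 0x5A, the buffer sizes and the helper names xor_apply, decodes_to, roundtrips and resolve_api are illustrative choices; the Windows calls are compiled only under _WIN32, so on other platforms the program exercises just the XOR part and resolve_api returns NULL.

```c
/* Added example (not from the original article): XOR-hidden API names
 * resolved at runtime with GetModuleHandleA / GetProcAddress.
 * The key 0x5A and the byte arrays below are illustrative choices. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define XOR_KEY 0x5A

/* "kernel32.dll" XOR 0x5A, produced ahead of time with xor_apply().
 * Only these bytes end up in the binary, never the plaintext name. */
static const unsigned char ENC_KERNEL32[] = {
    0x31,0x3F,0x28,0x34,0x3F,0x36,0x69,0x68,0x74,0x3E,0x36,0x36 };

/* "CreateRemoteThread" XOR 0x5A. */
static const unsigned char ENC_CREATEREMOTETHREAD[] = {
    0x19,0x28,0x3F,0x3B,0x2E,0x3F,0x08,0x3F,0x37,0x35,0x2E,0x3F,
    0x0E,0x32,0x28,0x3F,0x3B,0x3E };

/* XOR is its own inverse, so one routine both encodes and decodes.
 * Encoded bytes may contain 0x00, so the length is passed explicitly.
 * Writes at most out_cap-1 bytes plus a NUL; returns bytes written. */
size_t xor_apply(const unsigned char *in, size_t len, unsigned char key,
                 char *out, size_t out_cap)
{
    if (out_cap == 0) return 0;
    size_t n = len < out_cap - 1 ? len : out_cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in[i] ^ key);
    out[n] = '\0';
    return n;
}

/* Overwrite a decoded name once it has been used so it does not linger. */
static void wipe(char *buf, size_t cap)
{
    volatile char *p = buf;
    while (cap--) *p++ = 0;
}

/* Helper: decode enc and compare with expected; 1 on match, 0 otherwise. */
int decodes_to(const unsigned char *enc, size_t len, const char *expected)
{
    char buf[64];
    xor_apply(enc, len, XOR_KEY, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Helper: encode plain, decode it again, and check the round trip. */
int roundtrips(const char *plain)
{
    char enc[64], dec[64];
    size_t n = strlen(plain);
    xor_apply((const unsigned char *)plain, n, XOR_KEY, enc, sizeof enc);
    xor_apply((const unsigned char *)enc, n, XOR_KEY, dec, sizeof dec);
    return strcmp(dec, plain) == 0;
}

/* Resolve an API from its XOR-encoded module and function names.
 * Returns NULL if either lookup fails, or on non-Windows builds. */
void *resolve_api(const unsigned char *enc_mod, size_t mod_len,
                  const unsigned char *enc_fn, size_t fn_len)
{
    char mod[64], fn[64];
    void *addr = NULL;
    xor_apply(enc_mod, mod_len, XOR_KEY, mod, sizeof mod);
    xor_apply(enc_fn, fn_len, XOR_KEY, fn, sizeof fn);
#ifdef _WIN32
    HMODULE h = GetModuleHandleA(mod);   /* kernel32 is always already loaded */
    if (h != NULL)
        addr = (void *)GetProcAddress(h, fn);
#endif
    wipe(mod, sizeof mod);
    wipe(fn, sizeof fn);
    return addr;
}

int main(void)
{
    char name[64];
    xor_apply(ENC_CREATEREMOTETHREAD, sizeof ENC_CREATEREMOTETHREAD,
              XOR_KEY, name, sizeof name);
    printf("decoded: %s\n", name);
    void *p = resolve_api(ENC_KERNEL32, sizeof ENC_KERNEL32,
                          ENC_CREATEREMOTETHREAD, sizeof ENC_CREATEREMOTETHREAD);
    printf("resolved: %p\n", p);
    wipe(name, sizeof name);
    return 0;
}
```

Running `strings` on a Windows build of this shows the encoded bytes but not "CreateRemoteThread". Note the caveat: GetModuleHandleA and GetProcAddress themselves still appear in the import table, and the decoded name exists in memory (and in any memory dump) between the decode and the wipe.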
Surprisingly, one more antivirus detects it compared to the normal encrypted payload in which I didn't use dynamic address resolving, because VirtualProtect is not detected often, but it does with more problematic functions like CreateRemoteThread, WaitForSingleObject, RtlMoveMemory or VirtualAlloc. Still, it's a decrease of 4 antiviruses detecting it from the normal result, and in further evasion it becomes very helpful.