# Binary Padding Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. The padding used is commonly generated by a function to create junk data and the appended to the end or applied to sections of malware. Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designated or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed. **Example:** I will use a simple Python Script to make an EXE file bigger than what it normally is and try to evade some defenses, a simple demo here is that usually these AV products have a limit to file scanning if 15MB files so let us make it a little bigger. ![](/files/-MRhsIlJsFnnSbHtsvtb) Above you see the payload with a 7kb file size, very fast to detect and scan ![](/files/-MRhsJWE9vtw6G5sYfoG) With the tool I selected my payload and gave it the option of being 20 MB in file size ![](/files/-MRhsKFyrxbYZ5ub8EzF) Let's see the file size ![](/files/-MRhsL5bY_DaiEyQSTaN) Now I will move the payload to the Workstation and check that its original functionality hasn't changed ![](/files/-MRhsLssKSvHJ68RvM7d) Nope This demo is just to understand that by padding and making our executable bigger AV Scanners don't check these files properly or simply skip them. It can be a bunch of garbage strings and bytes but it won't affect our payloads functionality. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t0127-obfuscated-files-or-information/binary-padding.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.