DioProcess

File Bloating

Ring 3

Inflate file size by appending null bytes or random data to bypass AV/EDR scanner file size limits.

AV Evasion Technique

File bloating is used to evade antivirus scanners that skip files above certain size thresholds. Use only for authorized security testing.

Overview

Many antivirus and EDR products have file size limits for performance reasons. Files above a certain size (often 100-500 MB) are skipped or only partially scanned. File bloating exploits this by appending data to make the file exceed these limits while keeping the executable functional.

Methods

Append Null Bytes (0x00) (Default)

Appends zero bytes to the end of the file. Most compressible and fastest to generate. Some scanners may detect patterns of null bytes.

Random Data (0xFF)

Appends 0xFF bytes which simulate embedded binary resources. Less compressible and harder to detect as padding. Takes slightly longer to generate.

Algorithm

crates/ui/src/components/utilities_tab.rs

```rust
use std::fs::OpenOptions;
use std::io::Write;
use std::path::Path;

async fn bloat_file(
    source: &Path,
    output: &Path,
    size_mb: usize,
    use_null_bytes: bool,
) -> Result<(), std::io::Error> {
    // 1. Copy source file to output location (the source is left untouched)
    std::fs::copy(source, output)?;

    // 2. Open output file in append mode so the padding lands after the original bytes
    let mut file = OpenOptions::new()
        .write(true)
        .append(true)
        .open(output)?;

    // 3. Create 1 MB buffer of the chosen fill byte
    let fill_byte: u8 = if use_null_bytes { 0x00 } else { 0xFF };
    let chunk = vec![fill_byte; 1024 * 1024]; // 1 MB

    // 4. Write one chunk per requested megabyte until the target size is reached
    for _ in 0..size_mb {
        file.write_all(&chunk)?;
    }

    // 5. Flush; the handle is closed when it is dropped at the end of the function
    file.flush()?;
    Ok(())
}
```

UI Controls

  • Source file picker — Browse for any file (typically .exe or .dll)
  • Output file picker — Save As dialog for destination path
  • Method selector — Dropdown: "Null Bytes (0x00)" or "Random Data (0xFF)"
  • Size input — 1-2000 MB (default: 200)
  • Bloat File button — Disabled with "Bloating..." while processing
  • Status feedback — Success/error with auto-dismiss

Known Scanner Limits

Common file size limits observed in various security products:

Product Type   | Typical Limit        | Recommended Bloat
---------------|----------------------|------------------
Consumer AV    | 100-200 MB           | 250 MB
Enterprise EDR | 200-500 MB           | 600 MB
Cloud Sandbox  | 50-100 MB upload     | 150 MB
Email Gateway  | 25-50 MB attachment  | 75 MB

Why It Works

  • PE/ELF structure — Executable headers define section boundaries; appended data is ignored by loaders
  • Performance trade-off — Scanning large files impacts system performance
  • Memory limits — Some scanners load entire files into memory
  • Cloud upload — Large files exceed upload bandwidth limits

Detection

File bloating can be detected by:

  • Comparing the end of the last section declared in the PE headers to the actual file size
  • Entropy analysis (a trailing run of a single byte value, whether 0x00 or 0xFF, has near-zero entropy)
  • Overlay detection in PE parsing
  • YARA rules matching trailing zero/0xFF patterns
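The first three checks above can be combined into one small scanner: parse the PE section table to find where the declared raw data ends, treat everything past that offset as the overlay, and measure the overlay's size and Shannon entropy. The script below is an added example written for this page, not DioProcess code; it assumes only the standard PE/COFF header layout, the `build_toy_pe` helper constructs a non-executable PE-shaped sample purely as test input, and the `min_overlay` and `max_entropy` thresholds are illustrative choices rather than any vendor's values. It generalizes slightly beyond the page's two fill bytes: any large, near-constant overlay is flagged, while a high-entropy overlay (as a signed installer's payload would be) is not.

```python
# Added example (not DioProcess code): flag a bloated PE by comparing the size
# declared by the section table with the real file size, then measuring the
# entropy of the overlay. Assumes the standard PE/COFF header layout.
import math
import struct
from collections import Counter
from typing import Optional


def pe_declared_size(data: bytes) -> Optional[int]:
    """Return the file offset at which the last section's raw data ends,
    as declared by the PE headers, or None if `data` is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size        # section table follows the optional header
    end = sect_table + num_sections * 40     # at least the headers themselves
    for i in range(num_sections):
        off = sect_table + i * 40
        if off + 40 > len(data):
            return None
        # SizeOfRawData at +16, PointerToRawData at +20 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform data."""
    if not buf:
        return 0.0
    n = len(buf)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(buf).values()))


def analyze(data: bytes, min_overlay: int = 1024 * 1024, max_entropy: float = 1.0) -> dict:
    """Report the overlay (bytes past the declared end of the image) and flag it
    when it is both large and near-constant. Thresholds are illustrative."""
    declared = pe_declared_size(data)
    if declared is None:
        return {"is_pe": False}
    overlay = data[declared:]
    h = round(entropy(overlay), 3)
    single_fill = bool(overlay) and overlay.count(overlay[:1]) == len(overlay)
    return {
        "is_pe": True,
        "file_size": len(data),
        "declared_size": declared,
        "overlay_size": len(overlay),
        "overlay_entropy": h,
        "single_byte_fill": single_fill,
        "suspected_bloat": len(overlay) >= min_overlay and h < max_entropy,
    }


def build_toy_pe(section_bytes: bytes) -> bytes:
    """Constructed, non-executable PE-shaped sample with one section (test input only)."""
    e_lfanew = 0x40
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    optional = b"\0" * opt_size
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40   # data starts right after the one section header
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIII", len(section_bytes), 0x1000, len(section_bytes), raw_ptr) + b"\0" * 16
    return dos + coff + optional + section + section_bytes


if __name__ == "__main__":
    clean = build_toy_pe(b"\x90" * 64)
    bloated = clean + b"\x00" * (2 * 1024 * 1024)   # 2 MiB of null padding, as the tool appends
    for name, sample in (("clean", clean), ("bloated", bloated)):
        print(name, analyze(sample))
```

Run it against a real binary by reading the file into `data` and calling `analyze(data)`; a legitimate overlay (Authenticode signature, installer payload) shows up with high entropy and is left unflagged, whereas the tool's 0x00 or 0xFF padding reports `single_byte_fill` and an entropy of 0.0 regardless of which fill byte was chosen.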

Use Cases

  • Testing AV/EDR file size handling
  • Red team payload delivery
  • Security research on scanner behavior
  • Bypass cloud sandbox upload limits