Gentlemen,
I am working on a remote supervision procedure. Basically, the steps are:
1.- Pop a box using meterpreter
2.- Upload a packed VNC backdoor, modify registry accordingly
3.- Sit and watch the remote desktop
(Meterpreter built-in VNC seems to run at very slow frame rates, however this is a LAN exercise)
I do know how to get the shell, prepare the backdoor, set registry changes, create a firewall rule to allow the executable ...
Now, I want it to be undetectable by AVs. Again, I know how to do this for a particular AV by hex-modifying the program, as per
Defeating Virus Signatures
or by just compressing it.
Do any of you know a (simpler) method to hide an executable from most AVs in one shot?
Killing the AV is not an option here.
For the suspicious minds, I own a security company and I was born in the 60s. What I intend here is to show some clients (non-technical profiles) why they should invest in security by using a real-world example.
That's why I don't want to go through the tedious hiding process for each and every AV they may use.
Thanks.
You could try using a rootkit, there's already a thread on the forum about that. Hope it helps
You could manually pack and/or crypt it.
Open it up in a disassembler and add in the following:
a JMP to a subprogram called uncrypt
a subprogram called uncrypt that takes a buffer equal to that of your program, fills it with said program, then uncrypts it (for simple stuff a bit shift may work), then JMPs to the beginning of that program.
Of course, this won't work if it is being detected by heuristics, but this will stop signature scanning since that is typically on the byte boundary; a simple 2-bit shift will usually work.
If I understood you correctly, your advice is quite similar to the method linked above.
By modifying a byte, you trick AVs flagging a file hash.
However, for those based on signatures, different AVs flag different strings, so it is not very effective unless you look for those particular signatures and change them. And you can't modify all of them in a single executable or it won't run.
Anyway, thank you for your tip.
Actually, you obviously misunderstood me; my way would change EVERY byte in the file. It would run like this:
Shift the bits of a buffer containing your program. This reverses the previously "crypted" lines of... well, crap, into a working program.
Run the decrypted program.
So instead of... Hacking Program String Here
the AV scans would see... ghiuagiabbviub buabviuab
Sorry. You got my attention now.
Scans won't detect it, but at execution time, after decryption, the signatures will be there, so the real-time guard will catch it. Right?
Where may I find info on this set-up?
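The point made in the two posts above (every byte changes on disk, so a byte-exact signature scan of the file misses it, but the original bytes reappear once the stub decodes them in memory) can be shown with a toy model. This is an added example, not code from any poster; the "signatures", the payload bytes and the scanner are all constructed for the illustration and have nothing to do with any real AV's signature set. The encoding is the 2-bit rotation suggested above, applied per byte (rotation rather than a plain shift so that it is reversible).

```python
# Added example: toy model of a static signature scanner versus a
# byte-rotation "crypter". Signatures, payload and scanner are constructed
# for illustration only; they are not taken from any real AV product.
from typing import List

# Constructed signatures a byte-exact scanner might carry (hypothetical).
SIGNATURES: List[bytes] = [
    b"Hacking Program String Here",   # the string used as an example in the thread
    b"\xde\xad\xbe\xef",              # a made-up binary signature
]


def scan(buf: bytes, signatures: List[bytes] = SIGNATURES) -> List[bytes]:
    """Return every signature that occurs verbatim in buf (byte-exact match)."""
    return [sig for sig in signatures if sig in buf]


def rotl8(b: int, n: int) -> int:
    """Rotate a single byte left by n bits (n taken modulo 8)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def rotr8(b: int, n: int) -> int:
    """Rotate a single byte right by n bits (inverse of rotl8)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encode(buf: bytes, shift: int = 2) -> bytes:
    """What the 'crypter' writes to disk: every byte rotated left by `shift` bits.
    Bytes that are fixed points of the rotation (0x00, 0x55, 0xAA, 0xFF for
    shift=2) stay the same, everything else changes."""
    return bytes(rotl8(b, shift) for b in buf)


def decode(buf: bytes, shift: int = 2) -> bytes:
    """What the 'uncrypt' stub does at run time before jumping into the code."""
    return bytes(rotr8(b, shift) for b in buf)


def demo(shift: int = 2):
    """Scan the same payload as it sits on disk (encoded) and as it sits in
    memory after the stub has decoded it. Returns (static_hits, runtime_hits)."""
    # Constructed stand-in for a program image that contains both signatures.
    payload = (b"MZ\x90\x00...code...Hacking Program String Here"
               b"...more code...\xde\xad\xbe\xef...")
    on_disk = encode(payload, shift)          # what a file scan sees
    in_memory = decode(on_disk, shift)        # what a memory scan sees
    assert in_memory == payload               # the stub must be lossless
    return scan(on_disk), scan(in_memory)


if __name__ == "__main__":
    static_hits, runtime_hits = demo()
    print("file scan hits  :", static_hits)    # []
    print("memory scan hits:", runtime_hits)   # both constructed signatures
```

The file-scan list comes back empty while the memory-scan list contains both constructed signatures, which is exactly the caveat raised in the question above: a byte transform defeats a scanner that only looks at the file, not one that looks at process memory or at the decoded bytes when the stub hands control to them.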
Not to appear rude, but I have doubts about this request.
For example I am assuming the said clients have security already if the VNC backdoor is getting picked up by their AV?
Not to appear rude, but I don't care about your doubts.
And yes, everyone and their dog running Windows have antivirus. My customers are no exception.
You own a security company and you don't know how to bypass AV? I call BS. 2 points.
1. If you're a punk employee trying to show how smart you are, it's a felony. That's not a slap on the wrist, that's prison for several years where you'll probably get raped and will never hold another real job in your life.
2. This is sooooooo f'ing easy that I'm not going to tell you how to do it.
Peace