Results 1 to 2 of 2

Thread: Questions about evading AV software with Python

  1. 06-08-2012, 10:21 AM #1
    Cooker
    Cooker is offline
    Just burned his ISO
    Join Date
    Dec 2011
    Posts
    2

    Default Questions about evading AV software with Python

    This blog post mentions some ways of evading AV software, but I don't understand what they mean by wrapping an executable in a python script and inserting it into a good executable. Is that any different from metasploit's templates you can use for payloads?

    Also what do they mean by exporting it to a Python Array? You can't run Poison Ivy from a Python array.


    The evasion technique is pretty simple, wrap the executable into a python script (you can also use perl and Ruby) then insert it into a good executable or export to a new one.

    Poison Ivy - Straight export to Python Array. Pretty sad that it worked actually. This is where I had hoped to create some alerts that I would have had to suppress.

    LHYX1 has a great Python script for evading AV, is there anything else you can do with Python to evade AV?
  2. 06-19-2012, 08:11 AM #2
    thaijames
    thaijames is offline
    Junior Member
    Join Date
    Jan 2010
    Posts
    40

    Default Re: Questions about evading AV software with Python

    From what I understand, virus software has basically white listed anything that is python. I think that because just like java, they can't tell one python from the other to determine if it is malicious or not. They would have to ban all java and python.

    So the theory is that by putting shellcode in the python script, you can evade anti-virus. You can go one step further and use py-installer and create an executable from your python script so that it can be run on the victim's computer. (without python installed)

    Yes you can run run poison Ivy as a python array. I have not tried it, but that was the reason behind it.

    Exporting to a python array is simply exporting a bunch of code that you can copy and paste into your python script. You will need a python script that can load shell code.

    So your task if you choose to accept it:

    1. export shell code from poison ivy
    2. find a python script that can run the python shell code generated from poison ivy to connect back to poison ivy command center.
    3. get the above working standalone
    4. use Py-Installer to create an executable from the above.
    5. Automate all the above using a python script
    And of course report back here on your progress so that we can help and learn from your experiences.
    http://www.backtrack-linux.org/forum...ilies/wink.png




    Quote Originally Posted by Cooker View Post
    This blog post mentions some ways of evading AV software, but I don't understand what they mean by wrapping an executable in a python script and inserting it into a good executable. Is that any different from metasploit's templates you can use for payloads?

    Also what do they mean by exporting it to a Python Array? You can't run Poison Ivy from a Python array.





    LHYX1 has a great Python script for evading AV, is there anything else you can do with Python to evade AV?
« Previous Thread | Next Thread »

Similar Threads

  1. python-pip?
    By thorin in forum Tool Requests
    Replies: 0
    Last Post: 11-24-2010, 04:07 PM
  2. Python Help
    By hinoshori in forum Beginners Forum
    Replies: 2
    Last Post: 03-18-2010, 08:32 PM
  3. Tunnel VPN over 443 and evading IDS
    By theberries in forum OLD Programming
    Replies: 19
    Last Post: 01-27-2009, 11:05 AM
  4. Evading NIDS
    By kanto.86 in forum OLD Pentesting
    Replies: 1
    Last Post: 06-13-2008, 09:31 AM
  5. Few questions about software and sidebars...
    By zarraza in forum OLD BT3beta General
    Replies: 13
    Last Post: 01-25-2008, 05:57 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules