Page 1 of 5, results 1 to 10 of 50

Thread: Hiding from AV

  1. #1
    prowl3r (Guest)

    Hiding from AV

    Gentlemen,

    I am working in a remote supervision procedure. Basically, the steps are:

    1.- Pop a box using meterpreter
    2.- Upload a packed VNC backdoor, modify registry accordingly
    3.- Sit and watch the remote desktop

    (Meterpreter built-in VNC seems to run at very slow frame rates, however this is a LAN exercise)


    I do know how to get the shell, prepare the backdoor, set registry changes, create a firewall rule to allow the executable ...

    Now, I want it to be undetectable from AVs. Again, I know how to do this for a particular AV by hex modifying the program, as per

    Defeating Virus Signatures

    or by just compressing it.

    Do any of you know a (simpler) method to hide an executable from most AVs in one shot?

    Killing the AV is not an option here.

    For the suspicious minds, I own a security company and I was born in the 60s. What I intend here is to show some clients (non technical profiles) why they should invest in security by using a real world example.

    That's why I don't want to go through the tedious hiding process for each and every AV they may use.

    Thanks.

  2. #2
    Snayler (Join Date: Jan 2010; Posts: 1,418)

    You could try using a rootkit, there's already a thread on the forum about that. Hope it helps

  3. #3
    Junior Member (Join Date: Jan 2010; Location: Canada; Posts: 84)

    You could manually pack and/or crypt it.

    Open it up in a disassembler and add in the following:

    a JMP to a sub program called uncrypt
    a subprogram called uncrypt that takes a buffer equal to that of your program, fills it with said program, then uncrypts it (for simple stuff a bitshift may work), then JMPs to the beginning of that program.

    Of course, this won't work if it is being detected by heuristics, but this will stop signature scanning since that is typically on the byte boundary; a simple 2-bit shift will usually work.

  4. #4
    prowl3r (Guest)

    If I understood you correctly, your advice is quite similar to the method linked here above.

    By modifying a byte, you trick AVs flagging a file hash.

    However, for those based on signatures, different AVs flag different strings, so it is not very effective unless you look for those particular signatures and change them. And you can't modify all of them in a single executable or it won't run.

    Anyway, thank you for your tip.

  5. #5
    Junior Member (Join Date: Jan 2010; Location: Canada; Posts: 84)

    Actually you obviously misunderstood me; my way would change EVERY byte in the file. To make it run like this:

    Shift the bits of a buffer containing your program; this is to reverse the previously "crypted" lines of... well, crap, into a working program.

    Run the decrypted program.

    So instead of: Hacking Program String Here
    the AV scans would see: ghiuagiabbviub buabviuab

  6. #6
    prowl3r (Guest)

    Sorry. You got my attention now.

    Scans won't detect it, but at execution time, after decryption, the signatures will be there, so the real-time guard will catch it. Right?

    Where may I find info on this set-up?
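A defender-side illustration of the exchange in #3, #5 and #6, added here and not code posted by anyone in this thread: a plain substring "signature" check misses the byte-rotated buffer as it sits on disk but hits once the buffer is restored to what actually executes, and a byte-entropy heuristic cannot tell the two apart because a per-byte rotation only permutes byte values. The marker string, the "header"/"trailer" padding and the 2-bit rotation are constructed samples standing in for a real file and a real signature.

```python
"""Why an on-disk signature scan misses a byte-rotated buffer while a scan of
the restored buffer does not, and why byte entropy is no help against this
particular transform. Constructed samples only; nothing here is real malware."""
import math
from collections import Counter

# Constructed sample: a harmless marker standing in for the byte pattern a
# signature scanner would look for (the string used in post #5).
SIGNATURE = b"Hacking Program String Here"


def rotl8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits; negative n rotates right."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def transform(buf: bytes, n: int) -> bytes:
    """Per-byte rotation (the 'simple 2 bit shift' of post #3).
    Rotating by -n undoes it, so this is a bijection on byte values."""
    return bytes(rotl8(b, n) for b in buf)


def signature_scan(buf: bytes, sig: bytes = SIGNATURE) -> bool:
    """A minimal signature scanner: exact byte-pattern match on what it is given."""
    return sig in buf


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, the usual heuristic for spotting compressed/encrypted sections."""
    if not buf:
        return 0.0
    total = len(buf)
    return -sum((c / total) * math.log2(c / total) for c in Counter(buf).values())


def build_sample(shift: int = 2) -> bytes:
    """Constructed 'crypted' file body: marker plus padding, rotated by `shift` bits."""
    body = b"header-bytes:" + SIGNATURE + b":trailer"
    return transform(body, shift)


def scan_report(on_disk: bytes, shift: int) -> dict:
    """Compare what a disk scan sees with what a post-restore (runtime) scan sees."""
    restored = transform(on_disk, -shift)
    return {
        "disk_scan_hit": signature_scan(on_disk),
        "runtime_scan_hit": signature_scan(restored),
        # Equal by construction: a bijection on byte values permutes the
        # histogram without changing it, so entropy heuristics see nothing.
        "entropy_on_disk": round(shannon_entropy(on_disk), 3),
        "entropy_restored": round(shannon_entropy(restored), 3),
    }


if __name__ == "__main__":
    print(scan_report(build_sample(2), 2))
```

The report comes out with `disk_scan_hit` false, `runtime_scan_hit` true and the two entropy figures identical. That is the point prowl3r reaches in #6: matching signatures against the file on disk is the weakest place to rely on, and detection that looks at what actually executes (memory scanning, behaviour) is what catches this class of trick. It also shows the limit of the packed-binary entropy heuristic: it flags compressed or properly encrypted sections, not a value permutation like this one.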

  7. #7
    Junior Member (Join Date: Sep 2006; Posts: 45)

    Not to appear rude, but I have doubts about this request.
    For example, I am assuming the said clients have security already if the VNC backdoor is getting picked up by their AV?

  8. #8
    prowl3r (Guest)

    > Not to appear rude, but I have doubts about this request.

    Not to appear rude, but I don't care about your doubts.

    And yes, everyone and their dog running Windows have antivirus. My customers are no exception.

  9. #9
    _jond (Guest)

    You own a security company and you don't know how to bypass AV? I call BS. 2 points.

    1. If you're a punk employee trying to show how smart you are, it's a felony. That's not a slap on the wrist, that's prison for several years where you'll probably get raped and will never hold another real job in your life.
    2. This is sooooooo f'ing easy that I'm not going to tell you how to do it.


    Peace

  10. #10
    Junior Member (Join Date: Sep 2006; Posts: 45)

    > Quote Originally Posted by prowl3r:
    > Not to appear rude, but I don't care about your doubts.
    >
    > And yes, everyone and their dog running Windows have antivirus. My customers are no exception.

    So then the question is what, exactly? You want to know how to make an exe not detected by antiviruses in order to what... sell them security products?

    I could point you in the right direction but maybe you'll abruptly paraphrase that too.
