I've been learning all kinds of things I thought I'd never be able to do in the last few weeks, thanks to the inspiration BackTrack has given me to explore security issues. I learned how to write a batch file that runs a reverse meterpreter payload from a looping vbscript hidden in an alternate data stream, set an autorun entry in the registry for it, and install a legit program all at the same time with IExpress.
Thanks for keeping my brain moving! But then, the unthinkable happened *GASP*.
My antivirus, Avast!, released an update that now detects all Metasploit payloads regardless of how many times they're encoded, which encodings were used, or the order in which they were applied.
Using the process of elimination and a hex editor (HxD), I have pinpointed the exact location of the antivirus signature: Offset (h) 00001646
Changing this one value, "D6", kills the executable.
I've tried running Immunity Debugger to see what is at the address, but I'm having an embarrassing problem. I'm not a programmer, and the addresses in Immunity Debugger apparently aren't of the same format. Even if I could find out what was there, I'm reasonably sure I wouldn't know how to change it and still have a functioning .exe.
What do the pros do in a situation like this? Any recommended reading material?
Alright, so after doing some more research myself, I came across Mut's Shmoocon presentation on evading signature-based antivirus solutions, and I believe I have a lay understanding of what's going on there.
On further reading, I discovered that when making a stand-alone .exe of a Meterpreter payload, the actual exploit is in the rdata section of the file, so applying the technique he laid out verbatim in his presentation doesn't seem like it would work to me. Does the same technique apply, just modified to account for the location of the payload?
I grabbed a copy of LordPE, and I've tried adding 1000 hex bytes to the size of the text section in the header, making it writable, then filling the 1000 hex bytes in with HxD hex editor. At this point the file should work if done correctly, but it returns the error that it's not a valid w32 application. Tried adding the bytes to the rdata section. Still no dice. Maybe I fudgefingered something?
I'm afraid I'm in over my head. Any pointers would be appreciated. I'm always willing to learn.
Last edited by Archangel-Amael; 02-28-2011 at 12:19 PM.
This really is not the place to learn such. However someone may be able to point you in the right direction.
To be successful here you should read all of the following.
Forum Rules
Forum FAQ
If you are new to Back|Track
Back|Track Wiki
Failure to do so will probably get your threads deleted or worse.
Are you adding the 1000 bytes to the text section to add your own encoder/decoder code? If I remember correctly, Mut uses XOR encoding in the demo you are referring to. If so, why add to the text section? Why not use LordPE to just add a new section that is 1000 bytes and then fill that section with HxD? At that point you should be able to execute the file without the error message. Then there are a few ways to redirect execution to your new section.
I was trying to add the bytes to the text section because, like a monkey with a machine gun, I don't really know what I'm doing yet. I've never tried to modify an executable before, nor have I ever used a debugger... However, I learn best by tinkering around with things until I figure out how to use them.
Thanks for the idea to just create another section in the executable, that seems much easier than what I've been fooling around with.
Also switched to using Ollydbg. Now I can follow the addresses, because they match what I see in HxD. So, now I've got 70% of what I need to know to continue. I just have to figure out how to navigate to the different sections in Ollydbg before I can practice re-directing the execution flow :/
Just look at the size of the sections and the base address of the exe file.