
Thread: [script] for AV evasion


  1. #1
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    [script] for AV evasion

    Hello everybody,

    I created a Python script that will obfuscate Metasploit payloads so they won't get detected by AVs.
    The script creates a C file that will execute your obfuscated shellcode.
    The script:
    1) XORs your payload
    2) adds a random byte after every byte of your shellcode
    3) adds random junk
    4) randomizes the file size
    5) strips out the debugging symbols

    So basically signature-based AVs have no chance at detecting this.

    Then to bypass heuristic methods of detection:
    When you run your exe file, it deobfuscates your payload with very long for loops, and I added a timer that waits a few moments.
    And then your Metasploit shellcode gets executed.

    The script lets you choose to copy the exe to /var/www so you can easily download it via Apache, or
    you can use your undetectable exe to attack a target with the Java applet method from SET.

    At the moment the script only contains a few payloads from Metasploit. Feel free to add more.

    The only disadvantage the script has is that it takes about 8 seconds before you get a shell after your victim has executed the exe file.
    This is because of the timer and the for loops.

    I tested the script on Kaspersky 2012, Symantec, AVG, Avast and Microsoft Essentials.
    NoVirusThanks results: http://vscan.novirusthanks.org/analy...ja2Rvb3ItZXhl/

    All the files should be placed in your Metasploit directory and you should have mingw32 installed.
    Download: http://home.base.be/%72%68%69%6e%63%6b%78%74/script.zip

    Some of the ideas for the script I got from: http://spareclockcycles.org/tag/antivirus-evasion/

    I hope you like it.

    EDIT: added option to create an evil pdf 04/04/2012
    Last edited by LHYX1; 04-04-2012 at 11:30 AM.
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.
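A defender-side check for the scheme described in this post, added here and not part of LHYX1's script: it recovers the single-byte XOR key and the interleave stride exhaustively and scans the decoded lanes for a known prologue. The prologue bytes are an assumed signature (Metasploit's x86 block_api preamble with the call displacement wildcarded) and the sample blob is constructed by hand.

```python
# Added example, not the script from the thread: brute-force detection of
# the obfuscation the opening post describes (single-byte XOR, then a junk
# byte interleaved after every payload byte). Both steps undo cheaply.
from typing import List, Optional, Tuple

# Assumed signature: the cld / call / pushad / mov ebp,esp prologue of
# Metasploit's x86 block_api stagers; the call displacement varies between
# versions, so byte 2 is a wildcard (None). Swap in whatever your scanner uses.
PROLOGUE: List[Optional[int]] = [0xFC, 0xE8, None, 0x00, 0x00, 0x00, 0x60, 0x89, 0xE5]

Hit = Tuple[int, int, int, int]  # (key, stride, offset, position within lane)


def scan(blob: bytes, max_stride: int = 4) -> List[Hit]:
    """Find PROLOGUE under any single-byte XOR key at any interleave stride.

    The key is never guessed 256 times: a known plaintext byte (PROLOGUE[0])
    pins it to lane[pos] ^ PROLOGUE[0], and the remaining pattern bytes either
    confirm or reject that key. Cost is O(len(blob) * max_stride).
    """
    hits: List[Hit] = []
    for stride in range(1, max_stride + 1):
        for offset in range(stride):
            lane = blob[offset::stride]          # de-interleave one lane
            for pos in range(len(lane) - len(PROLOGUE) + 1):
                key = lane[pos] ^ PROLOGUE[0]
                if all(p is None or (lane[pos + i] ^ key) == p
                       for i, p in enumerate(PROLOGUE)):
                    hits.append((key, stride, offset, pos))
    return hits


def decode_lane(blob: bytes, key: int, stride: int, offset: int) -> bytes:
    """Recover one lane of the payload: every stride-th byte from offset, un-XORed."""
    return bytes(b ^ key for b in blob[offset::stride])


# Constructed sample: 3 bytes of leading junk, then the prologue XORed with
# 0x5A and interleaved with junk bytes (0x11, 0x22, ...), then 2 trailing bytes.
SAMPLE = bytes.fromhex(
    "414243" "a611" "b222" "d833" "5a44" "5a55" "5a66" "3a77" "d388" "bf99" "0102"
)

if __name__ == "__main__":
    for key, stride, offset, pos in scan(SAMPLE):
        found = decode_lane(SAMPLE, key, stride, offset)[pos:pos + len(PROLOGUE)]
        print(f"key=0x{key:02x} stride={stride} offset={offset} pos={pos} -> {found.hex()}")
```

The random padding and file-size changes leave the per-lane key constant, which is why one known plaintext byte is enough to pin it; the timer and long loops only delay execution and do not change what a static decode-then-match pass sees.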

  2. #2
    Good friend of the forums zimmaro
    Join Date
    Mar 2010
    Location
    milano
    Posts
    407

    Re: [script] for AV evasion

    As always, much appreciated, and many, many, many thanks.

  3. #3
    Just burned his ISO
    Join Date
    Jan 2011
    Posts
    14

    Re: [script] for AV evasion

    Wow, that's so cool, cheers...

  4. #4
    Good friend of the forums comaX
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Re: [script] for AV evasion

    Clean code, easily readable. A few comments would have been nice, though.
    I'm having a "script" section on my site where I put scripts I find interesting. Would you mind me "publishing" yours (that would consist only of redirecting people to this thread)?

    Oh, and by the way... while no virus thx and the like are handy tools, they do give the file signature to the AV corporations, so you should avoid that (or tick the "no send" box, if available)! I guess you knew it, but it might be good for other people to know it.

    Cheers!
    Last edited by comaX; 03-05-2012 at 06:16 AM.
    Running both KDE and GNOME BT5 flawlessly. Thank you!

  5. #5
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: [script] for AV evasion

    @comaX I don't mind you publishing my script on your site.
    Sorry, I didn't really think about comments.
    I checked the box "Do not distribute this sample" when I uploaded my backdoor.exe to NoVirusThanks.
    I used NoVirusThanks because it's the only scanner with multiple engines that I know has this option.

  6. #6
    Just burned his ISO
    Join Date
    Jan 2011
    Posts
    14

    Re: [script] for AV evasion

    Here's another good site for scanning files that doesn't share samples either. You will need to register, though, but it's worth it: you can either use the 2 free scans a day or buy more credits.

    http://elementscanner.net/
    http://myavscan.net

  7. #7
    Good friend of the forums zimmaro
    Join Date
    Mar 2010
    Location
    milano
    Posts
    407

    Re: [script] for AV evasion

    Hi, LHYX1,
    works WONDERFULLY:
    I tested (apache-server-mode) against 3 of my Win machines, XP SP3 (IE7), Vista SP1 (IE8) and Win7 (fully patched, IE9), with the most important AVs used in my part.
    The only small thing is the "system" Win7 + IE9, which "tends to block the download/execute".

    Thanks for your work!

  8. #8
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: [script] for AV evasion

    Glad you like it, zimmaro.

  9. #9
    Just burned their ISO
    Join Date
    Jan 2012
    Posts
    13

    Re: [script] for AV evasion

    Very, very nice.

  10. #10
    Just burned his ISO
    Join Date
    Dec 2008
    Posts
    3

    Re: [script] for AV evasion

    Very nice for bypassing antivirus. I tested it on a Windows 7 machine + Online Armor Premium Firewall = the firewall tracks every movement of the payload xD "allow or deny?"

    Cheers.
