Page 4 of 12 FirstFirst ... 23456 ... LastLast
Results 31 to 40 of 114

Thread: [script] for AV evasion

  1. #31
    Junior Member L21ZIFER's Avatar
    Join Date
    Nov 2011
    Posts
    47

    Default Re: [script] for AV evasion

    @e3HQ67S, No - I did not experience such a life-pan heuristic on my testing machines with their AVs. I think it's more a question of the actual AV, which is in use.

    @LHYX1, The greater question now is, how to put that code (or bind it to) a PDF or an image? I looked over your code a little and thought of implementing /windows/fileformat/adobe_pdf_embedded_exe as the eighth choice. Would it be OK with you, if I'd mod your code a little to publish it afterwards right here? (If I'll do it). That way, a binded PDF-File could be put out right after the encoding.
    Last edited by L21ZIFER; 03-31-2012 at 10:03 AM.

  2. #32
    Just burned his ISO
    Join Date
    Mar 2012
    Posts
    3

    Default Re: [script] for AV evasion

    Quote Originally Posted by L21ZIFER View Post
    [FONT=Verdana]@e3HQ67S, No - I did not experience such a life-pan heuristic on my testing machines with their AVs. I think it's more a question of the actual AV, which is in use.
    Just curious, which AV did you use to test?

  3. #33
    Senior Member LHYX1's Avatar
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    @L21ZIFER That's a great idea. Post your adjustments and I'll update the script. Then we'll put both our names on the script
    I don't really think you can hide an exe file in an image though. You will need to find an exploit for something like this.

    @e3HQ67S I know there are some advanced AV's that track every move the payload makes. They will execute it but ones you try to spawn a shell or whatever, they will popup a message that says: Hey this process shouldn't start cmd.exe as a new process. Comodo is an example of such an AV. I haven't found a way to bypass this yet. If you have any ideas please let us know
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.

  4. #34
    Just burned his ISO
    Join Date
    Mar 2012
    Posts
    3

    Default Re: [script] for AV evasion

    Quote Originally Posted by LHYX1 View Post
    @e3HQ67S I know there are some advanced AV's that track every move the payload makes. They will execute it but ones you try to spawn a shell or whatever, they will popup a message that says: Hey this process shouldn't start cmd.exe as a new process. Comodo is an example of such an AV. I haven't found a way to bypass this yet. If you have any ideas please let us know
    Yeah I'm kind of curious how heuristic engines differ by vendor. AVG's functions similar to how you describe Comodo working. And it's been driving me nuts trying to bypass it. Basically every behavior you'd want or need to do with a meterpreter shell sets off alarms. I'd also love to figure out how to get around these things, short of simply disabling them.

  5. #35
    Junior Member L21ZIFER's Avatar
    Join Date
    Nov 2011
    Posts
    47

    Default Re: [script] for AV evasion

    @LHYX1,
    I managed to implement the whole extension, but problem is, the PDF gets detected by every AV.

  6. #36
    Senior Member LHYX1's Avatar
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    @L21ZIFER It's probably the exploit itself that get's detected.

    @e3HQ67S I think if you really want to bypass this, you will need to code your own payload or maybe if you could inject it into a trusted running process ?
    I'll think about this.
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.

  7. #37
    Junior Member L21ZIFER's Avatar
    Join Date
    Nov 2011
    Posts
    47

    Default Re: [script] for AV evasion

    Doublepost
    Last edited by L21ZIFER; 04-01-2012 at 01:08 PM.

  8. #38
    Junior Member L21ZIFER's Avatar
    Join Date
    Nov 2011
    Posts
    47

    Default Re: [script] for AV evasion

    @LHYX1, the edited version of your code works like this:

    01. PDF Binder shows up as choice 8
    02. The encoded backdoor.exe gets written as usual (in crypter.py)
    03. The PDF Export question shows up, besides applet attack and apache attack (see crypter.py)
    04. PDF gets binded with self-generated backdoor and exported.

    And AVs don't buy it.
    I lost the original edit I made on your code, but I have one (of my edited) code in backup.
    So, before I put it out, I better test it in practice.

  9. #39
    Member melissabubble's Avatar
    Join Date
    Aug 2011
    Location
    c:\
    Posts
    85

    Default Re: [script] for AV evasion

    hey LHYX1, I've been looking for a binder. Easy-binder is for windows and wine doesn't want to start it. Do you know of any for linux that are good?

  10. #40
    Junior Member L21ZIFER's Avatar
    Join Date
    Nov 2011
    Posts
    47

    Default Re: [script] for AV evasion

    @LHYX,
    here is my edited version of your code.

    Here are the few coding-changes:

    • - New attack form added to the menu
      Code:
      ....
      8) windows/fileformat/adobe_pdf_embedded_exe [+ 5)]
      It will bind a PDF to the meterpreter/reverse_tcp backdoor (this backdoor will be generated right from crypter.py as before and is for that reason stealthy)


    • - Right after the encoding-process the PDF gets binded to the .exe and needs an original PDF at /root/Desktop/original.pdf, this path is hard coded. I currently have no big Python-experience, I tried to make the original.pdf-path user-generated, but there were problems so I did it this way.


    • - After the binding-process the embedded PDF gets moved to /root/Desktop. Again, hard coded.


    As I mentioned it before, the final malicious PDF gets detected by AVs. That is a big problem and I didn't have enough time to work that out. But maybe it is only a little tweak.
    File allegati File allegati

Page 4 of 12 FirstFirst ... 23456 ... LastLast

Similar Threads

  1. Script for simple AV evasion (tested on AVG, Avast, Emisoft)
    By LHYX1 in forum BackTrack 5 General Topics
    Replies: 16
    Last Post: 05-01-2012, 09:26 PM
  2. Script for simple AV evasion (tested on AVG, Avast, Emisoft)
    By LHYX1 in forum BackTrack 5 Beginners Section
    Replies: 1
    Last Post: 07-16-2011, 02:16 PM
  3. Snort Signature Evasion with Metasploit
    By T0XIC in forum BackTrack 5 Videos
    Replies: 6
    Last Post: 07-01-2011, 12:21 PM
  4. Advanced antivirus evasion techniques
    By AzraelSepultura in forum Beginners Forum
    Replies: 4
    Last Post: 03-01-2011, 06:57 AM
  5. Firewall evasion techniques?
    By knithx in forum OLD Pentesting
    Replies: 2
    Last Post: 09-21-2009, 06:46 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •