
Thread: [script] for AV evasion

  1. #71
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    @jnpa123 Comodo firewall blocks everything unless you add an exception (which I find very annoying), and I think Avast sandboxes everything that doesn't have a nice software signature (Comodo sandboxes it too), so you can't really do anything about this. I think most AVs sandbox files without a signature.

    BTW, I find Comodo to be a real pain. It doesn't flag the file as malware, but once it's running and you try to spawn a shell or whatever, the behavior monitoring catches it.
    If anyone has ideas on how to bypass this?

    @judas1337 The script tries to find Metasploit in /pentest/exploits/framework3. I think that on BackTrack Metasploit is now located in /pentest/exploits/framework.
    Change the directory in this line to your Metasploit directory, or if the script is located in your Metasploit directory you could just remove this line:
    Code:
    os.chdir("/pentest/exploits/framework3")
    I'll update the script.
    Last edited by LHYX1; 06-08-2012 at 07:03 AM.
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.

  2. #72
    Just burned his ISO
    Join Date
    Dec 2011
    Posts
    2

    Default Re: [script] for AV evasion

    Cool script, but I don't understand how JunkA and JunkB are being used. It creates some junk characters, but where in the script are they being used?

  3. #73
    Junior Member
    Join Date
    Aug 2011
    Posts
    34

    Default Re: [script] for AV evasion

    Using ShellCodeExec with alphanumeric shellcode created through SET it is possible to bypass the Avast auto sandbox; no success bypassing Comodo though.
    When I get on vacation I'll try to look deeper into that.
    BTW, as you're already going to update the script, maybe you could change the use of malloc in structure.c to prevent the DEP issue.
    I successfully used this:
    Code:
    /* 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE (see the constant names discussed below) */
    unsigned char* exec = (unsigned char*)VirtualAlloc(NULL, PAYLOAD_LENGTH/2, 0x1000, 0x40);
    unsigned char* unpack = (unsigned char*)VirtualAlloc(NULL, PAYLOAD_LENGTH/2, 0x1000, 0x40);
    I didn't test if it affects the detection ratio; I don't think it does.

  4. #74
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    4

    Default Re: [script] for AV evasion

    Quote Originally Posted by LHYX1
    @jnpa123 Comodo firewall blocks everything unless you add an exception (which I find very annoying), and I think Avast sandboxes everything that doesn't have a nice software signature (Comodo sandboxes it too), so you can't really do anything about this. I think most AVs sandbox files without a signature.

    BTW, I find Comodo to be a real pain. It doesn't flag the file as malware, but once it's running and you try to spawn a shell or whatever, the behavior monitoring catches it.
    If anyone has ideas on how to bypass this?

    @judas1337 The script tries to find Metasploit in /pentest/exploits/framework3. I think that on BackTrack Metasploit is now located in /pentest/exploits/framework.
    Change the directory in this line to your Metasploit directory, or if the script is located in your Metasploit directory you could just remove this line:
    Code:
    os.chdir("/pentest/exploits/framework3")
    I'll update the script.

    Thanks bro, it's working.

  5. #75
    Good friend of the forums zimmaro
    Join Date
    Mar 2010
    Location
    milano
    Posts
    407

    Default Re: [script] for AV evasion


  6. #76
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    5

    Default Re: [script] for AV evasion

    Quote Originally Posted by judas1337
    I get an error?


    Traceback (most recent call last):
    File "./crypter.py", line 89, in <module>
    a = open(payload_raw,"rb")
    IOError: [Errno 2] No such file or directory: 'temp.raw'

    How can I fix this?

    Thank you.
    I get this same error. I changed the path to /pentest/exploits/framework2, as it is for BT5 R2, and still get the error. I moved the script to /pentest/exploits/framework2 and removed the reference in the script, and still get the same error. Any ideas?

  7. #77
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Default Re: [script] for AV evasion

    @Cooker junkA and junkB are used here:

    Code:
    code = open_structure % (junkA,outArray,junkB,key,length,devide)
    b.write(code)
    They are inserted into a byte array in structure.c:
    Code:
    char junkA []= %s;
    unsigned char payload[] = %s;
    char junkB []= %s;
    I do this to make the backdoor file as random as possible.

    @jnpa123 I'll add this to the script.
    Code:
    unsigned char* exec = (unsigned char*)VirtualAlloc(NULL, PAYLOAD_LENGTH/2 ,0x1000,0x40);
    unsigned char* unpack = (unsigned char*)VirtualAlloc(NULL, PAYLOAD_LENGTH/2, 0x1000,0x40);
    But could you explain this a little bit further? How exactly does this bypass DEP?
    You set flAllocationType to MEM_COMMIT,
    and then you set flProtect to PAGE_EXECUTE_READWRITE.
    So you are able to specify the type of memory protection that should be used for the VirtualAlloc function? Am I correct?


    @Ech3l0n I'm running an older version of BT, so I don't know the Metasploit directory in BT5 R2.
    Just get a fresh copy of the script or change the directory to "/opt/framework3/msf3". I think this is the same in all versions of BT.
    Last edited by LHYX1; 06-10-2012 at 11:20 AM.

  8. #78
    Junior Member
    Join Date
    Aug 2011
    Posts
    34

    Default Re: [script] for AV evasion

    Quote Originally Posted by LHYX1
    But could you explain this a little bit further? How exactly does this bypass DEP?
    You set flAllocationType to MEM_COMMIT,
    and then you set flProtect to PAGE_EXECUTE_READWRITE.
    So you are able to specify the type of memory protection that should be used for the VirtualAlloc function? Am I correct?
    Correct.
    Memory allocated with the malloc function is always marked as non-executable; by using the VirtualAlloc function with the PAGE_EXECUTE_READWRITE protection you can allocate executable memory.
    There are other ways to bypass DEP; I just think this is the easiest way in this case. You could, for example, keep the malloc function and then use VirtualProtect to change its protection.

  9. #79
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    5

    Default Re: [script] for AV evasion

    Quote Originally Posted by LHYX1
    @Ech3l0n I'm running an older version of BT so I don't know the metasploit directory in BT5 R2.
    Just get a fresh copy of the script or change the directory to "/opt/framework3/msf3". I think this is the same in all the versions of BT.
    Thanks for the help, I was pointing the script to the wrong location. For my install of BT5_R2_64bit it was "/opt/metasploit/msf3". Nice job with opening a handler in MSF and adding the PDF option; it's working well for me! Thanks again.

    Ech3l0n

  10. #80
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    5

    Default Re: [script] for AV evasion

    Hi, I've tried it on a Windows 7 machine which runs "BitDefender total protection 2012" and unfortunately it gets caught!
