Thread: Advanced antivirus evasion techniques

  1. #1
    Just burned his ISO
    Join Date
    Dec 2010

    Advanced antivirus evasion techniques

    I've been learning all kinds of things I thought I'd never be able to do in the last few weeks, thanks to the inspiration BackTrack has given me to explore security issues. I learned how to write a batch file that runs a reverse meterpreter payload from a looping vbscript hidden in an alternate data stream, set an autorun entry in the registry for it, and install a legit program all at the same time with IExpress.

    Thanks for keeping my brain moving! But then, the unthinkable happened *GASP*.

    My antivirus, Avast!, released an update that now detects all Metasploit payloads regardless of how many times they're encoded, which encodings were used, or the order in which they were applied.

    Using the process of elimination and a hex editor (HxD), I have pinpointed the exact location of the antivirus signature: Offset (h) 00001646

    Changing this one value, "D6" kills the executable.

    I've tried running Immunity Debugger to see what is at the address, but I'm having an embarrassing problem. I'm not a programmer, and the addresses in Immunity Debugger apparently aren't in the same format. Even if I could find out what was there, I'm reasonably sure I wouldn't know how to change it and still have a working .exe.

    What do the pros do in a situation like this? Any recommended reading material?

    Alright, so after doing some more research myself, I came across Mut's Shmoocon presentation on evading signature-based antivirus solutions, and I believe I have a lay understanding of what's going on there.

    On further reading, I discovered that when making a stand-alone .exe of a Meterpreter payload, the actual exploit is in the rdata section of the file, so applying the technique he laid out verbatim in his presentation doesn't seem like it would work to me. Does the same technique apply, just modified to account for the location of the payload?

    I grabbed a copy of LordPE, and I've tried adding 1000 hex bytes to the size of the text section in the header, making it writable, then filling the 1000 hex bytes in with the HxD hex editor. At this point the file should work if done correctly, but it returns the error that it's not a valid Win32 application. Tried adding the bytes to the rdata section. Still no dice. Maybe I fudgefingered something?

    I'm afraid I'm over my head. Any pointers would be appreciated. I'm always willing to learn.
    Last edited by Archangel-Amael; 02-28-2011 at 12:19 PM.

  2. #2
    Super Moderator Archangel-Amael
    Join Date
    Jan 2010

    Re: Advanced antivirus evasion techniques

    This really is not the place to learn such things. However, someone may be able to point you in the right direction.
    To be successful here you should read all of the following.
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Senior Member
    Join Date
    Jan 2010

    Re: Advanced antivirus evasion techniques

    Are you adding the 1000 bytes to the text section to add your own encoder/decoder code? If I remember correctly, Mut's uses XOR encoding in the demo you are referring to. If so, why add to the text section? Why not use LordPE to just add a new section that is 1000 bytes and then fill that section with HxD? At that point you should be able to execute the file without the error message. Then there are a few ways to redirect execution to your new section.

  4. #4
    Just burned his ISO
    Join Date
    Dec 2010

    Re: Advanced antivirus evasion techniques

    I was trying to add the bytes to the text section because, like a monkey with a machinegun, I don't really know what I'm doing yet. I've never tried to modify an executable before, nor have I ever used a debugger... However, I learn best by tinkering around with things until I figure out how to use them.

    Thanks for the idea to just create another section in the executable, that seems much easier than what I've been fooling around with.

    Also switched to using OllyDbg. Now I can follow the addresses, because they match what I see in HxD. So now I've got 70% of what I need to know to continue. I just have to figure out how to navigate to the different sections in OllyDbg before I can practice redirecting the execution flow :/

  5. #5
    Moderator KMDave
    Join Date
    Jan 2010

    Re: Advanced antivirus evasion techniques

    Just look at the size of the sections and the base address of the exe file.
    Tiocfaidh ár lá
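From the defender's side of what #3 and #5 describe (an extra section bolted on with LordPE, section sizes, the image base), here is an added example that is not from any poster: it walks a PE's section table, reports each section's virtual address relative to the image base, and flags sections that are both writable and executable, the footprint such a hand-added code cave leaves and a cheap triage check for tampered binaries. The sample header bytes and the `.cave` section name are constructed for the demo, not taken from a real file.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(data):
    """Return (image_base, [section dicts]) parsed from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)        # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                          # PE32: ImageBase is a DWORD at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                        # PE32+: ImageBase is a QWORD at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    sections, off = [], opt + opt_size
    for _ in range(nsec):                                       # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        flags, = struct.unpack_from("<I", data, off + 36)       # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": image_base + va, "vsize": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr, "flags": flags})
        off += 40
    return image_base, sections

def suspicious_sections(sections):
    """Names of sections mapped writable AND executable (normal linkers avoid this)."""
    return [s["name"] for s in sections
            if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE]

def build_sample_pe():
    """Constructed minimal PE32 header (not a runnable program): .text plus an RWX '.cave'."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    opt = bytearray(224)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x00400000)                 # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    def sec(name, va, size, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, rawptr, 0, 0, 0, 0, flags)
    text = sec(b".text", 0x1000, 0x1000, 0x400, 0x60000020)     # CODE|EXECUTE|READ
    cave = sec(b".cave", 0x2000, 0x1000, 0x1400, 0xE0000020)    # CODE|EXECUTE|READ|WRITE
    return dos + b"PE\0\0" + coff + bytes(opt) + text + cave

if __name__ == "__main__":
    base, secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:8} VA=0x{s['va']:08X} raw=0x{s['raw_size']:X} flags=0x{s['flags']:08X}")
    print("writable+executable:", suspicious_sections(secs))
```

Running it against a real file only needs `parse_sections(open(path, "rb").read())`; a section that is RWX, or whose raw data sits past every other section's, is worth a closer look in the debugger.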
