steevel69007 Posted March 25, 2016

Hi, I'm Steeve and I'm new on this forum. I wrote a keylogger in C#, compiled as an .exe file (perfectly working but detected by AV). Then I tried to make it efficient and stealthy. I chose the following 'methodology':
- Create the ".exe" PE (recognized by AV)
- Encode the ".exe" file (with several encoding methods) in order to bypass AV
- Put the encoded ".exe" in a self-extracting archive with command lines (autostart in the registry, launch itself on first launch)
- Encode the archive with the same method
- Join the encoded archive with a file
- Encode again

First question: is my methodology good?

Then I tried to encode with msfvenom using the following command line:

msfvenom -p -< /root/Desktop/myfile.exe > root/Desktop/myencodedfile.exe -f exe -i 20 -a x86_64 --platform windows -e x86/shikata_ga_nai

Msfvenom succeeded with the encoding, and AV doesn't detect the malware anymore, but when I launch the PE (on a Win 7 x64) it does nothing: it stays a few seconds in the taskmgr and disappears, with no error window. So I thought it was a buffer overflow crash due to invalid characters such as x00, xff, x0a, x0d. Then I tried the following:

msfvenom -p -< /root/Desktop/myfile.exe > root/Desktop/myencodedfile.exe -f exe -i 20 -a x86_64 --platform windows -e x86/shikata_ga_nai -b '\x00\xff\x0a\x0d'

But the encoder returns an error due to bad characters. I need help with that. Thanks.
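The two symptoms in the post above (a silent exit after encoding, then a bad-character error when -b is added) both come from feeding a complete PE file to an encoder that expects raw position-independent x86 code. The script below is an added example, not code from the poster or from the Metasploit project: it parses the DOS header, PE signature and optional header of a blob, reports whether the blob is a PE image and whether it carries a CLR header (a managed .NET executable such as a C# build), and lists the bytes that collide with a given bad-character set. The PE headers it examines are constructed inline by build_fake_pe() for demonstration; they are header-only, contain no payload, and are not a runnable program.

```python
"""
Added example (not from the thread): tell a PE image apart from raw shellcode
and list the properties that make it unusable as input to an x86 shellcode
encoder such as x86/shikata_ga_nai. Sample headers are constructed below.
"""
import struct
from typing import Dict, List

PE32_MAGIC = 0x10B        # optional-header magic values (PE/COFF spec)
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14  # data-directory slot of the CLR runtime header
DEFAULT_BAD_CHARS = b"\x00\xff\x0a\x0d"  # the -b set used in the post


def parse_pe(data: bytes) -> Dict[str, object]:
    """Parse DOS header, PE signature and optional header; is_pe=False otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        fmt, dd_base = "PE32", opt + 96     # 28 standard + 68 Windows-specific bytes
    elif magic == PE32PLUS_MAGIC:
        fmt, dd_base = "PE32+", opt + 112   # 24 standard + 88 Windows-specific bytes
    else:
        return {"is_pe": False}
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    clr_off = dd_base + CLR_DIRECTORY_INDEX * 8
    managed = False
    if clr_off + 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", data, clr_off)
        managed = clr_rva != 0 and clr_size != 0   # non-empty CLR header => .NET image
    return {"is_pe": True, "format": fmt, "machine": machine,
            "entry_rva": entry_rva, "managed": managed}


def find_bad_chars(data: bytes, bad: bytes) -> Dict[int, List[int]]:
    """Map each bad byte that occurs in data to the list of offsets where it occurs."""
    hits: Dict[int, List[int]] = {b: [] for b in bad}
    for off, c in enumerate(data):
        if c in hits:
            hits[c].append(off)
    return {b: offs for b, offs in hits.items() if offs}


def shellcode_input_problems(data: bytes, bad: bytes = DEFAULT_BAD_CHARS) -> List[str]:
    """Reasons why data cannot serve as raw shellcode input for an x86 encoder."""
    problems: List[str] = []
    info = parse_pe(data)
    if info["is_pe"]:
        # An encoder decodes the blob and jumps to its first byte; a PE needs the
        # Windows loader to map sections and resolve imports before anything runs.
        problems.append(f"input is a {info['format']} PE image, not position-independent code")
        if info["managed"]:
            problems.append("PE has a CLR header: managed .NET code needs the CLR, not a raw jump")
    for b, offs in find_bad_chars(data, bad).items():
        problems.append(f"bad char 0x{b:02x} occurs {len(offs)} times (first at offset {offs[0]})")
    return problems


def build_fake_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 header (DOS stub, PE sig, COFF, optional header); no code."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    raw = b"\x31\xc0\x50\x68\x63\x61\x6c\x63"   # constructed raw x86 bytes, no bad chars
    for label, blob in (("raw bytes", raw), ("native PE", build_fake_pe(False)),
                        ("managed PE", build_fake_pe(True))):
        print(label, "->", shellcode_input_problems(blob) or ["usable as encoder input"])
```

Running it on the constructed headers shows the point the thread circles around: even a header-only PE carries hundreds of 0x00 bytes, so a no-nulls constraint cannot be met for a whole executable, and the CLR header marks the C# build as something only the .NET runtime can start, which is why a jump into its decoded bytes ends in a silent exit rather than a keylogger.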
i8igmac Posted March 25, 2016

This looks like fun. What if it was staged? Get the keylogging function from a remote location so it never hits the hard drive?
dustbyter Posted March 25, 2016

Staging could be a way to get it working. Depending on how the first stager is coded, it can be loaded with a reflective DLL. I was experimenting with A/V evasion, but haven't had much luck. I wrote some code that for now just XORs the payload to hide it from AV. The XOR works fine, but when using the memcpy method on the buf that is XOR-decrypted, A/V triggers. Somehow, A/V is keeping track of the buf that is XORed and then checks if it's copied with memcpy. Have not found a way to bypass that...
i8igmac Posted March 25, 2016

I have read articles about XOR being detected religiously. The method you come up with should be unique. What if you simply base64 encode the keylog function? I would assume saving the file to the hard drive will not set off any flags.
steevel69007 (Author) Posted March 25, 2016

Thanks guys for your answers. For the questions asked:
- My original file is coded in C#.
- The file is for a local deployment (not a remote attack). I want to test it on one of my computers, which runs Win 7 x64. So I don't use shellcode as Metasploit does. I just used msfvenom for its encoding capabilities. I remember msfencode could encode its own payloads but also custom provided files. The idea is similar to the trapped attached files you can find in custom mails... But no need to mail because... it's my own computer!!!
- For DLL injection, the application will start one time but will be unable to start at every machine start because it is buffered in memory.

I think maybe msfvenom is not an appropriate tool to do that. I saw Windows apps that seem to be able to obfuscate in this way, but I don't trust them because there are no good security tools working on Windows (with a good update rating).

Thanks