Posts posted by steevel69007
Hi,
I'm Steeve and I'm new on this forum.
I wrote a keylogger in C#, compiled as an .exe file (perfectly working but detected by AV). Then I tried to make it efficient and stealthy.
I chose the following 'methodology':
- Create the ".exe" PE (recognized by AV)
- Encode the ".exe" file (with several encoding methods) in order to bypass AV
- Put the encoded ".exe" in a self-extracting archive with command lines (auto start in registry, launch itself for first launch)
- Encode the archive with the same method
- Join the encoded archive with a file
- Encode again
First question: is my methodology good?
Then I tried to encode with msfvenom using the following command line:
msfvenom -p -< /root/Desktop/myfile.exe > root/Desktop/myencodedfile.exe -f exe -i 20 -a x86_64 --platform windows -e x86/shikata_ga_nai
Msfvenom succeeded with the encoding, AV doesn't detect malware anymore, but when I launch the PE (on a Win 7 x64), it does nothing, stays a few seconds in the taskmgr and disappears... With no error window...
So I thought it was a buffer overflow crash due to invalid characters such as x00, xff, x0a, x0d.
Then I tried the following:
msfvenom -p -< /root/Desktop/myfile.exe > root/Desktop/myencodedfile.exe -f exe -i 20 -a x86_64 --platform windows -e x86/shikata_ga_nai -b '\x00\xff\x0a\x0d'
But the encoder returns an error due to bad characters.
I need help with that.
Thanks.
-
My name is Steeve
Favourite game: Chess
Favourite OS: Debian
Favourite console: none !!!
Nationality: French
Accent: Bad english
Sex: Male
Race: White European
Height: 1m75
Build: god-like, of course
Favourite band: Jimi Hendrix Experience
Favourite book: Nine Princes in Amber
Favourite author: Roger Zelazny
Favourite movie: Once upon a time in America
Favourite director: Pasolini
Favourite TV Show: Shameless
Favourite actor: Al Pacino
Favourite actress: Cate Blanchett
Favourite Pinup:
Favourite Comedian: Monty Python
Other hobbies: Programming, boxing
Car: none
Occupation: Worker
Obfuscation of a custom ".exe" PE
in Security
Posted
Thanks guys for your answers,
For the questions asked:
- My original file is coded in C#
- The file is for a local deployment (not a remote attack). I want to test it on one of my computers, which runs Win 7 x64. So I don't use shellcode as Metasploit does. I just used msfvenom for its encoding capabilities. I remember msfencode could encode its own payloads but also custom provided files. The idea is similar to the trapped attached files you can find in custom mails... But no need to mail because... it's my own computer!!!
- For DLL injection, the application will start one time but will be unable to start at every machine start because it is buffered in memory.
I think maybe msfvenom is not an appropriate tool to do that. I saw Windows apps that seem to be able to obfuscate in this way, but I don't trust them because there are no good security tools working on W (with a good update rating).
Thanks