Jump to content

Obfuscation of a custom ".exe" PE


steevel69007
 Share

Recommended Posts

Hi,

I'm Steeve and i'm new on this forum

I wrote a keylogger in c# language compiled as an .exe file (perfectly working but detected by AV). Then I try to make it efficient and stealth.

I choose following 'methodology' :

- Create the ".exe" PE (recognized by AV)

- Encode the ".exe" file (with several encoding methods) in order to bypass AV

- Put the encoded ".exe" in an auto-extractible archive with command lines (auto start in register, lanch itself for for first launch)

- Encode the archive with the same method

- Join the encoded archive with a file

- Encode again

First question : is my methodology is good ?

Then, i tried to encode with msfvenom using following command line :

msfvenom -p -< /root/Desktop/myfile.exe > root/Desktop/myencodedfile.exe -f exe -i 20 -a x86_64 --platform windows -e x86/shikata_ga_nai

Msfvenom succeed with encoding, AV doesn't detect malware anymore but when i launch the PE (on a win 7 x64), it does nothing, stays a few seconds in the taskmgr and disappear... With no error window...

So I thought it was a buffer overflow crash due to invalid characters as x00, xff, x0a, x0d.

Then I tried following :

msfvenom -p -< /root/Desktop/myfile.exe > root/Desktop/myencodedfile.exe -f exe -i 20 -a x86_64 --platform windows -e x86/shikata_ga_nai -b '\x00\xff\x0a\x0d'

But encoder returns an error due to bad characters.

I need help with that.

Thanks.

Link to comment
Share on other sites

Staging could be a way to get it working. Depending how the first stager is coded, it can be loaded with a reflective dll.

I was experimenting with A/V evasion, but haven't had much luck. I wrong some code that for now just XOR'ed the payload to hide it from AV. The XOR works fine, but when using the memcpy method on the buf that is XOR decrypted, A/V triggers.

Some how, A/V is keeping track of the buf that is XOR'ed and then checks if its copied with memcpy. Have not found a way to bypass that... :sad:

Link to comment
Share on other sites

Thanks guys for your answers,

For the question asked :

- My original file is coded in C#

- The file is done a local deployment (not remote attack). I want to test it on one of my computers who runs on win 7 x64. So i don-t use shellcode as metasploit does. I just used msfvenom for his encoding capabilities. I remember msfencode could encode his own payloads but also custom provided files. The idea is similar with traped attached files you can find in custom mails... But no need to mail because... it's my own computer !!!

- For DLL injection, the application will start one time but will be unable to start at every machine start because is bufferd in memory.

I think maybe msfvenom is not an appropriate tool to do that. I saw windows app that seems to be able to obfuscate in this way but I don't trust because there are not good security tools working on W (with a good update rating).

Thanks

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...