Rinilyn Posted February 3, 2018 (edited)

I have an executable I'm trying to make as undetectable as possible and make persistent. There are a lot of apps on the internet and I don't want to waste too much time on useless self-claimed cryptors. Can you guys recommend anything? Do you know anything on Kali I can do? I couldn't understand PowerSploit much. It is working with Metasploit. All I want is to make an offline file FUD without need for reverse connections or listeners. It runs on the system and that is all I need.

PoSHMagiC0de Posted February 5, 2018

Trying to figure out exactly what you are asking, seeing as you say you have an exe you are trying to make FUD and you do not understand PowerSploit.

If you have an exe you made yourself and are trying to obfuscate it or something, then the question is: do you have the source? Also, do you know its architecture too? Is it .NET, and if so is it 32-bit or 64-bit? If it is unmanaged, is it 32-bit or 64-bit?

If you have the source, then changing the code around to do the same thing could obfuscate it enough to not be seen, but do not use online scanners. Go download a free one on a test machine and test it there. Avast is a good one to test against, though it is very good so... yeah.

If you have no source but know its architecture, then you have a choice. If it is .NET, then you can load it reflectively with PowerShell. PowerSploit's DLLInjection module shows this, though it is a little different with exes as you have to find the entry point and execute it. (If it takes parameters, you have to feed it the parameters as it wants them, i.e. string[]. Even if you have no parameters but the exe can take some, you need to give it those object types empty.)

If it is unmanaged, ReflectivePEInjection loading is what you will need, where you can keep the exe from hitting the drive and load directly from memory. The process (even if it is yourself) has to match the architecture of the executable though. If it is 32-bit, you will need to launch a 32-bit PowerShell instance; if it is 64-bit, then you will need to launch the 64-bit version of PowerShell to inject it right. The process you are injecting into must also have a matching bit version.

Persistence will be tougher if your exe is detectable. You will need to encrypt it to leave behind somewhere on the system. The actual loader will be the one that is fired off and it will grab the encrypted file, decrypt it in memory and inject. Be warned, unmanaged code injection is seen sometimes by Avast.
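
For defenders, the loader chain described in the post above (a PowerShell host matched to the payload's bitness, an in-memory decrypt, then a reflective load) leaves traces in PowerShell logging. The following is an added example, not part of any post in this thread: it triages simplified, constructed events, and the event shape (`host`, `script`), the regex patterns and the severity tiers are assumptions of the example.

```python
import re

# Indicators for the techniques named in the thread. The pattern choices are
# this example's assumptions, not a vendor rule set.
INDICATORS = {
    "reflective_dotnet_load": re.compile(r"Reflection\.Assembly\]::Load\(", re.I),
    "powersploit_injection": re.compile(r"Invoke-(ReflectivePEInjection|DllInjection)", re.I),
    "in_memory_decrypt": re.compile(r"CreateDecryptor\(|FromBase64String\(", re.I),
}
# On 64-bit Windows the 32-bit PowerShell host runs from the SysWOW64 directory.
WOW64_HOST = re.compile(r"\\SysWOW64\\WindowsPowerShell\\", re.I)


def triage(event):
    """Return (severity, sorted indicator names) for one logged script event."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(event["script"])}
    if WOW64_HOST.search(event["host"]):
        hits.add("wow64_powershell_host")
    loads = hits & {"reflective_dotnet_load", "powersploit_injection"}
    if loads and "in_memory_decrypt" in hits:
        severity = "high"    # decrypt-then-load chain, as the post describes
    elif loads:
        severity = "medium"  # in-memory load with no decrypt stage seen
    elif hits:
        severity = "low"     # single weak signal, also common in admin scripts
    else:
        severity = "none"
    return severity, sorted(hits)


# Constructed sample events (not real logs); "..." marks elided script text.
SAMPLE_EVENTS = [
    {"host": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "script": "Get-ChildItem C:\\Logs | Measure-Object"},
    {"host": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "script": "... $aes.CreateDecryptor() ... Invoke-ReflectivePEInjection ..."},
    {"host": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "script": "... [System.Reflection.Assembly]::Load($bytes) ..."},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

The 32-bit host on its own only rates "low", since legitimate 32-bit tooling also runs from that path; it adds weight when it appears alongside a load indicator.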

sanjay baghela Posted February 14, 2018

If you have no source but know its architecture then you have a choice. If it is .NET then you can load it reflectively with powershell. Powersploit's DLLInjection module shows this though is a little different with exes as you have to find the entry point and execute it. (if it takes parameters, you have to feed it the parameters as it wants them ie string[]..even if you have no parameters but exe can take some you need to give it those object types empty).

aaliyah mendes

Rinilyn (Author) Posted February 14, 2018 (edited)

I appreciate the support guys. I posted this while using a hex editor app and trying to add or change the stuff that triggers the AV. I don't think I can yet understand what y'all are trying to explain. Sometime later I'll lock myself in my room and see what else I can do. The only issue I still have is AV that blocks suspicious behavior before it happens. Now that's the real challenge. Either stop the AVs or, I don't know, make multiple cmd do simple tiny jobs that wouldn't get flagged. Again, thanks guys.