Bypassing Antivirus Heuristic Detection Of Meterpreter

For every penetration testing task, meterpreter is an important and powerful tool, but one of the big issues we need to deal with when using it is antivirus detection.
There are numerous posts on the Internet on how you can become undetectable against the static analysis and code emulation detection vectors; however, these methods won't help against heuristic/dynamic analysis.

In this post I'll explain, step by step, how to:

  • Identify the trigger of a heuristic signature
  • Explain the basics of meterpreter
  • Suggest a simple correction to become undetectable

The Heuristic Signature:

The scenario is the following: we have a meterpreter session on a Windows 7 64-bit machine running AVG Free Antivirus. The initial meterpreter executable has been modified to evade the initial detection (static and emulation), but when we try to migrate to explorer.exe, our process is killed and the antivirus reports suspicious activity.

Meterpreter Basics:

Saying meterpreter is an incredible tool is an understatement. There are some elements we need to know before we dive into debugging the trigger of the heuristic signature.
meterpreter uses a technique called Reflective DLL Injection, which in a nutshell gives you the power of shellcode in a DLL format.
Shellcode has the particularity of being able to resolve its own dependencies and of being Position Independent Code: you just put it in memory, point EIP to it, and it works.
Reflective DLL Injection works in the same fashion but with a lot more power: you put the DLL in memory, point EIP to its entry point and it works. It does so by resolving its own dependencies and by processing the relocation table itself.
This technique is used by meterpreter to push the modules containing the advanced logic over the network straight into memory, which makes it possible to write them in C instead of assembly, reduces the fingerprint on disk, and makes meterpreter more evasive and very extensible.
For more information on Reflective DLL Injection, please check these resources:

https://www.defcon.org/images/defcon-20/dc-20-presentations/King/DEFCON-20-King-Reflective-Injection-Detection.pdf
https://github.com/stephenfewer/ReflectiveDLLInjection

Compiling meterpreter and Debugging:

OJ has done great work explaining and simplifying the compilation of meterpreter; I recommend checking out his post:

http://buffered.io/posts/building-meterpreter-is-easy/

This will allow us to retrieve the following files:

For this particular signature, we will only be interested in:
  • metsrv.{x86,x64}.dll
  • ext_server_stdapi.{x86,x64}.dll
  • ext_server_priv.{x86,x64}.dll

To debug our meterpreter, make sure to use the Debug build configuration, which lets us read the output of dprintf with DbgView from Sysinternals.



Once the DLLs are compiled, you'll need to copy them to /data/meterpreter. We won't need a different executable every time the DLLs are recompiled, as they are pushed over the network and the initial executable does not change.

For our debugging needs, we'll only need dprintf, MessageBox and DbgView.

Stepping through the code:

Now that we have some debug output, we can start pinpointing what is triggering the heuristic signature. Our initial run led us to the inject_via_remotethread_wow64 function:


If we inspect the code of the function, it allocates two memory regions and copies hard-coded shellcode into them.
We will now add more verbose messages and separate the different actions with Sleeps to better pinpoint the issue.


The second run indicates that the antivirus is triggered by the execution of the shellcodes.

The first shellcode is in charge of switching to 64-bit by modifying the code segment value, and the second shellcode creates a remote thread.



Bypassing the Antivirus:

The use of hard-coded shellcode could well be what triggers the signature, so let's try changing this code by simply adding some nops.


The path of the assembly source is indicated in the meterpreter source code, so we can now assemble the modified stub, rebuild meterpreter and test it again.



Well, it works! I just added a MessageBox at the end to illustrate that it works.
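From the detection side, the nop trick above shows why a signature keyed on the exact bytes of the first shellcode is brittle. The following is an added example, not code from the post or from meterpreter: a small matcher for the 32-to-64-bit code-segment switch that ignores nops between instructions. It assumes the widely published WoW64 transition stub (push 0x33 / call $+5 / add dword [esp], 5 / retf), which the post itself does not list.

```python
"""Nop-tolerant scan for the WoW64 code-segment switch stub.

Added example, not part of the original post. The chunks below are the
commonly published 32->64-bit transition sequence (an assumption; the post
only says the first shellcode changes the code segment value). Matching
instruction by instruction, and skipping 0x90 between them, survives the
nop insertion that defeats an exact-byte signature.
"""
from typing import List, Optional

NOP = 0x90

# Instruction chunks of the transition stub, matched in order.
HEAVENS_GATE_CHUNKS: List[bytes] = [
    bytes([0x6A, 0x33]),                    # push 0x33
    bytes([0xE8, 0x00, 0x00, 0x00, 0x00]),  # call $+5
    bytes([0x83, 0x04, 0x24, 0x05]),        # add dword [esp], 5
    bytes([0xCB]),                          # retf
]


def match_at(buf: bytes, pos: int) -> Optional[int]:
    """Return the end offset if the stub starts at pos, else None."""
    i = pos
    for n, chunk in enumerate(HEAVENS_GATE_CHUNKS):
        if n > 0:  # any number of nops may sit between instructions
            while i < len(buf) and buf[i] == NOP:
                i += 1
        if buf[i:i + len(chunk)] != chunk:
            return None
        i += len(chunk)
    return i


def find_heavens_gate(buf: bytes) -> List[int]:
    """Return the start offsets of every nop-tolerant match in buf."""
    hits: List[int] = []
    pos = 0
    while pos < len(buf):
        end = match_at(buf, pos)
        if end is None:
            pos += 1
        else:
            hits.append(pos)
            pos = end
    return hits


# Constructed samples: the clean stub, and the same stub with nops inserted.
CLEAN = b"".join(HEAVENS_GATE_CHUNKS)
NOPPED = b"".join(chunk + b"\x90\x90" for chunk in HEAVENS_GATE_CHUNKS)
```

The exact-byte check `CLEAN in NOPPED` is false, while `find_heavens_gate(NOPPED)` still reports a hit at offset 0.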
