Metasploit mailing list archives
Re: Payload AV evasion thoughts...
From: John B <johnb.electric () gmail com>
Date: Thu, 21 Apr 2011 05:45:30 -0400
Didn't even think of that, the encoder is modifying the section when it's run. I knew it sounded too easy in my head. Thanks for the response.

John

On Mon, Apr 18, 2011 at 9:01 PM, <egypt () metasploit com> wrote:
> On Mon, Apr 18, 2011 at 6:12 PM, John B <johnb.electric () gmail com> wrote:
>> On Mon, Apr 18, 2011 at 11:16 AM, HD Moore <hdm () metasploit com> wrote:
>>> On 4/18/2011 8:09 AM, John B wrote:
>>>> Combine that with code to make it portable across all systems, then add
>>>> an encoding stub, and we can create unique payloads every time without
>>>> the need for templates (with the assumption that the templates are the
>>>> main way of detecting payloads). I will continue to work on some full
>>>> examples, but anyone with asm experience who could create some dynamic
>>>> encoders with Metasm would really be helpful.
>>>
>>> The current encoder actually does this today; it uses metasm to compile
>>> a slightly randomized (via jumps and nops) stub. The main problem is we
>>> use a stub to create a RWX segment, that we copy the real shellcode to,
>>> which is then executed. The AVs generally catch the stub to create the
>>> RWX segment, NOT the actual shellcode. The reason for this is encoding;
>>> you can't encode the stub, since the stub has to be RWX. A bit of a
>>> chicken and egg, and making the segment itself RWX triggers even more
>>> signatures.
>>>
>>> -HD
>>
>> That's why I was toying with the idea of completely dynamic payloads, not
>> just the stub added to the template. If they detect the template, or they
>> detect the extra RWX section added to a custom template, bypass the
>> template or dynamically create the template with random sections, imports,
>> size, strings. I'm not 100% on the current process, but from examining the
>> win32pe functions it seems as though you're adding the shellcode to the
>> encoder stub and putting this in a RWX section that is added to the stock
>> template or custom template, leading to AVs detecting the modified section.
>> I may not be clear on how Metasm compiles complete PEs, but wouldn't
>> skipping the shellcode altogether and writing the payload wrapped in an
>> encoder written in assembly compiled through Metasm bypass the need for the
>> extra RWX section?
>>
>> _______________________________________________
>> https://mail.metasploit.com/mailman/listinfo/framework
>
> The problem with that approach is the encoder is what requires the RWX
> memory. We could skip encoding so as to avoid the RWX section but then
> we're back to the problem of the shellcode itself getting flagged.
>
> egypt
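The point HD Moore and egypt make above, that scanners key on the stub's read-write-execute segment rather than on the encoded shellcode, is easy to see from the defender's side in the PE section table. The following is an added example, not code from this thread or from the Metasploit project: a small Python parser that walks a PE's section headers and reports any section whose characteristics grant read, write and execute at once. The image it inspects is built in memory by `build_sample_pe` (headers only, no section bodies), and the `.stub` section name is a constructed stand-in for such a segment, not a name taken from any real tool.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics flag bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

COFF_HDR = struct.Struct("<HHIIIHH")        # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes):
    """Return a list of (name, characteristics) for every section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, _flags) = COFF_HDR.unpack_from(data, coff_off)
    # Section headers follow the optional header, whose size is in the COFF header
    sec_off = coff_off + COFF_HDR.size + opt_size
    sections = []
    for i in range(n_sections):
        fields = SECTION_HDR.unpack_from(data, sec_off + i * SECTION_HDR.size)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[9]))
    return sections


def perm_string(chars: int) -> str:
    """Render the memory permission bits as 'RWX' style, '-' for absent bits."""
    return "".join(
        ch if chars & bit else "-"
        for ch, bit in (("R", IMAGE_SCN_MEM_READ),
                        ("W", IMAGE_SCN_MEM_WRITE),
                        ("X", IMAGE_SCN_MEM_EXECUTE))
    )


def find_rwx_sections(data: bytes):
    """Names of sections whose header asks for read, write and execute together."""
    return [name for name, chars in parse_sections(data) if chars & RWX == RWX]


def build_sample_pe(section_specs):
    """Constructed minimal PE: DOS header, PE signature, COFF header, section table.
    There is no optional header and no section data; enough for header parsing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    coff = COFF_HDR.pack(0x14C, len(section_specs), 0, 0, 0, 0, 0x0102)
    table = b""
    for i, (name, chars) in enumerate(section_specs):
        table += SECTION_HDR.pack(
            name.ljust(8, "\0").encode("ascii"),
            0x1000, 0x1000 * (i + 1),     # VirtualSize, VirtualAddress
            0x200, 0x400 + 0x200 * i,     # SizeOfRawData, PointerToRawData
            0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + table


# Constructed sample: a normal code and data section plus an RWX ".stub" section
SAMPLE_PE = build_sample_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".stub", IMAGE_SCN_CNT_CODE | RWX),
])

if __name__ == "__main__":
    for name, chars in parse_sections(SAMPLE_PE):
        print(f"{name:<8} {perm_string(chars)}")
    print("RWX sections:", find_rwx_sections(SAMPLE_PE))
```

An RWX section flag is a cheap static indicator, but only that: some packers and runtimes ship such sections legitimately, and a stub that obtains RWX memory at run time through an allocation or protection-change call leaves nothing in the section table to find, so in practice this check belongs alongside behavioural monitoring rather than in place of it.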
Current thread:
- Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... HD Moore (Apr 18)
- Re: Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... egypt (Apr 18)
- Re: Payload AV evasion thoughts... John B (Apr 21)
- Re: Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... HD Moore (Apr 18)