mailing list archives
Re: Payload AV evasion thoughts...
From: HD Moore <hdm () metasploit com>
Date: Mon, 18 Apr 2011 10:16:30 -0500
On 4/18/2011 8:09 AM, John B wrote:
> Combine that with code to make it portable across all systems then add an encoding stub and we can create unique
> payloads every time without the need for templates (with the assumption that the templates are the main way of
> I will continue to work on some full examples but anyone with asm experience who could create some dynamic encoders
> with Metasm would really be helpful.
The current encoder actually does this today; it uses metasm to compile
a slightly randomized (via jumps and nops) stub. The main problem is we
use a stub to create an RWX segment that we copy the real shellcode to,
which is then executed. The AVs generally catch the stub to create the
RWX segment, NOT the actual shellcode. The reason for this is encoding:
you can't encode the stub, since the stub has to be RWX. A bit of a
chicken and egg, and making the segment itself RWX triggers even more