Home page logo
/

metasploit logo Metasploit mailing list archives

Re: Payload AV evasion thoughts...
From: HD Moore <hdm () metasploit com>
Date: Mon, 18 Apr 2011 10:16:30 -0500

On 4/18/2011 8:09 AM, John B wrote:
Combine that with code to make it portable across all systems then add a encoding stub and we can create unique 
payloads every time with out the need for templates (with the assumption that the templates are the main way of 
detecting payloads).

I will continue to work on some full examples but anyone with asm experience who could create some dynamic encoders 
with Metasm would really be helpful.

The current encoder actually does this today; it uses metasm to compile
a slightly randomized (via jumps and nops) stub. The main problem is we
use a stub to create a RWX segment, that we copy the real shellcode to,
which is then executed. The AVs generally catch the stub to create the
RWX segment, NOT the actual shellcode. The reason for this is encoding,
you can't encode the stub, since the stub has to be RWX. A bit of a
chicken and egg and making the segment itself RWX triggers even more
signatures.


-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]