Metasploit mailing list archives

Re: Payload AV evasion thoughts...
From: John B <johnb.electric () gmail com>
Date: Mon, 18 Apr 2011 20:12:42 -0400

On Mon, Apr 18, 2011 at 11:16 AM, HD Moore <hdm () metasploit com> wrote:

On 4/18/2011 8:09 AM, John B wrote:
Combine that with code to make it portable across all systems then add an
encoding stub and we can create unique payloads every time without the need
for templates (with the assumption that the templates are the main way of
detecting payloads).

I will continue to work on some full examples but anyone with asm
experience who could create some dynamic encoders with Metasm would really
be helpful.

The current encoder actually does this today; it uses metasm to compile
a slightly randomized (via jumps and nops) stub. The main problem is we
use a stub to create a RWX segment, that we copy the real shellcode to,
which is then executed. The AVs generally catch the stub to create the
RWX segment, NOT the actual shellcode. The reason for this is encoding,
you can't encode the stub, since the stub has to be RWX. A bit of a
chicken and egg and making the segment itself RWX triggers even more


That's why I was toying with the idea of completely dynamic payloads, not
just the stub added to the template. If they detect the template, or they
detect the extra RWX section added to a custom template, by bypassing the
template or dynamically creating the template with random sections, imports,
size, strings. I'm not 100% on the current process but from examining the
win32pe functions it seems as though you're adding the shellcode to the
encoder stub and putting this in a RWX section that is added to the stock
template or custom template, leading to AVs detecting the modified section.

I may not be clear on how Metasm compiles complete PEs but wouldn't
skipping the shellcode altogether and writing the payload wrapped in an
encoder written in assembly compiled through Metasm bypass the need for the
extra RWX section?
