AV bypass

Ignatius

Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Sun Oct 02, 2011 12:25 pm

AV bypass

We had quite a lively discussion a while ago about methods of making meterpreter payloads capable of bypassing AV.  I've been researching further and saw a nice write up of a technique that uses a DLL to write shellcode directly into an executable in memory.  When the executable's shellcode has been updated, it runs the shellcode.  This is the link to the article and accompanying code.  Has anyone else seen this?

I've managed to compile the dummyApp.exe file and its payloadLib.dll, but the DLL fails miserably when trying to execute VirtualProtectEx.  The line of code that throws up an error is:

  Code:
VirtualProtectEx(GetCurrentProcess(),   /* hProcess: the calling process itself */
                 (LPVOID)offset,        /* lpAddress: start of the region to change */
                 SIZE_PAYLOAD,          /* dwSize: number of bytes covered */
                 PTR_PROTECT_NEW,       /* flNewProtect: requested page protection */
                 &PTR_PROTECT_OLD);     /* lpflOldProtect: receives the previous protection */


The error code is 487 - "ERROR_INVALID_ADDRESS"

I've seen that some of the code in the package needs some slight tweaks.  My system is Windows XP SP3 and DEP is enabled only for essential Windows programs and services.

Thank you in anticipation for any insight into how to get this fascinating technique to work.

EDIT: after a bit more research
Last edited by Ignatius on Sun Oct 02, 2011 1:46 pm, edited 1 time in total.
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun Oct 02, 2011 1:44 pm

Re: AV bypass

I'm an InterN0T'er
Ignatius

Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Mon Oct 03, 2011 1:19 pm

Re: AV bypass

Thank you MaXe.

I see that they provide the software but I would like to know how things work and be able to compile then run the software myself!
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Oct 04, 2011 4:58 pm

Re: AV bypass

They described their bypass pretty well, except for their "custom subroutine" or whatever they called it. I understand that you want a more technical explanation, but I don't have that on this blog.

What I'd do if I were you, would be to research how their tool works and build your own copy of it, or for that sake your own version.

If you do a bit of research, you'll see that there are numerous ways to trick Anti-Virus scanners, and blackhats, for example, discover new techniques all the time.

That's pretty much all I can help with in this case, and I would spoil all the fun if I researched it for you too  :)
I'm an InterN0T'er
Ignatius

Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Wed Oct 05, 2011 9:56 am

Re: AV bypass

Sure thing MaXe.  I think that everyone here likes the challenge of finding a problem and solving it ... or at least giving it a good thrashing before realising that it can't be solved!

I have made some progress with the code that I uncovered on packetstorm.
