Main source site: UPX Packer
Presentation of how to bypass win32/nix Antivirus
This article is an "how to" related to a situation that I have met during a technical audit by a third party company.
Let say that I am a nice Pentest consultant with plenty of experience, but maybe my soul is not the one of a hacker or I am not specialised in all the matters that I am auditing. Sure it's most of the time the case.
For the frequency, I should recognize that I am a bit late, that's why I'll pay my dues with several articles this month to fill the gap.
Let say that I am a nice Pentest consultant with plenty of experience, but maybe my soul is not the one of a hacker or I am not specialised in all the matters that I am auditing. Sure it's most of the time the case.
For the frequency, I should recognize that I am a bit late, that's why I'll pay my dues with several articles this month to fill the gap.
I- Tools or not tools
There are different possible approaches to that kind of problem. From time to time there won't be a best solution, it will mainly rely on your capabilities.
Should I use tools or not? If I don't use dedicated tools how can I surround that with my skills?
Let say that a good technical approach would be to analyze the target and thus to assess the technics used by the antivirus aimed to detect malware/hackware/viruses/trojans etc...
For that you can check the comparisons regularly published to precise whether an antivirus or another is able to detect such behaviour or such code. Comparison matrix sample.
Some tests will go deeper to help each other to understand where an antirus is efficient and where it's not.
As a conclusion, you can decide to use a trageted surrounding method (with scripts, shell to hide your tools, 0day exploits...), but in most cases especially for auditors, what will be relevant is that you are able to choose a method that will work in the wide.
Should I use tools or not? If I don't use dedicated tools how can I surround that with my skills?
Let say that a good technical approach would be to analyze the target and thus to assess the technics used by the antivirus aimed to detect malware/hackware/viruses/trojans etc...
For that you can check the comparisons regularly published to precise whether an antivirus or another is able to detect such behaviour or such code. Comparison matrix sample.
Some tests will go deeper to help each other to understand where an antirus is efficient and where it's not.
As a conclusion, you can decide to use a trageted surrounding method (with scripts, shell to hide your tools, 0day exploits...), but in most cases especially for auditors, what will be relevant is that you are able to choose a method that will work in the wide.
a- Compiler
Compiler, an easy simple word for those developers. But not all people dealing with IT are developers. Assuming that you are not afraid by such approach, if you can find the source code of the tools you want to render stealth, just try to compile them on your own with your own tools and compiler, maybe trying to add just some comments while respecting the author copyright.
For example I recently met a nasty antivirus who tried to prevent me from using the Pass-the-hash toolkit. Bad boy !
I just downloaded the source code, installed Microsoft Visual Studio 9.0 free edition for visual C++ 9.0 express and recompiled the tool on my own. Off course, to recompile the tool, I add to make some modifications such as replace deprecated functions, convert some variables for Unicode compatibility...etc.
After that, I was able to use the tools like a charm with my antivirux working at the same time.
Hey, guy, I am not a coder will you say ! Ok, I understand and in that case, there is a simple method which allows a clicker to achieve the same goal.
This approach is a packer one. What's a packer?
A packer will most of the time allow you to compress the size of your executable program while trying not to add time to execute it. One famous packer is UPX which will help you to compress and so modify an exe keeping it executable as is.
This way to surround antivirus works part of the time depending on how the exe is packed or compiled. For example, it doesn't work for PS tools with most antiviruses.
For example I recently met a nasty antivirus who tried to prevent me from using the Pass-the-hash toolkit. Bad boy !
I just downloaded the source code, installed Microsoft Visual Studio 9.0 free edition for visual C++ 9.0 express and recompiled the tool on my own. Off course, to recompile the tool, I add to make some modifications such as replace deprecated functions, convert some variables for Unicode compatibility...etc.
After that, I was able to use the tools like a charm with my antivirux working at the same time.
b- Packer
Hey, guy, I am not a coder will you say ! Ok, I understand and in that case, there is a simple method which allows a clicker to achieve the same goal.
This approach is a packer one. What's a packer?
A packer will most of the time allow you to compress the size of your executable program while trying not to add time to execute it. One famous packer is UPX which will help you to compress and so modify an exe keeping it executable as is.
This way to surround antivirus works part of the time depending on how the exe is packed or compiled. For example, it doesn't work for PS tools with most antiviruses.
II- Conclusion
Even if you try to create your own version of a program, for the VB trojan/viruses GUI creators it won't work as soon as they are known by antiviruses.
For other programs, you will have to try to personalize as much as possible your tools to make them stealth.
If you just use common tools for example, my nice auditor who had managed to launch an exploit against one of our servers and who had gained a command access was stuck with his tools since they were all detected by the server antivirus. Whereas a nice script with modified tools would have suffice.