Have you ever wanted to put meterpreter in an exe file but were annoyed by antivirus detecting it? Here is a way to bypass AV detection by applying the method described in "Code segment encryption" article.
by Emeric Nasi
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
As a security professional, I often have to audit the security of a system and demonstrate what malwares could do. A very simple way to do that is to use Metasploit Meterpreter. For those who doesn’t know Meterpreter (the Meta_Interpreter), it is a very advanced payload provided by the Metasploit framework. It provides all features one needs to own a system (privilege elevation, system shell, keylogger, dump password, network routing, disable AV, control webcam, etc).
I often need to generate an autonomous executable which includes this payload. The problem is that the classical way to generate Meterpreter executable is detected by AntiVirus and it is a pain (and not really realistic) to have to disable them. This article describes a way to bypass AV detection of Meterpreter by applying the "Code segment encryption" article.
II. Classic way to generate Meterpreter executable
Normally the classic way to generate a Meterpreter executable is to use tools provided by Metasploit. The Msfpayload tool can be used for that. For example:
msfpayload windows/meterpreter/bind_tcp LPORT=80 X > met.exe
Here the X option is used to generate executable file.
The MsfPayload tool can also be combined with MsfEncode to generate encoded shellcodes. For example:
msfpayload windows/meterpreter/bind_tcp LPORT=80 R | ./msfencode -c 21 -t exe > met.exe
This MsfEncode technique is often presented as a way to bypass AntiVirus analysis, this is however not true anymore. A good number of AntiVirus are able to recognized encoded shellcodes from Metasploit. Also some AntiVirus may have generated signature for executable generated with the X option of msfPayload (this is just a supposition tough).
Another reason why I do not like this method : I prefer to have non-encoded stagers. When I use reverse connection payloads, I want to be able to dynamically patch the shellcode distant IP address and port in the running executable. This isn’t easy if the shellcode is encoded.
For these reasons I prefer to build my own executable file which embeds the shellcode.
III. Put Meterpreter shellcode in C source
III.1 Generate shellcode
In a first step we are going to generate the Meterpreter shellcode. We are going to use the C option of MsfPayload which generates C source code.
msfpayload windows/meterpreter/bind_tcp LPORT=80 C > met.c
If you look inside the met.c file you will see shellcode buffers in C language. The stager is the first shellcode (the small one), it is the one we need to create the network connection. The full Meterpreter shellcode will be downloaded after connection is established. We will copy the stager in our source.
III.2 Source code
In this very basic example, we tell the application that our shellcode is a function and we call that function.
We now have our own executable running Meterpreter, however this is not enough to bypass AV (the shellcode will be easily recognized in the generated binary file). This is why we are going to use section encryption technique explained in code segment encyption article
IV. Bypass AV
We are going to encrypt both the executable code (what is in main function) and the data (the shellcode).
IV.1 Encrypt source code
The source code is normally in the .text section. Since encrypting the whole .text section can be considered to be a malware for some AV, I will just encrypt the code needed to launch the shell code using a new code section, .code.
Note that the old main function is now called shellLaunch. Since we encrypt only part of the .text section we can just define a new main function that will contain the decryptor part.
IV.2 Encrypt shellcode
The shellcode is an array, it will be located in the .data section. Since we only want to encrypt a portion of .data section we will need to create a new data segment for that (.codedata). We will then merge the .codedata in to the .code section. The .code section being the section encrypted by cryptor in the Encrypt code segment article.
I also use .codedata as a constant section, this will allow to encrypt strings you could want to print.
IV.3 Complete source code including decryptor
Here is the complete C source code including the .Stub segment and the decryptor routine.
IV.4 Other considerations
The result of the encryption is enough to bypass the AV such as Avira, McAffee, Norton or Avast.
This is however not enough to bypass AntiVirus which loads the software in memory such as Microsoft Defender. This kind or AV will run their target in a virtual environment , that means the code will be self decrypted, and after that the AV will recognize the shellcode signature. This was actually something quite surprising for me to see, for this case at least: Microsoft had a "better" security product.
There are some ways to bypass this category of AV, for example by using a decryptor that takes some time to decrypt. If the decryptor method is coded in a way that you need to wait a few seconds before shellcode is decrypted, the AV will abandon the scan after a while.There are several ways to do it, for example using special time challenge decryption algorithm. A simple Sleep will not do the trick and be ignored by the AV.
Another way to bypass this AV technique is to detect the software is running in a sandbox environment and to trick the AV if it is the case.
I wrote a paper on this subject with description of fully undetectable methods. You can find it here