🪄Understand AVs' static detection (and basic obfuscation)

Now we have a stub designed to run, in memory, raw shellcode extracted from an MSFVenom executable. As previously explained, even if (thanks to the custom stub) the file signature is unknown to antiviruses, it will obviously be flagged by Windows Defender; let's understand why. Because I didn't want to download the file 378478274728828828472983839829 times on my virtual machine, and for demonstration purposes, I disabled Windows Defender real-time monitoring and used GoCheck. GoCheck is a tool that takes a file, cuts it into multiple small pieces and submits them to Windows Defender; this lets us easily identify what is flagged in a file. Let's launch it on our executable.

GoCheck shows us a flagged sequence in our executable, and after a quick comparison we quickly identify that the hardcoded shellcode is problematic.

This happens because AVs don't only do file signature checks but also pattern comparison: they search for patterns in files and compare them with patterns from known threats. As the MSFVenom shellcode is hardcoded in the code, and therefore readable, Windows Defender can easily identify it. Fuck, that would have been too easy, right? But we can easily change this pattern with the magic of encoding and character substitution.

Let's create a ROT1 function. ROT1 is a very basic algorithm that shifts every character by 1 (a becomes b, c becomes d, 1 becomes 2, etc.). Let's implement this in Golang:

Yeah, one line.

The code is a little bit longer than that (the full code is available here), but as you can see, the logic is quite simple:

  • Apply the ROT1 algorithm to the previously generated shellcode

  • Replace the hardcoded shellcode in the stub with the ROT1 version

  • Create a function to decrypt it at runtime before the in-memory execution

Let's replace our shellcode with the ROT1 version in our stub and add a decryption function to the code (full code available here):

Then build it and deliver it to our target:

As you can see, since each hardcoded byte has been incremented by one and is decremented only in memory, it no longer matches the MSFVenom pattern, so no pattern is recognizable by Windows Defender, and the executable still works as expected.
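The flip side for the detection engineer, as an added example that is not part of the original post: a byte shift only hides a pattern from a scanner that compares raw bytes. A scanner that tries the known pattern under all 256 single-byte rotations recovers the shift trivially. The pattern and the file buffer below are constructed filler, not real shellcode.

```go
package main

import (
	"bytes"
	"fmt"
)

// rotScan returns every rotation k (0..255) under which pattern appears in
// data, mapped to the offset of the first match. A hit with k != 0 means the
// pattern was stored shifted (the post's ROT1 is k = 1).
func rotScan(data, pattern []byte) map[int]int {
	hits := map[int]int{}
	if len(pattern) == 0 {
		return hits
	}
	shifted := make([]byte, len(pattern))
	for k := 0; k < 256; k++ {
		for i, b := range pattern {
			shifted[i] = b + byte(k) // byte arithmetic wraps mod 256
		}
		if off := bytes.Index(data, shifted); off >= 0 {
			hits[k] = off
		}
	}
	return hits
}

// rot1 is the one-byte increment the post describes (decoding subtracts 1).
func rot1(in []byte) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = b + 1
	}
	return out
}

func main() {
	// Constructed sample: a made-up "known" pattern embedded in filler after
	// a ROT1 transform, the way the post's stub stores its payload.
	pattern := []byte{0xde, 0xad, 0xbe, 0xef, 0x42, 0x00}
	file := append([]byte("header...."), rot1(pattern)...)
	file = append(file, []byte("....trailer")...)
	for k, off := range rotScan(file, pattern) {
		fmt.Printf("pattern found under ROT%d at offset %d\n", k, off)
	}
}
```

The same idea generalizes to any fixed byte transform (XOR with a single key byte, for instance): as long as the transform is cheap to invert, the scanner can normalize before matching.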

Conclusion:

The technique described above obviously won't work on more sophisticated security solutions like EDRs and will be harder to implement with more advanced payloads (like staged ones), but I think it is important to understand the signature-based and pattern-matching mechanisms of basic antivirus solutions, and how outdated AVs are nowadays. Just a little example of the power of obfuscation against shitty minimalist security solutions. One byte to rule them all....
