avet v2.3 releases: AntiVirus Evasion Tool
AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques.
What & Why:
- when running an exe file made with msfpayload & co, the exe file will often be recognized by the antivirus software
- avet is an antivirus evasion tool targeting windows machines with executable files
- assembly shellcodes can be used
- make_avet can be used for configuring the source code
- with make_avet you can load ASCII encoded shellcodes from a text file or from a web server, further it is using an av evasion technique to avoid sandboxing and emulation
- for ASCII encoding the shellcode the tool format.sh and sh_format are included
- this readme applies to Kali 2 (64bit) and tdm-gcc
– switch to Mingw-Crosscompiler
– add Dockerfile which encapsulates Metasploit and Avet
– 23 new Sandbox Evasions
– setup script can download dependencies
Compile shellcode into the .exe file and use -F as an evasion technique. Note that this example will work for most antivirus engines. Here -E is used for encoding the shellcode as ASCII.
Usage without -E. The ASCII encoder does not have to be used, here is how to compile without -E. In this example, the evasion technique is quite simple! The shellcode is encoded with 20 rounds of shikata-ga-nai, often enough that does the trick. This technique is pretty similar to a junk loop. Execute so much code that the AV engine breaks up execution and let the file pass.
Great to notice that still for 64bit payload no further evasion techniques have to be used. But -F should work here too.
load from a file: Here the ASCII encoder is needed. The executable will load the payload from a text file, which is enough for most AV engines to let the payload execute.
Load with Internet Explorer: This is a bit tricky and might not work on the first shot. The executable will start Internet Explorer and download the ASCII encoded shellcode. Then the shellcode will be read from the cache directory and if found executed. This was tested with Windows 7 only.
Copyright (C) govolution