avet v2.1 releases: AntiVirus Evasion Tool
AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques.
What & Why:
- when running an exe file made with msfpayload & co, the exe file will often be recognized by the antivirus software
- avet is an antivirus evasion tool targeting windows machines with executable files
- assembly shellcodes can be used
- make_avet can be used for configuring the source code
- with make_avet you can load ASCII-encoded shellcode from a text file or from a web server; it also uses an AV evasion technique to avoid sandboxing and emulation
- for ASCII-encoding the shellcode, the tools format.sh and sh_format are included
- this readme applies to Kali 2 (64bit) and tdm-gcc
+++ KNOWN ISSUES +++
– DKMC integration still not working properly, probably due to corrupt shellcode.
– when built as a service, debug logging to a file does not work. This is probably a permission problem.
+++ CHANGES +++
– enacted build script naming reform, so that the most prominent feature is mentioned first in the script name
– added RC4 encoder/decoder
– pe_to_shellcode integration, which enables using .exe files as input by converting them into callable shellcode
– added ability to execute cmd/powershell command payloads at sample startup. These payloads are compatible with the built-in data retrieval methods.
– added static_from_here retrieval method to specify static inputs directly in the build script
– added ability to supply arguments for evasion techniques directly in the build script, e.g. specifying fopen file target
– added bitsadmin data retrieval method
– added environmental checks for sandbox evasion: checking VM MAC, number of CPU cores, checking VM registry keys
– example build scripts for new features
– general bugfixes and improvements
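Seen from the other side of the fence, the three environmental checks listed above are exactly what a detonation sandbox has to survive. As an added example (not AVET's own code), here is a small Python audit that scores an analysis VM against those tells: the MAC OUI prefixes and guest-tools registry paths are assumed, widely published values, not taken from AVET.

```python
"""Sandbox-tell audit for a detonation environment.

Added example, not AVET code: the three environmental checks named in the
release notes (VM MAC address, CPU core count, VM registry keys) are rebuilt
as pure functions over collected facts, so an analysis VM can be scored
before a sample that bails out on such tells is detonated.
"""
from dataclasses import dataclass, field

# Assumed, widely published OUI prefixes of virtual NICs (VMware, VirtualBox,
# Hyper-V, Xen). Extend for your own hypervisor.
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",
                   "08:00:27", "00:15:5d", "00:16:3e")

# Guest-tools registry paths; an assumed list, the release notes name none.
VM_REGISTRY_KEYS = (
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
)

@dataclass
class HostFacts:
    mac_addresses: list
    cpu_cores: int
    present_registry_keys: list = field(default_factory=list)

def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")

def audit_sandbox(facts: HostFacts, min_cores: int = 2) -> list:
    """Return every tell a sample could use to conclude it is being analysed."""
    findings = []
    for mac in facts.mac_addresses:
        if normalize_mac(mac).startswith(VM_MAC_PREFIXES):
            findings.append("vm-mac:" + normalize_mac(mac))
    if facts.cpu_cores < min_cores:
        findings.append(f"low-cores:{facts.cpu_cores}")
    for key in facts.present_registry_keys:
        if key in VM_REGISTRY_KEYS:
            findings.append("vm-registry:" + key)
    return findings

if __name__ == "__main__":
    # Constructed facts for an untouched VirtualBox guest (MACs and registry
    # keys would be gathered with getmac / winreg on a real Windows guest).
    sample = HostFacts(["08-00-27-3A-1B-2C"], 1,
                       [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"])
    for tell in audit_sandbox(sample):
        print("tell:", tell)
```

An empty result means the VM shows none of the three tells; each reported finding is one thing to change (NIC MAC, vCPU count, guest-tools artefacts) before detonating.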
Compile shellcode into the .exe file and use -F as an evasion technique. Note that this example will work for most antivirus engines. Here -E is used for encoding the shellcode as ASCII.
Usage without -E: the ASCII encoder does not have to be used; here is how to compile without -E. In this example the evasion technique is quite simple: the shellcode is encoded with 20 rounds of shikata_ga_nai, which is often enough to do the trick. This technique is pretty similar to a junk loop: execute so much code that the AV engine gives up emulation and lets the file pass.
Note that for a 64-bit payload still no further evasion technique is needed, but -F should work here too.
Load from a file: here the ASCII encoder is needed. The executable will load the payload from a text file, which is enough for most AV engines to let the payload execute.
Load with Internet Explorer: this is a bit tricky and might not work on the first shot. The executable will start Internet Explorer and download the ASCII-encoded shellcode. Then the shellcode will be read from the cache directory and, if found, executed. This was tested with Windows 7 only.
Copyright (C) govolution