SideStep: AV evasion tool

SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included) and uses several other techniques to evade AV.

Additional information can be found here.

Feature

1. Encrypts the msfvenom generated Meterpreter shellcode using AES 128bit encryption (using the CryptoPP C++ library) with a randomly generated key. The payload is decrypted just prior to execution.
2. Randomizes all variable names and functions. The size of the names and functions is configurable.
3. Creates a function that checks the local time on the host, then loops for a configurable amount of seconds at the beginning of the program, to evade AV sandboxes. There is also the addition of a DH parameter generator which adds extra time to the startup.
4. Stuffs the executable with a configurable number of random variables that have random values of a configurable size. These variables are prior to the call to main(). This is a technique that is occasionally effective and that I picked up from the NCC Group Metasploit Evasion link above.
5. If Cygwin is present, it uses strip to remove debugging symbols and other useful reversing information.
6. If you want to use peCloak, it will then encode the assembly instructions in the executable as the last step.

Install

Requirements

Software:
Recent release of Metasploit Framework
Ruby 2.x
Windows (tested on 7, 8, and 10)
Python 2.7.x
Visual Studio (free editions should be fine – tested on 2012, 2015, and 2017)
Windows SDK
Cygwin with strip utility (if you want to strip debug symbols)
peCloak (f you want to use it – http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/)
Ditto (if you want to use it – https://github.com/mubix/ditto)
Mono (if you want to sign the executable – http://www.mono-project.com/download/)
SigThief (if you want to add a signature from another file – https://github.com/secretsquirrel/SigThief)

For code signing, a good example can be found here.

Download

git clone https://github.com/codewatchorg/SideStep.git

Usage

You must configure settings in conf\settings.py, and then you must at a minimum provide the Metasploit listening handler IP and port:

python sidestep.py –ip 192.168.1.1 –port 443

If using the defaults, then a source file will be generated in the .\source directory and the executable will be dropped in the .\exe directory.

peCloak Modifications

If you want to use peCloak in the last step of the executable creation, then you will need to install the pydasm and pefile Python modules. You will also need to download the SectionDoubleP Python module (found here: http://git.n0p.cc/?p=SectionDoubleP.git;a=blob_plain;f=SectionDoubleP.py;h=93717cdd0ac293548fb995a1c54094dbea6005d9;hb=8846697ecda15bc814f99d24f7f5cbf0e06466d0) and save it to the peCloak directory.

Next, you need to make the modifications to pefile that the author of peCloak references on this page. If pefile was installed as an egg file:

1. Find the egg file, typically in PythonRootDir\Lib\site-packages
2. Make a copy of the egg file and rename the extension to .zip
3. Unzip somewhere and rename the folder to the original name, but add .egg. So if the egg file was named pefile-1.2.10_139-py2.7.egg, then make that the directory name.
4. Make the necessary changes to pefile.py and remove pefile.pyc
5. Copy the unzipped folder containing the modified pefile.py back to the PythonRootDir\Lib\site-packages directory and remove the .egg file.

If it is installed as an editable Python package, then just find and edit the pefile.py as shown in the peCloak demonstration.

Notes

SideStep generates Meterpreter shellcode, randomly generates an encryption key, and then encrypts the shellcode using AES-128bit with the random key. All variables and function names are also randomly generated.

In addition, to encrypting the shellcode and assigning random names, it also generates a configurable number of random variables with configurable value lengths. Surprisingly, this can also help evade AV (read this: https://github.com/nccgroup/metasploitavevasion).

To evade AV sandboxes, I implemented a function that checks the current time and then loops until a configurable number of seconds have passed since the current time. As an added small time function, I have added support for generating 1024 or 2048bit DH parameters. I chose these methods as I’ve read that some AV hook sleep function calls.

SideStep can also be configured to strip debugging and other symbol information from the final executable and then randomly encode the assembly instructions using peCloak.

Source: https://github.com/codewatchorg/