
How to use C# to encrypt attack payloads to bypass anti-virus software

1. Preface
Someone once asked me: how do you bypass all anti-virus software?
My answer is: it is very simple. But this is a secret technique that most penetration testers or hackers will never share with others. They have their reasons, as I do, but the biggest one is that once a technique is made public, anti-virus companies will soon detect and block it. In this article, I want to share with you a C# programming and encryption method that can bypass all anti-virus software.
Before introducing the specific details, I would like to provide the C# source code used in this article.
http://github.com/DamonMohammadbagher/NativePayloadReversetcp
If you are familiar with penetration testing, Kali Linux and Metasploit backdoor payloads, and you also have some programming skills, then after reading this article you can find more source code on the Internet to accomplish this task.
First of all: you need to understand anti-virus software and signature-based detection applications (such as anti-virus software).
Secondly: you need to understand Linux-based systems and Kali Linux or other Linux operating systems used for penetration testing.
Finally: you need to understand Windows programming technology, in this article C#.Net.
In this article, I mainly introduce C# programming technology. Due to space limitations, I cannot cover everything in an article.
Remember: every penetration test team or red team that wants to bypass security defense tools (such as anti-virus software or firewalls) needs to understand how to bypass these applications at Layer 7 (i.e., the application layer). This is very important in white-hat work, penetration testing projects, and black-hat attacks. If your team or you personally master several anti-virus bypass techniques, you will clearly have enough opportunities. In addition, I want to emphasize that this is not difficult to achieve.
2. Technical details
In this part, I will show you step by step how to use a C# encrypted payload to bypass anti-virus software.
Step 1:
I created a backdoor payload in C format in Kali Linux; its hexadecimal form is shown in the figure below. The reason for using the "reverse_tcp" payload is that it is the easiest to get past a firewall that blocks inbound connections.

Step 2:
You should use the "exclusive OR (XOR)" algorithm or another encryption algorithm to encrypt the payload at least once.
For example, I wrote a simple C# application that uses an encryption algorithm to do this. There are many similar pieces of source code, so we do not have to worry about where the code comes from.

As shown in the figure above, I use VS.NET 2015 to develop the C# code, but all versions of VS.NET support this code.
In the picture above, you will find a text file named payload.txt. This file is the payload I generated with the msfvenom tool in step 1.
In step 2, you should replace the payload variable {0xfc, ….} in the code with the contents of the payload.txt file.
Step 3:
The output of the program is shown in the figure below; the encrypted payload is printed as part of it.

As shown in the figure above, our encrypted payload starts with "217,119,88....,82,12,210". Now that we have an encrypted payload on hand, you can safely use it in the backdoor.exe file, because anti-virus software cannot detect this payload; only you have the key to encrypt or decrypt it.
Step 4:
Now we need a piece of C# code to execute this encrypted payload on the target host.
As shown in the figure below, I use this piece of C# code to execute the encrypted payload. In the source code, we need to replace the Payload_Encrypted variable with the encrypted payload generated in step 3. In addition, we need to replace the KEY value with the key used in step 2.
Please note: the KEY value you use in step 2 and step 4 must be the same, because the encryption key and the decryption key are the same key.

In this source code, the encrypted payload is taken from the command-line parameters, so I can pass the encrypted payload as a string on the command line and run the exe program, as shown in the figure below.
The command to execute the program is as follows:

    C:\> backdoor.exe "217,119,88,…….,82,12,210"
At this point the encrypted payload is decrypted and run in the memory of the target host. If the above steps complete successfully, you will receive a meterpreter session on the attacker's Kali Linux system, as shown in the following figure:

As shown in the figure below, my anti-virus software did not detect this backdoor using encrypted payload:

In fact, no anti-virus software can detect this kind of backdoor. The detection result is shown in the figure below:

I have also developed a forensics tool that can detect a Meterpreter payload in memory in real time. With this real-time scanning tool, you can find this backdoor in memory. The tool download link is as follows:
http://github.com/DamonMohammadbagher/MeterpreterPayloadDetection
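The two halves of this article, steps 2 to 4 (XOR-encrypting the payload and passing it on the command line) and the closing note that the payload is recoverable in memory, come down to one property of XOR: it hides a byte signature from a static scanner, but the same operation undoes it. The following Python is an added example written from the defender's side; it is not code from the article or from the NativePayloadReversetcp or MeterpreterPayloadDetection projects. It assumes that a scanner keys on the widely published opening bytes of the Metasploit x86 stager stub (used here only as a stand-in signature; real engines use much richer rules), uses a constructed filler payload and a constructed 3-byte key, and shows three checks: the signature disappears after XOR, a known-plaintext search over short repeating keys recovers the key from the encoded blob anyway, and a process command line shaped like "217,119,88,...,82,12,210" is itself a detectable artifact whose decoded bytes contain the signature again, which is what the memory scanner relies on.

```python
import re
from typing import Optional

# Widely published opening bytes of the Metasploit x86 stager stub
# (cld; call ...; pushad; mov ebp, esp; xor eax, eax). Used here as the
# stand-in for "a byte signature a scanner matches on"; this is an assumption,
# real engines use far richer rules.
STAGER_PREFIX = bytes.fromhex("fce8820000006089e531c0")

# Constructed sample: the signature followed by filler bytes. Not a working payload.
SAMPLE_PAYLOAD = STAGER_PREFIX + bytes(range(0x10, 0x40))
SAMPLE_KEY = bytes([0x25, 0x8F, 0x10])  # constructed 3-byte repeating key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encodes and decodes, which is why the
    article insists the KEY in step 2 and step 4 must be identical."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, known_prefix: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext check for a static scanner: if `blob` is `known_prefix`
    XOR-ed with a repeating key shorter than the prefix, return that key.
    A candidate is derived from the first k bytes and must decode the whole
    prefix; a wrong key length fails on the bytes beyond k."""
    if len(blob) < len(known_prefix):
        return None
    for klen in range(1, min(max_key_len, len(known_prefix) - 1) + 1):
        candidate = bytes(blob[i] ^ known_prefix[i] for i in range(klen))
        if xor_bytes(blob[: len(known_prefix)], candidate) == known_prefix:
            return candidate
    return None


_BYTE_LIST = re.compile(r"^\s*\d{1,3}(\s*,\s*\d{1,3})+\s*$")


def parse_byte_list_argument(arg: str, min_bytes: int = 16) -> Optional[bytes]:
    """Process-creation telemetry check: an argument that is a long run of
    comma-separated decimals in 0..255 (the "217,119,88,...,82,12,210" shape
    from step 4) is unusual for legitimate software. Returns the bytes or None."""
    body = arg.strip().strip('"')
    if not _BYTE_LIST.match(body):
        return None
    values = [int(p) for p in body.split(",")]
    if len(values) < min_bytes or any(v > 255 for v in values):
        return None
    return bytes(values)


def scan_process_cmdline(cmdline: str, known_prefix: bytes = STAGER_PREFIX) -> dict:
    """Combine the checks the way a detection rule would: find a byte-list
    argument, try to recover an XOR key against the known prefix, and report
    whether the decoded bytes (what a memory scanner sees once step 4 has run)
    contain the signature."""
    result = {"byte_list_argument": False, "recovered_key": None, "decoded_contains_signature": False}
    # Naive tokenization: quoted arguments first, then whitespace-separated ones.
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline):
        blob = parse_byte_list_argument(quoted or bare)
        if blob is None:
            continue
        result["byte_list_argument"] = True
        key = recover_xor_key(blob, known_prefix)
        if key is not None:
            result["recovered_key"] = key
            result["decoded_contains_signature"] = known_prefix in xor_bytes(blob, key)
    return result


def sample_encoded() -> bytes:
    """The constructed payload after step 2's XOR."""
    return xor_bytes(SAMPLE_PAYLOAD, SAMPLE_KEY)


def sample_cmdline() -> str:
    """The step 4 invocation shape, built from the constructed encoded payload."""
    return 'backdoor.exe "' + ",".join(str(b) for b in sample_encoded()) + '"'


if __name__ == "__main__":
    print("signature visible in plain payload: ", STAGER_PREFIX in SAMPLE_PAYLOAD)
    print("signature visible in XOR-ed payload:", STAGER_PREFIX in sample_encoded())
    print(scan_process_cmdline(sample_cmdline()))
```

The point for a defender is that the "encryption" here is a fixed-key XOR, so the key is recoverable from the encoded blob plus a few bytes of known plaintext, and that the encoded payload must be decoded in memory before it can run; a static file signature misses it, a known-plaintext scan of the file or of the command-line argument does not, and a memory scan after decoding sees the original bytes.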
3. Reference materials
[1] Bypassing anti-virus software by transferring backdoor payloads over DNS. http://www.linkedin.com/pulse/bypassing-anti-viruses-transfer-backdoor-payloads-dns-mohammadbagher
[2] The weakness of anti-virus software and signature-based detection methods (bypassing anti-virus software again with NativePayloadReversetcp version 2.0). http://www.linkedin.com/pulse/antivirus-signature-based-detection-methods-doesnt-mohammadbagher?trk=pulse_spock-articles
[3] How to scan memory to discover undetectable Meterpreter payloads. http://www.linkedin.com/pulse/detecting-meterpreter-undetectable-payloads-scanning-mohammadbagher?published=t

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com. Source: http://www.internetweblist.com/Virus prevention/20470.html
