For example, if you play with Kali Linux, in this distribution you can find a tool called msfvenom, Basically it generaters payloads for metasploit framework and usually these payloads are backdoors.
A great payload is meterpreter, a backdoor that gives you total control of a remote host, you can also take pics from the webcam.
Msfvenom has several encoders and you can use these encoders to crypt the payload. Now you are happy, you encrypt you payload, you create it for windows and when you put your windows executable in your windows machine, instantly your antivirus remove the file.
What's happening? You put you file on the disk, and zap! the antivirus removes it.
Nowaday antivirus recognize msfvenom even if you encrypt the payload, they recognize any msfvenom signature. What you can do is put your encrypted payload in a data file, Antiviruses usually don't scan data files, they scan only executables.
Once you have your meterpreter on a data file, you need to load it from file and execute it.
On Windows you cannot execute directly from stack or from heap memory.
You can't do something that looks like:
unsigned char *code=malloc(...);
((void(*)())code)();
You have to use VirtualAlloc to be able to execute the code. VirtualAlloc is a low level API that permits to allocate memory for execution.
char *code;
code = (char *)VirtualAlloc(
NULL, l, MEM_COMMIT,
PAGE_EXECUTE_READWRITE //Set the memory to be writable and executable
);
memcpy(code, payload, l); //Copy our payload into the executable section of memory
((void(*)())code)(); //execute the payload
That works, use gcc to compile.
Nessun commento:
Posta un commento