Author Topic: Bypassing AVs?? The ultimate challenge


Offline z3ro

Bypassing AVs?? The ultimate challenge
« on: July 29, 2012, 04:26:37 pm »
I'm actually posting this as a reply to this thread: http://evilzone.org/tutorials/bypassing-antivirus-scanner/

No Metasploit-generated payload can effectively bypass all AVs, most unfortunately...

Why?

It's all in the way Metasploit generates its EXEs.

A common misconception is that the antivirus engines are actually detecting the shellcode, and therefore, the best way to avoid antivirus detection is to pick an encoder that the antivirus engine cannot handle, or encode many times.

First, let's see how Metasploit generates EXEs. The relevant code is in lib/msf/util/exe.rb in the self.to_win32pe function. First the payload is placed within a "win32_rwx_exec" block:

# Copy the code to a new RWX segment to allow for self-modifying encoders
payload = win32_rwx_exec(code)

The function is defined later in the file:

# This wrapper is responsible for allocating RWX memory, copying the
# target code there, setting an exception handler that calls ExitProcess
# and finally executing the code.
def self.win32_rwx_exec(code)

This function writes a set of assembly instructions consisting mostly of the block_api code that forms the majority of the Metasploit win32 shellcode, while randomly inserting nop instructions and opcodes to jmp over randomly generated bytes. These assembly instructions will look up and call the VirtualAlloc function to allocate RWX memory, copy the target code there and execute the code.

Ignoring the inject block for now (the same principles apply; less random code, and the code is just placed in a new section rather than replacing old code), the function then finds the executable (.text) section. Then it lists the addresses that will be modified by the loader into an array called mines:

# We need to make sure our injected code doesn't conflict with the
# data directories stored in .text (import, export, etc)
mines = []
pe.hdr.opt['DataDirectory'].each do |dir|
  next if dir.v['Size'] == 0
  next if not text.contains_rva?( dir.v['VirtualAddress'] )
  mines << [ pe.rva_to_file_offset(dir.v['VirtualAddress']) - off_beg, dir.v['Size'] ]
end

It then finds, out of the remaining blocks, an executable block of sufficient size to store the payload with room to spare. Then it creates a sled of nops, and somewhat randomizes the entry point to land in them. At the end of the nops is a relative jump to the payload:

# Pad the entry point with random nops
entry = generate_nops(framework, [ARCH_X86], rand(200)+51)
...

# Relative jump from the end of the nops to the payload
entry += "\xe9" + [poff - (eidx + entry.length + 5)].pack('V')

Then it randomly changes 25% of the remaining executable bytes and the timestamp, and fixes the checksum.

Proof?  8)

Try this:

echo -n | msfencode -e generic/none -t exe > test.exe

Basically it generates an exe without any payload at all! Nonetheless, >:( it is still flagged as a threat by most AVs...

~ God is real. Unless declared as an integer.
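The post argues that scanners key on the template's entry-point layout (a 51 to 250 byte nop sled ending in an E9 rel32 jump) rather than on the shellcode. The following added example, which is not part of the post or of Metasploit, implements that layout check as a defender's heuristic over an already-extracted .text section image; the section bytes, the entry offset and the nop-equivalent byte set are assumptions, and the sample section is constructed inline.

```python
import struct

# Bytes treated as nop-equivalents by this heuristic. Assumption: 0x90 plus the
# single-byte x86 inc/dec reg opcodes (0x40-0x4f), which nop generators commonly use.
NOP_LIKE = {0x90} | set(range(0x40, 0x50))

def scan_entry(text, entry_off, min_sled=51, max_sled=250):
    """Walk the nop-like sled starting at `entry_off` inside the .text image
    `text`, expect an E9 rel32 jump at its end, and require the jump target to
    lie inside the section. Returns a dict describing the match, or None."""
    i = entry_off
    while i < len(text) and text[i] in NOP_LIKE:
        i += 1
    sled_len = i - entry_off
    if not min_sled <= sled_len <= max_sled:
        return None                       # no sled of the expected size
    if i + 5 > len(text) or text[i] != 0xE9:
        return None                       # sled not terminated by a rel32 jmp
    rel = struct.unpack_from('<i', text, i + 1)[0]
    target = i + 5 + rel                  # mirrors poff - (eidx + len + 5)
    if not 0 <= target < len(text):
        return None                       # jump leaves the section
    return {'sled_len': sled_len, 'jmp_off': i, 'target': target}

def build_sample(sled_len=120, payload_off=2000, size=4096, entry_off=300):
    """Constructed .text image for the demo (not a real Metasploit template):
    int3 filler, a mixed nop/inc sled at the entry, then E9 to payload_off."""
    buf = bytearray(b'\xcc' * size)
    jmp_off = entry_off + sled_len
    for k in range(sled_len):
        buf[entry_off + k] = 0x90 if k % 3 else 0x41
    buf[jmp_off] = 0xE9
    struct.pack_into('<i', buf, jmp_off + 1, payload_off - (jmp_off + 5))
    return bytes(buf)

if __name__ == '__main__':
    sample = build_sample()
    print(scan_entry(sample, 300))       # sled_len 120, jmp_off 420, target 2000
    print(scan_entry(sample, 0))         # None: entry point is not on a sled
```

A real scan would first locate the .text section and the entry point with a PE parser, then feed those two values to scan_entry.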

Offline Kulverstukas

Re: Bypassing AVs?? The ultimate challenge
« Reply #1 on: July 29, 2012, 06:39:01 pm »
This is nice, but it would be much nicer if you could use CODE tags for code :)