Hello readers!
I am Hadi, a 17-year-old security enthusiast.
While I was playing with the Kaspersky Lab 2017 free version, I tried various shellcodes from the Metasploit Framework. Unfortunately, Kaspersky Antivirus detected them all, but I discovered a way to evade Kaspersky's shellcode detection.
Basically, let's try with a shellcode wrapper that uses the 'Windows.h' header and the VirtualAlloc() function (which allocates new memory and stores our shellcode in it; this way we will not have issues with Data Execution Prevention). In this write-up I will use the 'windows/x64/exec' shellcode to spawn a calc.exe :-) . I'm using GCC for the Windows platform to compile our shellcode into an executable.
The source code of the C file is here: https://pastebin.com/PmbFhtN6
Let's compile our shellcode and check the results with Kaspersky AV.
Oh no! Kaspersky detected and deleted our wonderful shellcode (PS: sorry for the language).
Now, let's try without the shellcode, just with the VirtualAlloc() function, and recompile the code like here: https://pastebin.com/REzUqAjT
Sweet! Our executable, which contains just the shellcode wrapper without the shellcode, is not detected :-)
So, we can conclude that Kaspersky is only interested in Metasploit shellcodes, not in the shellcode wrapper. I think Kaspersky has a sort of database to recognize Metasploit shellcodes.
To evade this detection, I remembered msfvenom's no-operation option for shellcodes (with the -n option we can tell msfvenom how many junk bytes to add to our shellcode, like '\x90' and plenty of other instructions; the junk bytes are completely random). For example, if we want to add 2000 junk bytes we specify '-n 2000' like this:
msfvenom --payload=windows/x64/exec CMD=calc.exe -b '\x00' -f c -n 2000
Let's check the results:
Hooray! Our shellcode is not detected by Kaspersky AV.
Let's try the shellcode:
Game 0ver!