Creating a (Almost) Fully Undetectable EXE Using Kali & GCC
First, I want to give credit to the author where I first found how to do this: Astr0baby's Blog. This article was dated, so I took the script on his page and reworked it to make it work today. (I also included the way to make it hide the cmd line popup.)
- Kali (or another Linux distro)
- Metasploit (Framework, Express, or Pro)
- GCC (I use the Windows version on MinGW on Wine)
- A basic understanding of how to set up Metasploit's multi/handler
Note: If you do not have the Windows version of MinGW installed, this Post can show you how I do it.
It's no secret that AV sandboxes our executables, verifies their signatures, and uses other methods to determine whether our "legit" file is malicious or not. (Norton goes a step further and makes sure it doesn't connect to an unknown source without permission.) So how do we get around this?
In this how-to, I'm going to show you my method for AV evasion that uses the msfpayload and msfencode commands to create an executable file. Then we will run the code through some custom commands and "filler" variables to make it less detectable to AV.
Be aware: Metasploit is doing away with msfpayload and msfencode in the coming months, so msfvenom is going to be used instead. If you can modify this process to incorporate msfvenom, please get with me about it. I would love to keep this updated.
There are three things you need to do before you run the commands following.
- Update Kali:
sudo apt-get update
- Create a "ShellCode" folder in the metasploit root folder:
- Create an "out" folder in the root folder:
I made the executable in the /root/out folder to keep things neat when creating multiple files. This is optional, but will require some editing of the commands if you choose not to place the finished .exe files there.
Below is the code for creating the executable. This was originally just something for me to play with, so it may look a bit messy. Change the IP, port, enumber (encoder iterations), and seed variables as much or as little as you need to fit your scenario.
Be sure that the ShellCode folder is empty prior to running this.
Just in case you're reading this and have never started a Metasploit multi/handler module, here's how you do it:
set LHOST xx.xxx.xxx.xx
set LPORT 4444
set ExitOnSession false
Be sure your LHOST is the local IP address, even if you are making the executable connect to an external IP.
As stated before, this is a rework of an external article. I have made it into something more usable to me and also added the hidden command window strings that Astr0baby left out on his blog.
I have found this to be effective on multiple Windows OS's using most antivirus softwares and it bypasses it 9/10 times. Be aware that Norton Antivirus will recognize the file ONLY after it's executed and block a "meterpreter/reverse_tcp" attack. One way I've (kind of) gotten around this is to use meterpreter/reverse_https in the executable and listener. It still asks the user if they want to allow the connection, but doesn't call it malicious.
So, give it a shot. If you like it, I'm glad I could help. If you have ways to improve it, PM me. I would love to improve on this!
Ok. so with some of you having problems getting this to work, I decided to make this a script rather Copy/Paste.
The new repo is here:
Download on GitHub
I hope this helps!