ANTIVIRUS EVASION /Metasploit Loader (III): loader64.exe (x64_64 bits)
- Layout for this exercise:
- This exercise is based on the previous one:
http://www.whitelist1.com/2018/02/metasploit-loader-i-loaderexe-x8632-bits_27.html
1 - Adapting the source code to the x64_64 bits architecture
- The goal of this exercise is to adapt the previous example (Windows 10 x86_32 bits) to the x64_64 bits architecture.
- The technical explanation of why and how to modify the source code for the new architecture is here:
https://github.com/rsmudge/metasploit-loader
https://dev.metasploit.com/pipermail/framework/2012-September/008664.html
- For the x86_32 bits architecture:
- For the x64_64 bits architecture:
- To sum it up, on the x64_64 bits architecture the instruction that loads the RDI register is 10 bytes long: a \x48 byte must be prepended, the bytes of the x86_32 bits case (BF 78 56 34 12) are kept, and the remaining bytes are padded with \x00s.
- Editing main64.c to reflect these changes:
- The first change is to enlarge the buffer to 10 bytes. The old code:
- The new code:
- The second change is to prepend with 0x48. The old code:
- The new code:
- Also, updating the buffer expansion from 5 to 10, as before. Old code:
- New code:
- Finally, the whole altered section looks like this:
- Cross-compiling with mingw32 (version for x64_64 bits):
- A new executable loader64.exe is created:
2 - Running the payload at the victim side
- Setting up a simple web server on Kali:
- Downloading the executable loader64.exe to Windows 10:
- Setting up a Metasploit handler session on the Kali machine:
- However, when running loader64.exe at Windows 10 the file stops working:
- Also, a Meterpreter session is created, but it dies after a few moments:
- Why does this handler session fail?
- The reason is that the handler's payload was set for the x86_32 bits architecture, which is wrong because in this exercise we are dealing with x64_64 bits:
- So, the payload must be replaced with the x64_64 bits version (note the /x64 in the payload name):
- Repeating the whole process, the attack now succeeds. Establishing a Metasploit handler session on Kali:
- Running loader64.exe from the victim Windows 10 x64_64 bits:
- Finally, the Meterpreter session is successfully generated:
4 - Checking the Anti Virus evasion rate
- Checking loader64.exe against VirusTotal, an evasion success rate of 95.5% is achieved:
- Checking loader64.exe against NoDistribute, an evasion success rate of 100% is achieved: