I’ve seen a lot of blogpostings lately which proclaim that Metasploit payloads encrypted with one of the available encryptors and written into an executable file are somewhat “magically” capable of bypassing AV software (these posts usually contain a couple of VirusTotal links to demonstrate the point). The main scenario considered (from what I gather) is the following: you prepare a connect-back shell and then you convince the target of your penttest to run it (you email it to them, you put it on an USB stick, etc) and you get access to their machine. The AV aspect comes into the picture when you consider that the target has such software running on their system.
So I said: detecting it can’t be that hard! And generated all the combination of payloads and encoders (plus some triple encoded ones – since this also seems to be considered “a better way” to hide the payloads) and written up the following python script using pefile and pydasm:
import pefile, pydasm import sys, glob, operator, re def countFInstr(buffer): offset = 0 fpoint = 0 rx = re.compile("0x[0-9a-f]+") while offset < len(buffer): i = pydasm.get_instruction(buffer[offset:], pydasm.MODE_32) instr = pydasm.get_instruction_string(i, pydasm.FORMAT_INTEL, 0) if (instr and rx.search(instr)): fpoint += 1 if not i: offset += 1 else: offset += i.length return fpoint def scan(filename): try: pe = pefile.PE(filename, fast_load=True) except pefile.PEFormatError: return False execSectionSize = 0 foundRWXSection = False rw = 0x40000000 | 0x80000000L for section in pe.sections: if (0 == section.Characteristics & 0x20000000): continue execSectionSize += section.SizeOfRawData if (rw == section.Characteristics & rw): # print section.Name buffer = section.get_data(section.VirtualAddress, 128) # for c in buffer: print "%#x" % ord(c), # print "" # print countFInstr(buffer) if (countFInstr(buffer) < 16): return False if (len(buffer) < 128): return False foundRWXSection = True if (not foundRWXSection): return False if (execSectionSize > 4096): return False return True sys.argv = reduce(operator.add, map(glob.glob, sys.argv)) for filename in sys.argv[1:]: print filename, " ", if scan(filename): print "Metasploit!" else: print "-"
It has a detection rate of 100% and a false positive rate of 0% (although I didn’t have access to executable files packed with more “exotic” packers which would have given me a more accurate FP rate – even so I consider that the detection method is not really prone to false positives).
So how does it work? What does it take for it to say “Metasploit”?
- The executable must have at least one section marked with Read/Write/Execute (typical for packers)
- The beginning of the given section (the first 128 bytes) must contain at least 16 instructions with hardcoded constants (immediate instructions)
- The total number of raw data loaded into executable sections must be less than 4k
But wait! – you might say – you are not detecting the actual payload! You are detecting some particular characteristics of the file which are relatively easy to change! And my reply is: correct. But discussion about the “correct” way of doing things is a philosophical one as long as the presented solution has a low FN/FP rate and is efficient. You might get into an argument about how “future proof” it is, but then again, most AV products are black-boxes and it wouldn’t be so straight forward to find the particular detection algorithm and then circumvent it.
An other thing I remarked is that the given code doesn’t try to defend against emulators (for example by doing multiple loops, calling different windows API’s, etc). While the code is sufficiently complicate to create a problem for IDS’s, AV software which has emulation capability (and almost all of the “big guys” and even many of the smaller guys do) will go trough the decryptor like a hot knife trough butter.
So why then doesn’t AV detect these executables? Because they occur in very low numbers, and unfortunately today AV is a numbers game.
Please, the next time you p0wn the client with a metasploit-payload-executable, don’t say “AV is worthless”. Rather say: “this demonstrates what an undetected malware can do, so you should use multiple layers of defense”.
Picture taken from fazen's photostream with permission.