Thursday, July 31, 2014

Bypassing Antivirus Heuristic detection of Meterpreter



For every penetration testing task, meterpreter is an important and powerful tool, however one of the big issues that we need to deal with when using is Antivirus detection.
There are numerous posts on the Internet on how you can make it undetectable for static analysis and code emulation detection vectors, however, these methods won't impact heuristic/dynamic analysis.

In this post I'll explain a step by step way to:
  • Identify the trigger of a heuristic signature
  • Explain the basics of meterpreter
  • Suggest a simple correction to make it undetectable

The Heuristic Signature:

 The scenario is the following, we have a meterpreter shell over a Windows 7 64bit machine with AVG free Antivirus. The initial meterpreter executable has been modified to evade the initial detection (static and emulation), but when we try to migrate to explorer.exe, our process is killed and the Antivirus signals a suspicous activity.

Meterpreter Basics:

Saying meterpreter is an incredible tool is an understatement. There are some elements that we need to know before we dive into debugging the trigger of heuristic signature.
meterpreter uses a technique called Reflective DLL Injection, which allows in a nutshell to have the power of shellcode in a DLL format.
Shellcode have the particularity of being able to resolve its dependencies and of being Position Independent Code, you just put it in memory, point EIP to it, and it works.
Reflective DLL Injection works in the same fashion but with a lot more power, you put the DLL in memory, point EIP to its entry point and it works. It does so by self dependency resolution and by implementing the relocation table.
This technique is used by meterpreter to push modules with the advanced logic over the network to memory, which makes it possible to write it in C instead of assembly, reduces its fingerprint on disk, makes it more evasive and very extendible.
For more information on Reflective DLL Injection, please check these resource:

https://www.defcon.org/images/defcon-20/dc-20-presentations/King/DEFCON-20-King-Reflective-Injection-Detection.pdf
https://github.com/stephenfewer/ReflectiveDLLInjection

Compiling meterpreter and Debugging :

OJ has done great work explaining and enhancing the ease of compilation of meterpreter, I'll recommend checking out his post:

http://buffered.io/posts/building-meterpreter-is-easy/

This will allow us to retrieve the following files:

For this particular signature, we will only be interested in:
  • metsrv.{x86,x64}.dll
  • ext_server_stdapi.{x86,x64}.dll
  • ext_server_priv.{x86,x64}.dll

To debug our meterperter, make sure to use the Debug compilation mode which will allow us to access the output of dprintf using DbgView from Sysinternals.



Once the DLLs are compiled, you'll need to copy them to /data/meterpreter, we won't need to have a different executable every time you recompile the DLLs as they are pushed over the network and don't change the initial executable.

For our debugging needs, we'll only need dpritinf, MessageBox and DbgView.

Stepping through the code:

Now that we have some debug info, we can start pinpointing what is triggering the heuristic signature. Our initial run led us to the function inject_via_remotethread_wow64 function:


If we inspect the code of the function, it is allocating two memory regions, copying hard-coded shellcode.
We will add now more verbose messages and separate the different actions with Sleeps to better pinpoint the issue.


The second run indicates that the Antivirus is triggered by the execution of the shellcodes.

The first shellcode is in charge of switching to 64bit by modifying the code segment value and the second shellcode creates a remote thread.



Bypassing the Antivirus:

The use of hardcoded shellcode could potentially be used to trigger the signature, so let's try changing this code by simply adding some nops.


The assembly source code path is indicated in the meterpreter source code, we can now build the assembly and rebuild the meterpreter and test it again.



Well it works, just added a MessageBox at the end to illustrate that it works !






4 comments:

  1. Thanks for linking to my post. Meterpreter has quite a few internals that are recognisable based on signatures. I have a few more ideas around how to bypass this kind of stuff, including dynamically modifying things like the hard-coded shellcode (encoding, adding stuff to mix it up, etc. I also want to remove the string-based command identifiers, but that's a big and scary job.

    If you're interested in some other stuff that meterpreter now does check out http://buffered.io/posts/3-months-of-meterpreter/

    As far as RDI goes, it does way more than just handle relocations :) It moves the image into another area of memory, correctly lays out sections, manually wires up the IAT and adjusts for relocations. It's effectively a mini PE loader. Very cool stuff. Stephen Fewer is awesome.

    I spoke a bit about this at 44con this month, slides are here http://www.slideshare.net/44Con/44con-meterpreter-internalsv2 in case you're interested. Grab the pptx so you can see the animations :)

    Cheers!
    OJ

    ReplyDelete