
Bypassing Antivirus with crypter and CFF Explorer


Bypassing antivirus is always a cat and mouse game, and we’re always trying to stay ahead. I recently had a conversation with Justin Elze (@justinelze) on Twitter about his version of WCE getting flagged by McAfee Antivirus.

When I was working on smbexec I knew the wce executable would touch disk, so I did some research to find out how I might get a step ahead of the antivirus vendors. What I found was that the wce universal binary is a wrapper: the base EXE carries resources inside it, checks the architecture of the target system (32/64-bit), and then launches the matching embedded resource. This means that even though the base EXE is obfuscated and can bypass antivirus, you may not have the same luck with the actual resources when they are dropped and executed. Enter CFF Explorer and crypter for bypassing antivirus.

CFF Explorer

The Explorer Suite was created by Daniel Pistelli, and “…is a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures.”

Essentially what we are able to do is view the PE, extract the resource files, encrypt those, and place them back in the PE. The great thing is that CFF Explorer does all the heavy lifting; all we have to do is extract and save. Below are the steps of the process.

Extracting the Resource Files

First step is to download the wce universal binary zip file from Amplia Security and extract the files. Additionally, please note the initial size of the wce.exe file.

[Screenshot 2014-07-15 12:42:08]

Start CFF explorer and click the Open button to browse to the wce file we will be working on.

[Screenshot 2014-07-15 12:42:31]

Once the file loads, select “Resource Editor” in the left explorer pane and you will notice the middle pane shows resources in the “BINARY” folder. These are the items we are going to encrypt in hopes of bypassing antivirus.

[Screenshot 2014-07-15 12:42:46]

Next you simply right-click each item listed and save it to your local system by selecting the menu item Save Resource (RAW). NOTE: There are two files listed because one is 32-bit and the other 64-bit.

[Screenshot 2014-07-15 12:42:59]

Encrypting the Resource Files

Once you’ve saved off the resources, it’s now time to encrypt them for bypassing antivirus. There are several tools you can use; in this tutorial I want to highlight a really great (and free) tool called crypter, created by Christian Ammann of Null Security. It’s important to note that you may need an additional tool to obfuscate the 64-bit file.

[Screenshots 2014-07-15 12:44:51 and 12:47:47]

Now that we have the file encrypted, it’s time to put it back into the original wce file. We can do this in CFF Explorer with the following steps.

Updating the Executable

Go back to your CFF Explorer and right-click the file you are looking to replace. Select Replace Resource (RAW) from the menu and select your encrypted resource file.

[Screenshots 2014-07-15 12:48:42, 12:49:08 and 12:49:31]

Once the replacement has been completed, you need to save the file. You will now see that the file size has changed, confirming your new wce file is good to go for testing.

[Screenshots 2014-07-15 12:49:49 and 12:50:09]

Now that the resource files inside the wce executable are obfuscated, you can obfuscate the wce.exe file itself if you’d like.
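The flip side of this procedure is what it looks like to whoever has to triage the resulting file. As an added, defender-side example (not code from this post, and nothing to do with CFF Explorer or crypter), the Python script below walks a PE's resource tree using only the standard library and reports, for each resource, whether it is still a recognisable embedded PE or has become an opaque high-entropy blob, which is exactly the artefact that encrypting the BINARY resources of a wrapper like the wce universal binary leaves behind. The 7.2 bits/byte cut-off, the assumption of the usual three-level type/id/language tree, and the synthetic PE produced by build_sample_pe (two constructed BINARY resources, one plain and one pseudo-random) are my own choices for the example.

```python
import hashlib
import math
import struct
from collections import Counter

SUBDIR = 0x80000000  # high bit set: entry points at a sub-directory (or a name string)


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; encrypted or packed data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _layout(pe: bytes):
    """Return (resource table RVA, [(va, size, raw_ptr), ...]) from the PE headers."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = _u16(pe, e_lfanew + 6)
    opt_size = _u16(pe, e_lfanew + 20)
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)  # data directory start for PE32 / PE32+
    rsrc_rva = _u32(pe, dd + 2 * 8)                      # directory entry 2 = resource table
    secs = []
    for i in range(nsec):                                # section headers: 40 bytes each, sizes at +8
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        secs.append((va, max(vsize, rawsize), rawptr))
    return rsrc_rva, secs


def _rva_to_offset(rva: int, secs) -> int:
    for va, size, rawptr in secs:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def walk_resources(pe: bytes):
    """Yield (type, id, lang, raw_bytes) for each leaf of the type/id/language tree (assumed 3 levels)."""
    rsrc_rva, secs = _layout(pe)
    base = _rva_to_offset(rsrc_rva, secs)

    def name_of(field):
        if field & SUBDIR:                               # named entry: u16 length + UTF-16LE characters
            o = base + (field & ~SUBDIR)
            return pe[o + 2:o + 2 + 2 * _u16(pe, o)].decode("utf-16-le")
        return field                                     # numeric ID

    def entries(dir_off):
        count = _u16(pe, dir_off + 12) + _u16(pe, dir_off + 14)  # named + id entries
        for i in range(count):
            name, off = struct.unpack_from("<II", pe, dir_off + 16 + 8 * i)
            yield name_of(name), off

    for rtype, toff in entries(base):
        for rid, ioff in entries(base + (toff & ~SUBDIR)):
            for lang, doff in entries(base + (ioff & ~SUBDIR)):
                data_rva, size = struct.unpack_from("<II", pe, base + doff)  # IMAGE_RESOURCE_DATA_ENTRY
                start = _rva_to_offset(data_rva, secs)
                yield rtype, rid, lang, pe[start:start + size]


def triage(pe: bytes, threshold: float = 7.2):
    """Label each resource: plain embedded PE, opaque high-entropy blob, or ordinary data (7.2 is a heuristic)."""
    report = []
    for rtype, rid, lang, blob in walk_resources(pe):
        ent = shannon_entropy(blob)
        if blob[:2] == b"MZ":
            verdict = "embedded PE, not encrypted"
        elif ent > threshold:
            verdict = "opaque high-entropy blob (encrypted or packed payload?)"
        else:
            verdict = "low-entropy data"
        report.append({"type": rtype, "id": rid, "lang": lang, "size": len(blob),
                       "entropy": round(ent, 2), "verdict": verdict})
    return report


def build_sample_pe(resources):
    """Constructed fixture: minimal PE32 whose only section is .rsrc, holding (id, bytes) pairs under type 'BINARY'."""
    n = len(resources)
    rsrc_va, rsrc_raw = 0x1000, 0x200
    name_off, type_off = 24, 40                          # root dir (16 + 8 bytes), name string, then type dir
    lang_off, data_off = type_off + 16 + 8 * n, type_off + 16 + 8 * n + 24 * n
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", SUBDIR | name_off, SUBDIR | type_off)
    name = struct.pack("<H", 6) + "BINARY".encode("utf-16-le")
    typedir = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n)
    langdirs = data_entries = blobs = b""
    cur = data_off + 16 * n                              # first blob sits right after the data entries
    for i, (rid, blob) in enumerate(resources):
        typedir += struct.pack("<II", rid, SUBDIR | (lang_off + 24 * i))
        langdirs += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, data_off + 16 * i)
        data_entries += struct.pack("<IIII", rsrc_va + cur, len(blob), 0, 0)
        blobs += blob
        cur += len(blob)
    section = (root + name).ljust(type_off, b"\0") + typedir + langdirs + data_entries + blobs
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)     # 1 section, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_va, len(section))               # resource directory entry
    sec_hdr = b".rsrc".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(section), rsrc_va, len(section), rsrc_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sec_hdr).ljust(rsrc_raw, b"\0") + section


# Constructed stand-ins for two BINARY resources: an unencrypted embedded PE, and what is left
# after a crypter has run over one, modelled here as deterministic pseudo-random bytes.
PLAIN_BLOB = b"MZ".ljust(64, b"\0") + b"This program cannot be run in DOS mode.\r\n" * 20
OPAQUE_BLOB = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(128))

if __name__ == "__main__":
    for row in triage(build_sample_pe([(101, PLAIN_BLOB), (102, OPAQUE_BLOB)])):
        print(row)
```

Run against a real file, `triage(open(path, "rb").read())` gives one row per resource; a wrapper whose BINARY entries no longer start with MZ and score near 8 bits/byte is worth a closer look, and the same walk is a cheap way to pull those blobs out for sandboxing before the wrapper ever runs them.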

Bypassing Antivirus – Other Tricks

There are a few other tricks that we use that can also help in bypassing antivirus. I like to sign my binaries, since a valid cert tends to add a lot of weight to the reputation of a file when it is reviewed. I sign both resource files before I place them back in the binary, and then I sign the binary itself. For the past year I have been bypassing antivirus (all different kinds) with relative ease with my encrypted and signed version of wce. The awesome thing is that this is not only relevant to wce; it can come in handy across a load of different PEs.

Happy Hunting!

The post Bypassing Antivirus with crypter and CFF Explorer appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.
