A school project. How well does Metasploit encode its executables? I'm putting it to the test against 10 different antivirus programs. This is just the proposal; the finished version should be done in a month or so.
20. Heuristic Scanning Scan the file Person using AV Run it in a sandbox Monitor system calls & activity and relay info to a risk analysis engine Does it look suspicious? Unknown file Unknown file Risk analysis engine
28. Polymorphism hwfeidedwefef dfewfewfewfe grvervklmwefwe welkfimj eifcjm cwif jioregio mg wwoijmgeirojg r Encrypted portion Encryption + decryption engine with key Bla bla key=10 If (decrypted) { EvilStuff(); } Bla bla key=10 Decrypt the main code run Do evil things to the computer If (decrypted) { EvilStuff(); } Bla bla key=10 If (decrypted) { EvilStuff(); } Bla bla key=10 Change the encrytion + decryption engine, And change the key Kjlkmdckldklcm Sdclknmewnge Sdklmroivnslkw Kmewvionjrewg Wenmgrerjnkng spowgnjrekjwe Bah bah key=11 Encrypt the main code with new key and engine
29. Metamorphism 0x74 0x68 0x69 0x73 0x20 0x69 0x73 0x20 0x70 0x77 0x6e 0x7a 0x6f 0x72 0x20 0x63 0x6f 0x64 Virus (hex view) Runs and does evil stuff void main() { EvilFunction(); } void main() { EvilFunction(); UselessFunction(); } Takes its own source code and adds stuff A useless piece is added (like a NOP slide) Recompiled with new code 0x7a 0x6f 0x6d 0x67 0x20 0x64 0x69 0x73 0x20 0x69 0x00 0x00 0x00 0x00 0x00 0x73 0x20 0x6e A new binary is produced
30. Oligomorphism welkfimj eifcjm cwif jioregio mg wwoijmgeirojg r [engine] key=??? Encrypted portion Decryptor/Key Pieces If (decrypted) { EvilStuff(123); } key=a+c/b If (decrypted) { EvilStuff(321); } key=b+c^d If (decrypted) { EvilStuff(213); } key=b%2 +c A B C D