Bypass all anti-viruses by Encrypted Payloads with C#

Bypass all anti-viruses by Encrypted Payloads with C#

Note: This Article Published: (November 24, 2016).

Some people asked me about how you can bypass all AV anti-viruses?

My answer is: very simple. But this is Secretly Technique and the most Pentester or hackers never share that for other people. They have their reason for that like me and I can tell you the most reason is because their methods and codes After share will detect by Anti-viruses Companies very soon.But I want to share one method for you all with C# programming and Encryption method.

Before I begin to describe that first I want to tell you all don’t ask me about where you can find C# Source Code for this document because in this link you can find that .

https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp

But if you have knowledge about Pentesting and Kali Linux and Metasploit Payloads for Backdoors also if you have knowledge for programming after this Document you can find more Source code in internet for do it.

Firstly: you should know about Antivirus and signature base Applications like AV.

Secondly: you should know about Linux base systems and Attacker Side by Kali Linux or other Linux OS for Pentest.

Thirdly: you should know about Windows Programming in this case C#.Net Programming.

In this case for this Document I focus to Programming by C# only and I am sorry I can’t teach everything in one document.

Remember : every Pentest Teams or Red Teams for bypassing your Security Defense Tools Like Antivirus or Firewalls Need to know how can bypass these applications in Layer 7 so this is very important for doing by them in Projects like Whitehat or Pentest Projects and Blackhat hacking attack so if your team or you have more than one technique for bypassing AV this is good point for you or your team also I want to tell you all this is not difficult for doing, trust me.

Bypassing AV by C# Encrypted payload Step by step:

Step 1:

as you can see in picture 1 I made Backdoor Payload with C type in kali linux and you can see we have hex code for backdoor.Why we use “reverse_tcp” payloads because this is best payload for bypassing Firewall with Incoming Block rules.

Step 2 :

you should encrypt this payload with one algorithm like “XOR or other Encryption methods” by one time or more than one time .

How ?

I made simple C# application with secret ;) algorithm for encryption but I want to tell you can find more Source code for doing it don’t worry.

As you can see in picture 2 I made C# code by vs.net 2015 but you can do it by all version of VS.NET.

in the picture 2 you can see one notepad file with payload.txt name, this file is our payload was creating when I used msfvenom tool in step 1.

In this step you should replace value for Payload Variable {0xfc , ….} by that payload.txt file on source code.

Step 3:

In picture 3 you can see output for this application also our encrypted Payload.

As you can see in picture 3 our encrypted payload started with “217,119,88….,82,12,210” Now we have one encrypted Payload it is means you can use that in backdoor.exe files safely because this payload Undetectable by Anti-viruses and only you have KEY for encrypt or decrypt this payload.

Step 4:

Now I need one C# code for Execute this Encrypted Payload in target computer .

As you can see in picture 4 I made this source code for execute Encrypted Payload by C# and in this source code I should replace value for Payload_Encrypted Variable by Encrypted payload like picture 3 also I should replace KEY value by KEY value I used in step 2 source code .

Note: your KEY in step 2 and step 4 is same it is means your KEY for Encryption and Decryption should be same.

In my source code in step 4 , I made code for getting Encrypted Payload by Arguments in command line so I can execute this exe file by typing encrypted payload like a string argument in command line like picture 5.

Example : C:\> backdoor.exe “217,119,88,…….,82,12,210”

In this time encrypted payload will decrypt and execute in memory in target computer and if you have finished All steps correctly then you have meterpreter session by backdoor in kali linux in the attacker side like picture 5:

As you can see in picture 6 my anti-virus can’t detect this backdoor with encrypted payload.

Finally you can see all anti-viruses bypassed by this Technique .

anyway , i made one Forensics tool for Realtime detecting Meterpreter payloads in memory ;) with that Realtime Scanner you can find this backdoor in memory too you can find that in this link :

https://github.com/DamonMohammadbagher/Meterpreter_Payload_Detection

Related Video :

https://www.youtube.com/watch?v=j6pwSemHfTY

Source Code for Video : https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp/tree/master/Ebook%20-%20Chapter%202%20-%20Making%20Encrypted%20Meterpreter%20Payload%20by%20C-Sharp.NET

Related Article :

Bypassing Anti-viruses with transfer Backdoor Payloads by DNS traffic

https://www.linkedin.com/pulse/bypassing-anti-viruses-transfer-backdoor-payloads-dns-mohammadbagher

Antivirus and Signature Based Detection Methods Doesn’t Work for Defense (Bypassing AVs again by NativePayload_Reverse_tcp Ver 2.0)

https://www.linkedin.com/pulse/antivirus-signature-based-detection-methods-doesnt-mohammadbagher?trk=pulse_spock-articles

Detecting Meterpreter Undetectable Payloads by Scanning Memory

https://www.linkedin.com/pulse/detecting-meterpreter-undetectable-payloads-scanning-mohammadbagher?published=t

--

--

--

Security Researcher , Pentester

Love podcasts or audiobooks? Learn on the go with our new app.

How to stay secure in an always-connected IoT vulnerable world

{UPDATE} Kronno Zomber Hack Free Resources Generator

Breach of a DevOps pipeline and the lessons learned

FTO® Update: Key Details Ahead Of This Week’s Göztepe And Universidad de Chile Launches

HIPPA vs. GDPR: major acts regulating health data protection

Let your Dinos earn you $$ when you are having a cup of tea🍵

Step by step Guide on How to participate in CoinExGem IFO on IFswap

SynAssets High Security Guaranteed

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Damon Mohammadbagher

Damon Mohammadbagher

Security Researcher , Pentester

More from Medium

Ancora

BridgeSwap

Introducing Sandra Bay Shifters #sandrabayshifters