ANTIVIRUS EVASION /Metasploit Loader (III): loader64.exe (x86_64, 64 bits)
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv5bLcfjawF0UcRgbasPOIJV99bBww7X7WgHidwtuBhN_-BmxVysptF-Ospp25CHrx0Wgvx_tb4yPvMvi9LGLb6hw_5xdurfNjCVQFLUggufVJFigewhha8J24chdEuXh7oPdpiuHA-LkN/s1600/screenshot.8.jpg)
- This exercise is based on the previous one:
http://www.whitelist1.com/2018/02/metasploit-loader-i-loaderexe-x8632-bits_27.html
1 - Adapting the source code to the x86_64 (64-bit) architecture
- The goal of this exercise is to adapt the previous Windows 10 x86 (32-bit) example to the x86_64 (64-bit) architecture.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_79w3Jpps3NzKAcY0dew3ptJIU-309mv4ggpRHHQPzdOd3_AqGc2Gy5kPnwFeOjuRpTjBpolG9YuWJ05UoLu3WmMNTh8eQPlgf2SSqMP5EyzrwetK-oavUo6fFlUg65EIgLcYbU77wmzp/s1600/screenshot.35.jpg)
- The technical explanation of why and how to modify the source code for the new architecture is here (the original 32-bit loader, and the mailing-list thread describing the 64-bit variant):
https://github.com/rsmudge/metasploit-loader
https://dev.metasploit.com/pipermail/framework/2012-September/008664.html
- For the x86 (32-bit) architecture:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAJ9Qms_PZ78_grdoYhXksyDjan3zMEVGzcJxT_iMdbamdYraedf21kzXqdbzS9bAlhevviDHVy57qTSEGPyIGVZhonDq3Q0RuAeN3k1zF048Bzz_DD0GWdeHQQYYSYofubEOP_jsNZljf/s1600/screenshot.12.jpg)
- For the x86_64 (64-bit) architecture:
- To sum it up: the 32-bit loader prepends the 5-byte instruction `mov edi, imm32` (BF 78 56 34 12, with the 4-byte SOCKET handle as the immediate) to the received stage, so that the stage finds the socket in EDI. On x86_64 the socket handle lives in RDI and is 8 bytes wide (SOCKET is a UINT_PTR), so the instruction becomes the 10-byte `mov rdi, imm64`: a 0x48 REX.W prefix must be prepended, the BF opcode and the low bytes of the handle are kept as in the 32-bit case, and the immediate is padded with 0x00s, because Windows socket handles are small values whose upper 4 bytes are zero.
- Editing main64.c to reflect these changes:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEEkjaCIRM-hXLdNvqQpQ2xrRfZ5IcjDi1s7jE3wfLuc-D3XD1fyhMs-gqF2MOoqHqalSmOdVs6cT31oGTV4jpkQW_qQVKUXmKLCBl37F8Me4cJ5pga4euR8qP8DUaaNOVcn2qypjM1T_R/s1600/screenshot.36.jpg)
- The first change is to enlarge the RWX buffer requested from VirtualAlloc by 10 bytes instead of 5, to make room for the longer stub. The old code:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPGW6cW6CAK9HowlQvNycGrI4uH13o4E5Ydq7KK638xvOsDC4spXQ59XDzApFX7gVAfm8Kz5TJUZ_bK946fbzGcVGEIxY2voc9SdHEJGJLQWLNgPCzMdmQbUAeXEtUinqS-CLnStUcZMGb/s1600/screenshot.37.jpg)
- The new code:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhesKFWdV3gJqK1jeUdgG-4Pf92avUsdbNwvZcBUzUE1rNlYJBWzRv67QknNVBR7EI97h8fDHk8UUHo75uQhTZ0tSFL4YMeObdcmwrLqB5gLHUZHAWs-ei-8gx-LKSnmrKTUsOLURyFZQRp/s1600/screenshot.38.jpg)
- The second change is to write the 0x48 REX.W prefix before the 0xBF opcode and copy all 8 bytes of the socket handle after it. The old code:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9B6we8lf4fNTBFza9GdfI8p7rO0_ZiUbcdAK7xJVouzH35ArPJLTRxDACgkiktd1ZcX4oEjx4gTaEb11_Ijb11KayHDqBV1rcPLvYhqnuiAR76TE-o2qOgH-22v8vl7PCMgrtveXtYZ1K/s1600/screenshot.39.jpg)
- The new code:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjblI74L8BIN6lZ_wYb5a4irNaNqGB9Yw8oIgLJV-Emwz8auhyphenhyphen9OI7S__n7uotfDptLtAOPeCgbkfNhZ28j8VSlwukdZPBLnQCa72ayiw44jrdRMIlRgxOYJ0SLIrFirjdQAULo_4rNjkhP/s1600/screenshot.40.jpg)
- Also, every remaining offset of 5 (the old stub length, after which the stage is received) becomes 10, as above. Old code:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaxbkcWnk12pDeypOG5EKBYfr5dhV0tA8m2W97cBgWfKveEDMdgKSJm8BPL7c0KmoD6U9oxYQkRtCHCaC_QWsxLRfEXMyFGs-Yv9voPSaOm4Q6Va8k4xeC1XGxlXwRMRWAY6jeaHc29L1F/s1600/screenshot.41.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTEyE4qlOOeYrUfNy3Bs42Kh67fbiLjfAKC_Jo3N3rGSTALw6sU6AdiY5DZwZh0qneEpimVPMfEhboTjRlqteNXZ9RsuI-FxGUN01PAn4HlZGRBA1o68pqw7ESodDHYrmUheXzTCpztLAt/s1600/screenshot.42.jpg)
- New code:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju-Y2pMRa5BRcrXLekwheZPMsDXIfkekGBcJ1PN1u356RMvzUY8RnWur7gTnCc5FAc6z_iXOa0OCAS4WFckH30pcVtLjC_4mALBEzX_cKBoQhhqyNE4efieA9CW8SnM4VY8Br8qAfy2I-C/s1600/screenshot.61.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh77rs5dl4xEyDq8yiap2M5fk7e7xG8Ui9xs2KOKdh-pOkoT_N5Avykh2j4jhwtAJH87d2EYlQwyZpLIdOFI2l1KIeuX0MjKkyPROwUsYWIatSse4yxPBCKWMLhnNfFxQ3ykMeaqc39XOCL/s1600/screenshot.43.jpg)
- Finally, the whole altered section looks like this:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8D7j8sFe_ZAvJuXUWCjd71TD0SRY4Pqxvj8_qpmQ0mdJ_VzBE6RYGU5CzIuXAdpzvu-1aSrdrMq2HWbkXHTu1LGLe-WCuAGi1EKSn65xWQxTAdl2ld8ol5bS0pUlEtvdqR9f0dps35qM4/s1600/screenshot.44.jpg)
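The following is an added example, not the metasploit-loader project's code nor the main64.c shown above. It builds the register-setup stub for both architectures and derives the VirtualAlloc size and the stage offset from the stub length, so the three changes above can be checked byte by byte. It uses no Windows APIs (no VirtualAlloc, no sockets) and the socket handle value 0x12345678 is a constructed one, taken from the original source comment, not a real handle:

```c
/* Added example: the stub that metasploit-loader prepends to the Meterpreter
 * stage, for x86 (mov edi, imm32) and x86_64 (mov rdi, imm64).
 * Portable C, no Windows APIs, so it can be compiled and run anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stub sizes: BF + 4-byte imm = 5 bytes; 48 BF + 8-byte imm = 10 bytes */
#define STUB_LEN_X86 5
#define STUB_LEN_X64 10

/* Write `value` as a little-endian immediate of `width` bytes (x86 is
 * little-endian; writing it explicitly keeps the example host-independent). */
static void put_le(unsigned char *dst, uint64_t value, size_t width) {
    for (size_t i = 0; i < width; i++)
        dst[i] = (unsigned char)(value >> (8 * i));
}

/* Build the stub at the start of `buf`. Returns the stub length, which is
 * also the offset at which the stage received from the handler must land. */
size_t build_stub(unsigned char *buf, uint64_t sock, int x64) {
    if (x64) {
        buf[0] = 0x48;              /* REX.W prefix: 64-bit operand size */
        buf[1] = 0xBF;              /* mov rdi, imm64 */
        put_le(buf + 2, sock, 8);   /* SOCKET is 8 bytes (UINT_PTR) on x64 */
        return STUB_LEN_X64;
    }
    buf[0] = 0xBF;                  /* mov edi, imm32 */
    put_le(buf + 1, sock, 4);       /* SOCKET is 4 bytes on x86 */
    return STUB_LEN_X86;
}

/* Size to request from VirtualAlloc: the stub plus the stage length that
 * the handler sends in its 4-byte length prefix. */
size_t alloc_size(uint32_t stage_len, int x64) {
    return (size_t)stage_len + (x64 ? STUB_LEN_X64 : STUB_LEN_X86);
}

/* Byte `idx` of the stub built for `sock`, or -1 past the end of the stub. */
int stub_byte(uint64_t sock, int x64, size_t idx) {
    unsigned char buf[STUB_LEN_X64];
    size_t n = build_stub(buf, sock, x64);
    return idx < n ? buf[idx] : -1;
}

int main(void) {
    unsigned char buf[STUB_LEN_X64];
    const uint64_t sock = 0x12345678;  /* constructed value, not a real handle */
    for (int x64 = 0; x64 < 2; x64++) {
        size_t n = build_stub(buf, sock, x64);
        printf("%s stub (%zu bytes):", x64 ? "x64" : "x86", n);
        for (size_t i = 0; i < n; i++)
            printf(" %02X", buf[i]);
        printf("  -> stage at buffer+%zu, VirtualAlloc(len+%zu)\n", n, n);
    }
    return 0;
}
```

Running it prints `BF 78 56 34 12` for x86 and `48 BF 78 56 34 12 00 00 00 00` for x64, which is exactly the transformation the text describes: same opcode and low bytes, a REX.W prefix in front, and zero padding to a full 8-byte immediate. If the stub length and the `buffer + N` offset ever disagree (for instance a 10-byte stub with the stage still copied to `buffer + 5`), the first stage bytes overwrite the immediate and the loader crashes before RDI is set, so deriving both from one constant is the safer way to write the real loader.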
- Cross-compiling with the x86_64 flavour of MinGW-w64 (x86_64-w64-mingw32-gcc on Kali, instead of the i686 compiler used for the 32-bit loader):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLonv4HqGaULswmi-xlme7WtounET9bcNxNk55JkyFSsQf4miBUSn6Dx4XtoBLLCLridlfcwAbp1MarmvR-GdwU0uoZQgD23dr9HNp43QddISjLSZs7a-carxOMsvRm-Noram9DpzmM8If/s1600/screenshot.45.jpg)
- A new executable loader64.exe is created:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUWXjqmcosh7MMrgsoXxNS0f8isEtErSXrS4iP0BfrRR1DH2TmEmfuF_-JJRhewDpWaFHk9lxWhh9bd5Jr9yhtpQdkcuXMBrZDcq00SJnHr_ajGpBiKw4dn1SNwTzkoYOh54wcLVGZJOW5/s1600/screenshot.62.jpg)
2 - Running the payload on the victim side
- Setting up a simple web server on Kali:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-VR8wfgYefvMzLhA69Rma_TaOQMXeQML8MLnK0JWB_AfrduDhXHAhhAvkEHuJFvd7yIwbcMt0AstUgU1VM4-9Ea6rui9noB5SGIEgDEKgkBr7NSF93HMgaLhqgfIwlL-pKi1vIkYKAFA0/s1600/screenshot.47.jpg)
- Downloading the executable loader64.exe to Windows 10:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb_Dy3FmoYjN1V0p2lxXfL1Ni8o-tXPRndQgjQZqJ2qJJ7H5RjtZWxdyg-beiuwVNFj1_Y64SpcE0iW6AI3r-s2LqEKIMFBRXxYDmoJq9XSlJT0rfBjTsRbUF6452HkjWS_83BBEEKh9d0/s400/screenshot.48.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1jzlB4UneHKurDDrcuQhnzNUoKVaqv7pcZSlsj_7-Ear-o5Xc-mffif44qxdaGpOSHfdDOyUIwWb3k0NV-7S0iGMlVAqSW4JUkelyW_zZnQJs9QXIGjUlvJXKw2Cqq00s0sgc6hDDlUWC/s400/screenshot.49.jpg)
- Setting up a Metasploit handler (exploit/multi/handler) on the Kali machine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQwXpfNVIWKkHBZvmwa5HycL3H9T3TOVasLm-rFtPN0jaM-kvlNWvVBGe2JxjIrwxeIHRs6uSt97GsqNVzdw5KnZhs7Ean63d1nC_MfkogXwFRI107NbOOcbUB-I-CPUtBr4IcLqYFySUO/s1600/screenshot.50.jpg)
- However, when loader64.exe is run on Windows 10 it crashes ("loader64.exe has stopped working"):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9xITdPlz5Tx2VV6oWLgamETxbiRMIEJR_3sd-wcz7ZKm5BJLUfZF6y8veKQFpx9JpiobVOfReT61zv38dJ-zhxS5k0eHi1csVXW3iUiLvCejLgfrOXTu9b_YJf5F_g9v4XrhyzC6hq_-F/s1600/screenshot.51.jpg)
- Also, a Meterpreter session is opened on the handler, but it dies almost immediately:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj04DHrSShmyO-vqjFY0u4Eid04asx9wdiKwuqPLv-iMdsIWUcCB7gyS198KAtgXoTDWrnDhqR3Zol7KW5f_qrfVD67TXzLzYzeYtfIYzf5SopMclzyp4JXTER18maMKmsLWCAk3H0d5hKl/s1600/screenshot.52.jpg)
- Why does this handler session fail?
- The reason is that the handler was configured with the 32-bit payload (windows/meterpreter/reverse_tcp), so the stage it sends is x86 code. loader64.exe is a 64-bit process that jumps straight into that stage in long mode, so the stage faults right after the connection is established, which is why the session appears and then dies:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9Hm26e_vV5xL0Rjwn26HI-9dODVWil8yYj6DzmMAJuNOIxBhfB900_69-SJDnn4EZxRcNXdC0eMS7s3XG4GnVNTffXHneeAYEAbKEIswh-XPHyOCa4zCTRWb7EuKVgXRoZJeeCjIH76i9/s1600/screenshot.10.jpg)
- So, the payload must be replaced with the x86_64 version, windows/x64/meterpreter/reverse_tcp (note the /x64 in the name); the loader itself needs no change, since the stub only sets RDI and the handler decides which stage to send:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB06cuRhFp4j-EsGP1FqGu0rRWhGEGCQlAwxQulC75H5KobNIke0UoPY9uzDVx9JudYAOKIkuXA18WIAxvd90n8sFpjuJ3h62zVmHfBcyFweUEYI9JbgYeXKMWJ5y43fh11GVNyLZlTKEq/s1600/screenshot.53.jpg)
- Repeating the whole process with the x64 payload, the attack succeeds. Setting up the Metasploit handler on Kali:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzAz1aoGL1DZMMIDZowHNrKnEGQkmew5N9Moo6SHeLAII7ccFmjaxp6meRjFbZW9Nlgunhqv7C9Ne6Xf0zIAqrJ9HM9OgWgte3A3TtT9jBnW-yHCRRZy8IIYqxO4xJsjJ4hThhxJj4LLia/s1600/screenshot.55.jpg)
- Running loader64.exe on the victim Windows 10 x86_64 machine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_rHwUzcZ1PSFilvP0AMy4M1aRNKSL9msgKGye6_z7kw7A5wmifwWhFDKSrWcKqxoNa2XbTEReU1B4VQc6JIjW1Pc8ce_66bOGkqWbKD_4lMMx9nft5ey0yHPhSRF6mIbo6dJto_ikbKYm/s1600/screenshot.56.jpg)
- Finally, the Meterpreter session is established and stays alive:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm_qJTXgg_2858UuZnjBp5NhJDBCV-3gcayy-MKs5qf6ZbebM49573GnunpWCdx4gHuUEoN5LlWmeBdvkUdFApEgvKY1EYH0eRec-jCSFdNddIX80zsdRYV3ainlzWb9md6BJPS61uNwgl/s1600/screenshot.57.jpg)
3 - Checking the antivirus evasion rate
- Submitting loader64.exe to VirusTotal, an evasion rate of 95.5% is achieved (only a handful of engines flag it):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzGPHftrZRIKmT-WbDdZQEVCA4i97ohMtWojF6I1q7u9NZKri1f3528AHiMfJz-ccu3u3hovH7BNjvLPFZacNEZXDlykzsfZ_L5-h9wNAfl3WOfq7L3vDAhLNbryu0SiI98DlEidZktv5u/s1600/screenshot.59.jpg)
- Checking loader64.exe against NoDistribute, an evasion rate of 100% is achieved. Note that a sample uploaded to VirusTotal is shared with the AV vendors, so the rate measured there tends to decay as signatures are written for it; a scanner that does not distribute samples, like NoDistribute, is the one to use while a payload is still in use:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7JIXtgl9fuRYUqEStYDmM0GjiArBDcilSj0Vcujp0tURA0ugGj8v_OtL5j5Fdi47Yu5MqZX_uenmLEIwLrZLVMg5IwiREK_AsGGJkBBUJ0tYs9SW5haX7eNrB-bjGO_Hcly44bO3OeVEC/s1600/screenshot.60.jpg)