modern av evasion with shellter

i’d used shikata-na-gai and hyperion in the oscp labs with good effect, but in reality they are totally busted by modern and up-to-date AV

so i was pleased to be introduced to shellter.  i haven’t yet used it a lot, but it’s already the obvious choice for the future!

it can very effectively hide something from AV by taking any 32 bit payload and injecting it into any 32 bit PE.  in the training scenario i used it in (putty with a meterpreter revshell), virustotal counted 3 of about 50 AV engines detecting it, with 2 of those being suspected false positives.  amazing!

the two main use cases are:

  1. non-stealth mode: simply to get past AV and execute the payload (e.g. a privesc).  in this case the enveloping legit app is not executed, only the embedded evil app is
  2. stealth mode: perform a client-side attack without the target being any-the-wiser (e.g. trojan a legit app).  in this case the enveloping app works as intended, and the embedded evil app goes about its business in the background

in stealth mode, if a msfvenom payload is used, it must have EXITFUNC=thread, otherwise killing the established session will also kill the enveloping app

shellter seems to weave the evil app into the code of the original app, and also tries to run out the clock on an AV’s process monitoring sandbox

the website says it doesn’t make use of code caves, nor does it add/modify PE sections!  it’s funny how i’m just about to learn all about all that stuff in the osce, and yet they are already pretty much obsolete, it would seem.  still, it’s nice to get in at the ground level and build up – more complete knowledge that way

still, however good shellter is right now, you can bet your bottom dollar that AV engines will catch up, and new techniques will be needed.  how wonderful and interesting the world of computer security is!

2 thoughts on “modern av evasion with shellter

  1. Thanks for making such a nice post for Shellter.

    Indeed, AV engines might catch up at some point, but considering that it’s being massively used for 2 1/2 years and still performs so nicely it should tell you a lot. And I know it does. ;0)

    All the best,
    kyREcon

    1. thanks so much for stopping by and commenting, kyREcon!

      merry christmas, and wishing you all the best for your impending release of Shellter Pro 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *