Skip to content

codewatchorg/SideStep

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SideStep

SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.

Additional information can be found here: https://www.codewatch.org/blog/?p=414.

Requirements

Software:
Recent release of Metasploit Framework
Ruby 2.x
Windows (tested on 7, 8, and 10)
Python 2.7.x
Visual Studio (free editions should be fine - tested on 2012, 2015, and 2017)
Windows SDK
Cygwin with strip utility (if you want to strip debug symbols)
peCloak (f you want to use it - http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/)
Ditto (if you want to use it - https://github.com/mubix/ditto)
Mono (if you want to sign the executable - http://www.mono-project.com/download/)
SigThief (if you want to add a signature from another file - https://github.com/secretsquirrel/SigThief)

For code signing, a good example can be found here: https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode

Configuration: Python and strip.exe (if using it) need to be in your path. Sorry, I tried to make it compile with mingw-gcc with no luck.

*** The tool should now autocompile the cryptopp library ***

Usage

You must configure settings in conf\settings.py, and then you must at a minimum provide the Metasploit listening handler IP and port:

  python sidestep.py --ip 192.168.1.1 --port 443

If using the defaults, then a source file will be generated in the .\source directory and the executable will be dropped in the .\exe directory.

peCloak Modifications

If you want to use peCloak in the last step of the executable creation, then you will need to install the pydasm and pefile Python modules. You will also need to download the SectionDoubleP Python module (found here: http://git.n0p.cc/?p=SectionDoubleP.git;a=blob_plain;f=SectionDoubleP.py;h=93717cdd0ac293548fb995a1c54094dbea6005d9;hb=8846697ecda15bc814f99d24f7f5cbf0e06466d0) and save it to the peCloak directory.

Next, you need to make the modifications to pefile that the author of peCloak references on his page. If pefile was installed as an egg file:

  1. Find the egg file, typically in PythonRootDir\Lib\site-packages
  2. Make a copy of the egg file and rename the extension to .zip
  3. Unzip somewhere and rename the folder to the original name, but add .egg. So if the egg file was named pefile-1.2.10_139-py2.7.egg, then make that the directory name.
  4. Make the necessary changes to pefile.py and remove pefile.pyc
  5. Copy the unzipped folder containing the modified pefile.py back to the PythonRootDir\Lib\site-packages directory and remove the .egg file.

If it is installed as an editable Python package, then just find and edit the pefile.py as shown in the peCloak demonstration.

Notes

SideStep generates Meterpreter shellcode, randomly generates an encryption key, and then encrypts the shellcode using AES-128bit with the random key. All variables and function names are also randomly generated.

In addition, to encrypting the shellcode and assigning random names, it also generates a configurable number of random variables with configurable value lengths. Surprisingly, this can also help evade AV (read this: https://github.com/nccgroup/metasploitavevasion).

To evade AV sandboxes, I implemented a function that checks the current time, and then loops until a configurable number of seconds have passed since the current time. As an added small time function, I have added support for generating 1024 or 2048bit DH parameters. I chose these methods as I've read that some AV hook sleep function calls.

SideStep can also be configured to strip debugging and other symbol information from the final executable and then randomly encode the assembly instructions using peCloak.

Future

In the future, I plan on making this more of a framework where additional algorithms can be plugged in and selected more "Metasploit / Veil" style. I would also like to set it up to randomly organize functions and variables.

At some point, I will better organize and design the system using OOP.

License

I have included the CryptoPP source and a 32bit compiled version of the library, which I believe is ok as I have included the CryptoPP license with this repository.

SideStep is free to modify, use, change, and do whatever else to.

About

Yet another AV evasion tool

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published