peCloak.py (beta) is a Multi-Pass Encoder & Heuristic Sandbox Bypass AV Evasion Tool.
Contents:
– Heuristic Bypass
– Carving out a code cave
– Jumping to the code cave
– Restoring execution flow
– Other Features
– Writing the Modified PE File
Criteria for a successful bypass:
+ The modified PE file must evade AV detection by market-leading products with up-to-date definitions.
+ The encoded malicious payload must execute without error. Failure to execute, regardless of AV detection, is considered an unsuccessful bypass.
+ The entire process (encoding, decoding, etc.) must be automated, with no manual manipulation of code caves or jump codes within a debugger.
Dependencies:
– PyDasm http://sourceforge.net/projects/winappdbg/files/additional%20packages/PyDasm/
– PEFile https://code.google.com/p/pefile/downloads/list
– SectionDoubleP http://git.n0p.cc/?p=SectionDoubleP.git;a=summary
The four files that were tested for evasion were:
+ av_test_msfmet_rev_tcp.exe – Metasploit Meterpreter reverse_tcp executable
+ av_test_msfshell_rev_tcp.exe – Metasploit reverse tcp shell executable
+ strings_evil.exe – strings.exe backdoored with Metasploit reverse_tcp exploit
+ vdmallowed.exe – local Windows privilege escalation exploit
Example Usage:
peCloak.py -e .text,.data:500:10000 av_test_msfmet_rev_tcp.exe
peCloak.py -e .text,.data:500:10000 av_test_msfshell_rev_tcp.exe
peCloak.py -e .text,.data:50:5000 vdmallowed.exe
This program is intended for use in research, sanctioned penetration testing, or other authorized security-related purposes. Do not use this code or any derivative of it for illegal or otherwise unauthorized activities.