Injection gloves-off: bypassing antivirus software with Shellter

The great problem for many pentests lies in the fact that any "charged" executable file created with Metasploit or other pentest frameworks can be tracked by any antivirus vendor. That is why a pentester has to find out a way to bypass antivirus software instead of going on with penetration. A lot of time is wasted on this task being performed from case to case. So, eventually, various tools for automation of this task started to appear; today we are going to review one of these cool tools, named Shellter.

Quick Start

Some official project information first. So, Shellter is a tool for dynamic shell code embedding, it is indeed the first tool for dynamic embedding of a code into PE files (but it's worth noting that dll files are not supported). It's used for embedding shell codes into native Windows applications (yet only 32 bits are supported). Custom or framework-generated shell codes (e.g. with Metasploit) can be used as a payload.

The advantage of Shellter is that it is based on PE file structure only, and doesn't use any "dirty" tricks like adding new sections with RWE rights, modification of access rights for existing sections, or other operations that any antivirus software will at once find suspicious. Instead, Shellter uses a unique dynamic approach based on the target (to be infected) application flow.

Main Features

Here we need to provide a rather impressive list of features, and we'll use this article to try and discuss some of them (the most interesting ones).

  • The utility can be used with 32 and 64 bit Windows versions (starting with XP SP3), as well as Linux/Mac through Wine/CrossOver
  • Does not require installation (unpacking the archive is enough)
  • Engages no additional dependencies (like Python, .NET)
  • Doesn't use static patterns, frameworks, etc.
  • Supports 32-bit payloads (generated with Metasploit or provided by the user) only
  • Supports all types of payload encryption provided by Metasploit
  • User-provided variants of payload encryption can be used
  • "Stealth" Mode
  • Possibility to embed several payloads into one file
  • Engages a proprietary payload encryption mode
  • Dynamic Thread Context Keys
  • Includes several custom payloads from Metasploit
  • Has its own built-in engine for generating polymorphic junk code
  • Users can use their own polymorphic code
  • Thread context information is used to prevent static analysis
  • Can track polymorphic codes
  • Performs tracing for both single- and multi-threaded applications
  • Dynamic location of a point to embed the code based on application flow
  • Disassembles and displays possible points for embedding
  • Allows users to configure the type, place and time of embedding
  • Command prompt support
  • Absolutely free

Based on its built-in heuristics and the debug tool engine that dynamically starts the host file and traces the indicated number of instructions, Shellter finds the appropriate place for secure shell code allocation in the PE file. The mandatory changes in the PE file structure are minimum, with flags in DllCharacteristics (relocation prevention) deleted and digital signature data cleared.

When running, Shellter will trace only the userland's execution flow, i.e. the code within the infected application, as well as the "external" code located in system libraries, bulk, etc. This is done in order not to leave out the target application's functions used only as callbacks for Windows API. During the tracing process Shellter doesn't use or log instructions located beyond the target application's memory, as they cannot be referred to for shell code embedding.



Target Application Selection

We've got to know Shellter's basic idea, let's now discuss such an important matter as selection of an appropriate target for shell code embedding. First of all, as we've already said before, the application shall be 32 bit native. Another condition is that the application shall be statically connected to no exterior libraries except for those by default included into Windows.

As this tool's main task is bypassing antivirus solutions, you should also avoid the following: packed applications, applications with RWE-right sections or more than one code section, as they will by default look suspicious for antivirus programs.

One more reason to avoid packed .exe files is that most standard packers check files for modifications before unpacking, and thus they won't run after the shell code has been embedded. Furthermore, almost every one of them is crammed with anti-debugging features and will quickly discover Shellter's attempts to trace it (at the moment Shellter is only able to fight PEB.IsBeingDebugged, PEB.NtGlobalFlag). That's why it's best to pack the application after the shell code has been embedded. And the ideal variant is to select an application that will look legitimate for the antivirus software.

Fouling the Trail

Now a few words about the methods used for deceiving antivirus software. Two main methods are using junk code and encrypted/self-decrypting payloads. Shellter has a built-in polymorphic engine that generates spam code of the size indicated in bytes by the user. The dead code will be executed from the Shellter shell code access point till the payload execution or decryption. Spam code is a sequence of null cycles (loopd), use of real application data (read/write), null procedure listing, with the code searched by gadgets within the original code section of shell code host program.

Generating spam code

Generating spam code

Shellter allows payload encryption through seven methods based on usage of Windows API (for creation of self-decrypting code with no changes in properties of PE file executable code sections).

  1. VirtualAlloc
  2. VirtualAllocEx
  3. VirtualProtect
  4. VirtualProtectEx
  5. HeapCreate/HeapAlloc
  6. LoadLibrary/GetProcAddress
  7. CreateFileMapping/MapViewOfFile

As the utility tends to change PE file headline structure as little as possible, it suggests using only the available file import. If the file's import table doesn't have any of the abovementioned API sets, then Shellter will offer to either give up on payload encryption, or forcefully change properties of the PE file section. As you can see, with no payload encryption performed, Shellter will normally be useless (in case of aver bypassing).

Payload encryption method is only available with LoadLibrary/GetProcAddress

Payload encryption method is only available with LoadLibrary/GetProcAddress

Shellter shell code access point, no obfuscation and polymorphism+usage of payload self-decryption (VirtualAlloc)

Shellter shell code access point, no obfuscation and polymorphism+usage of payload self-decryption (VirtualAlloc)

Starting with the fourth version, Shellter provides its own dynamic encryptor. It can be used to obfuscate the payload encryption procedure by embedding a random number of XOR, AND, SUB, NOT operations into each shell code generating (--polydecoder command prompt modifier is used here). API function invocations used to transfer shell codes into the write-access memory may also be obfuscated. With "Auto" mode, Shellter will by default use its own encryptor to obfuscate payload decryptor. This feature can be applied to both unencrypted and encrypted payloads as an additional level of encryption.

Dynamic Thread Context Keys

It's a rather interesting feature appearing in the fourth version, called Dynamic Thread Context Keys. It allows using dynamic information from the target application context in the function of encryption keys. The idea is simple: during tracing, the values of specific CPU registers are logged, after that the points of possible payload embedding with at least one register preserving the value suitable for encryption/decryption during the program flow will be filtered off. While it's still a pilot feature, it helps get rid of necessity to hardcode the decryption key. While in "Auto" mode, it can only be activated with --DTCK modifier.

A few words about payloads

Now a few words about payloads. Shellter already has several most popular payloads embedded, so normally you don't have to generate them manually through Metasploit. This list includes:

Please subscribe to read full article

1 year

for only $300

With subscription you are free to read all of the materials of
Read more about the project

Please subscribe to view comments

Only subscribers can participate in the discussions. You may login in to your account or sign up to Hackmag and pay a subscription to access the discussions.