Avoiding Detection

flag, when the payload is executed, the target will not see a console window. 
Paying attention to these little details can help you remain stealthy during an 
engagement.

Figure 7-5: AVG declares the payload safe and the computer secure.

Packers

Packers are tools that compress an executable and combine it with decompression code. When this new executable is run, the decompression code re-creates the original executable from the compressed code before executing it. This usually happens transparently, so the compressed executable can be used in exactly the same way as the original. The result of the packing process is a smaller executable that retains all the functionality of the original.
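To make the description above concrete, here is an added example (it is not code from the book and it is not UPX): a toy packer round trip that uses zlib in place of UPX's compressor, a constructed minimal PE section table standing in for a real executable, and the two cheapest checks a scanner runs on the result, the default UPX section names and per-section entropy. The PE layout, the sample "code" bytes and the 7.0 bits-per-byte entropy cutoff are all assumptions made for the example.

```python
"""Toy packer round trip plus the two cheapest checks a scanner runs on it.

Added example for the Packers discussion; not the book's code and not UPX.
The PE image built here is a constructed, minimal stand-in (DOS header, PE
signature, COFF header with SizeOfOptionalHeader=0, section table, raw data)
so everything runs offline. The 7.0 bits/byte entropy cutoff is an assumed
heuristic, not a published constant.
"""
import math
import random
import struct
import zlib
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # UPX's default section names
ENTROPY_THRESHOLD = 7.0   # assumed cutoff; compressed or encrypted data sits near 8.0
MIN_SECTION_BYTES = 64    # entropy of a very short section is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pack(code: bytes) -> bytes:
    """The packer's job: compress the original code. A real packer also
    prepends a native decompression stub and repoints the entry point at it."""
    return zlib.compress(code, 9)


def unpack(blob: bytes) -> bytes:
    """The stub's job at run time: re-create the original bytes before they run."""
    return zlib.decompress(blob)


def build_pe(sections) -> bytes:
    """Assemble a minimal PE image from [(name, raw_bytes), ...].
    Constructed stand-in for illustration only; Windows would not load it."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, three zeroed fields, SizeOfOptionalHeader=0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table_off = e_lfanew + 4 + len(coff)
    raw_off = table_off + 40 * len(sections)
    table, raw = b"", b""
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # reloc/linenumber pointers and counts (zero), Characteristics (zero)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0,
                             len(data), raw_off + len(raw), 0, 0, 0, 0, 0)
        raw += data
    return dos + b"PE\0\0" + coff + table + raw


def parse_sections(pe: bytes):
    """Walk the section table and return [(name, raw_bytes), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table_off = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", pe, table_off + 40 * i)
        name, rawsize, rawptr = hdr[0].rstrip(b"\0"), hdr[3], hdr[4]
        out.append((name, pe[rawptr:rawptr + rawsize]))
    return out


def packer_indicators(pe: bytes):
    """Reasons a file looks packed; an empty list means nothing obvious."""
    reasons = []
    for name, data in parse_sections(pe):
        label = name.decode("ascii", "replace")
        if name in UPX_SECTION_NAMES:
            reasons.append(f"section {label} is a UPX default name")
        if len(data) >= MIN_SECTION_BYTES:
            h = shannon_entropy(data)
            if h > ENTROPY_THRESHOLD:
                reasons.append(f"section {label} entropy {h:.2f} bits/byte "
                               f"looks compressed or encrypted")
    return reasons


# Constructed stand-in for a payload's code: 4 KiB drawn from a 16-symbol
# alphabet, so its entropy cannot exceed log2(16) = 4 bits/byte.
ORIGINAL_CODE = bytes(random.Random(2009).choices(b"0123456789abcdef", k=4096))
PLAIN_PE = build_pe([(b".text", ORIGINAL_CODE), (b".data", b"\0" * 256)])
# UPX leaves UPX0 with no raw data (the unpacked image lands there at run
# time) and stores the compressed image plus stub in UPX1; .rsrc is kept.
PACKED_PE = build_pe([(b"UPX0", b""), (b"UPX1", pack(ORIGINAL_CODE)),
                      (b".rsrc", b"RSRC" * 16)])

if __name__ == "__main__":
    blob = pack(ORIGINAL_CODE)
    print(f"original {len(ORIGINAL_CODE)} bytes, entropy {shannon_entropy(ORIGINAL_CODE):.2f}")
    print(f"packed   {len(blob)} bytes, entropy {shannon_entropy(blob):.2f}")
    print("round trip ok:", unpack(blob) == ORIGINAL_CODE)
    for tag, pe in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(tag, packer_indicators(pe) or ["no indicators"])
```

Run it and the packed image is smaller and round-trips to the original, which is the transparency the paragraph describes; but the same packed image is flagged twice, once for its section names and once because compressed data is close to uniformly random. That is why a stock packer buys little against a scanner that looks at structure rather than signatures alone.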

As with msfencode, packers change the structure of an executable. However, unlike the msfencode encoding process, which often increases the size of an executable, a carefully chosen packer will use various algorithms to both compress and encrypt an executable. Bear in mind that widely used packers are well known to antivirus vendors, and UPX in particular leaves recognizable traces (its default section names and a high-entropy compressed section), so packing on its own is a weak defense against a scanner that inspects structure. Next, we use the popular UPX packer with Back|Track to compress and encode our payload3.exe payload in an attempt to evade antivirus software detection.

root@bt:/# apt-get install upx
. . . SNIP . . .
root@bt:/# upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
. . . SNIP . . .
Type 'upx --help' for more detailed help.
UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net