Hello everybody, and welcome to episode number 27 of the RCP course, antivirus avoidance. My name is Alejandro Ggonna, and I'll be your instructor for today's session.

The learning objectives are to understand the concept behind this technique and to apply those concepts to actually implement it. So let's get down to business, shall we?
Antivirus databases contain most of the well-known, or known, malware signatures. For example, let me just grab a reverse shell here, the one we already used in a previous video, the msfvenom video to be more specific. Let me just give it another name, since it probably already has one: one-two-three.

So let's upload that to a well-known site, VirusTotal. VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus might have missed, or to verify against any false positives. Antivirus software vendors can receive copies of files that were flagged by other engines but passed by their own engine, to help improve their software and, by extension, VirusTotal's own capability. Users can also scan URLs and search for malware. Well, let me just show it to you so you can see how VirusTotal really works.

So this is a really cool, user-friendly interface. Just select a file. Remember, we already renamed the one-two-three executable. Uploaded.
And again, the only thing that we did to actually try to bypass antivirus was to encode it with a really generic encoder, which is shikata_ga_nai. Remember the command: we used the encoder here, shikata_ga_nai. So this, of course, will not help us improve our antivirus avoidance capabilities, or at least the capabilities of this executable, because at the end it is kind of letting the operating system know (I'm not a robot again, oh my God) ... letting the operating system know that we actually want to throw a reverse shell back to our system. So this was flagged by 52 engines.
So, pretty common. I mean, yeah, that was expected. Another tool that I really love, an online tool by the way, is Hybrid Analysis. Hybrid Analysis is kind of a sandbox, so you can actually upload files here. Let me just grab... nope, sorry... the one-two-three executable and drag it in here. Yeah, I consent. And I'm not a robot again, oh my gosh. Does this include a bus? Is that a bus? Okay, it was a bus.

You can select which operating system to run this on, and it will run it. First of all, what I love about this is that you have the option to integrate it with CrowdStrike Falcon. I cannot stress this enough: CrowdStrike is one of the most amazing tools I have ever seen when it comes to anti-exploit software, because, I don't know if it's classified as next-generation antivirus, but it's critical. You can take a look at it at the end. This is a free service, and there are total submissions pending; I have to wait for these submissions to finish. Let me just stop it here and just show you the results at the end. This is the result, the final result.
If you click here, it will take you to this page, and you can get all the information on the virus you uploaded, kind of reverse-engineering capabilities. It will tell you the hash, it will tell you, I don't know, more information (I believe we saw the hashes), right? What it was supposed to do, what DLLs are involved, where the real deal starts from. I mean, a really detailed report of this virus. So these two tools, I believe you have to use them in your everyday work, especially if you're part of a security operations center, or SOC. You have to use these two tools, and other tools as well, but these ones are free and they're really cool.

So, back to our antivirus avoidance capabilities. Let me just go ahead here, and we can put an extra layer on a virus.
We can use some packers, crypters or encoders, for example Hyperion. I love Hyperion. Hyperion is just as it sounds, a packer, crypter and encoder. It is located here; let me just give you the location. And as you can see, it's an executable. Fortunately, we can actually execute that extension in your Kali machine by using the Wine tool, which I already downloaded and upgraded, updated to be more precise. And I can just throw this... let me just... so I put that in here. I will change the name, of course, because at the end I already tested this. I went with one-two-three-Hyperion, and one-two-three, which is the executable we created, and all it took me to run Hyperion, I mean, to pack it, was to actually call it and tell it to use this as the input and that as the output.

Now, the problem we have with Hyperion is that it uses a really, really generic encoder, so the detection capabilities were not improved as much as we wished. It probably decreased by one or two, or maybe three, detection engines. I mean, maybe we will get like 50 or 51, I don't know, or maybe we will not get any improvement at all. Sometimes I have seen that using Hyperion with the default... you know, you can use a custom encoder, but for the purpose of this session we'll use the default one. But Hyperion, using its default encoder, sometimes actually increases the detection rates of antiviruses. At the end, it is flagging, or sending all the alarms, that the file or executable wants to actually hide something. But let's give it a shot and see what the result is. It will probably be like 50 or 51. I mean, we got 52 the last time, so anything now below 52 is kind of an improvement, I guess.
But fortunately for us, we can use another crypter or encoder, which is called PEScrambler. The PEScrambler module provides similar functionality to the Hyperion module, except it uses a different obfuscation tool by default. So it may improve things a little bit more than Hyperion, but at the end of the day, I don't know, maybe it will stay the same. At the end, Hyperion and PEScrambler are both used for encoding, or encrypting, if you allow me to use that word, a file so we can avoid antivirus. Okay, fine, we decreased by at least three positions.

Let me just use PEScrambler right now. By the way, you can download PEScrambler from this page; let me just give you the link. I already did it, by the way, so I will not do it again, but you can download it from this web page.
The syntax of the command is really simple. I will just use wine64, and I go to root... I tell it to execute the scrambler, with the input one-two-three-Hyperion.exe, and the output will be one-two-three-Hyperion-PEScrambler.exe. And that's all it takes. It will be creating a new executable. So I go here again, let me just go back and upload another... get another virus to VirusTotal here to see if it actually improved my antivirus avoidance capabilities. Most likely, again, it will improve our numbers by maybe two or three antivirus engines. But don't expect too much of an improvement, because again, crypters sometimes use generic algorithms and keys to actually obfuscate the content, or encrypt the content itself. So, yeah, don't expect much of an improvement with Hyperion. Yeah, we did get a little bit of improvement, but not as much as we would like.
What largely improved the numbers: you can create your own custom payloads and exploits with Python. Remember that we have seen how to use Python to actually throw a reverse shell back to us. Well, why not use that capability in that code? For example, let me just copy-paste it here. I just created test.py and just copy-pasted this payload, which, by the way, I did not create. I just did a real quick Google search for "reverse shell Python script" or something like that, and it threw me this code. I didn't change anything about this code. Well, you can change the IP, yeah, you can change the IP and the port. I would like to use 4444, but that's it. I mean, I'm not changing anything about it. It will throw a reverse shell. We have our test.py here, and we can actually largely improve our numbers. Just to be consistent, I don't want to upload the Python script; I just want to upload the executable.
So you can use a tool called PyInstaller. I already installed it, but let me just show you here. And that's it, I already have it installed, as I told you. You can just run the command pyinstaller --onefile, since I only want to output one file, on our test.py. It's going to compile that to an executable. Let me just ls here, and we have some new folders created by PyInstaller, for example this spec file, or what is it? Let me just find it here, the PyInstaller files, for example. If I go here, I have a test.py executable. Let me just go back one, to the other location, so you can see the locations that this will create. We have the build folder, for example, the dist folder, some folders in here, and we have more information about this, just the usual. So let's go to the dist folder here to actually upload this Python executable to our antivirus detection.
Oops, what did I do here? Okay, let me just wait for this to load. And remember, it was this one. And I go here to reverse.py, I'm sorry. And let's see what the numbers are. Cross your fingers, you guys. Let's hope that it goes at least below, I don't know, 35. Remember the number we got with the other tool? What was it, 42? Yeah, if we are below 35, we can consider it a win here. Or, well, we might get even better numbers. Okay, 14! Shout out, 14. Yeah, only 14 antivirus engines actually flagged this as malicious. The other 57 missed that one.

So, by doing this, we just helped improve all the other antivirus detection capabilities, because at the end, VirusTotal, what does it do again? As I told you at the beginning, it will tell other antivirus vendors that there are samples, supposedly malicious code, that were not flagged by their engine but were flagged by other engines. So we helped improve security today, guys. So that's the magic of antivirus avoidance. Yeah, you can use generic tools to create your own payloads and encode or encrypt them as much as you want, but creating your own payloads will largely improve those numbers. So I encourage you, when you're creating your reverse shells, to create your own reverse shell with your own code; that will largely improve your antivirus avoidance, so you can go unnoticed when exploiting any system.
So what is achieved by the Hyperion tool? Well, it's a crypter and an encoder that you can use to encode or obfuscate tools, executables or files. This will improve your chances of going unnoticed by antivirus, but just a little bit. If you're using generic tools, most likely the antivirus will, you know, catch your...

What is VirusTotal used for? Well, you can upload files and search for URLs to see if they were flagged as malicious before by other antivirus vendors, or by several antivirus vendors, and you can see if you have false positives or maybe something actually affecting your system.
In this video we learned the concepts of this technique, we implemented some tools and commands to execute this technique, and we saw how malicious it can be. Supplemental materials, as always: The Hacker Playbook. Needless to say, you can also go to the main web page of the tools we're seeing in these videos to get more information on applying the technique itself, or to get more concepts or context on how to use it. The Hacker Playbook is an amazing source, and, as always, every possible source on Google and YouTube.

Well, in the next video we'll start a new module, showing you how to create a buffer overflow exploit from scratch. I mean, we'll try to understand how to identify that something is actually vulnerable to a buffer overflow, and we'll create our own payload, we'll search for the return address (remember, we saw in a previous video what the return address is for), and everything. We'll do that from scratch and we'll create, I guess, our own first exploit by ourselves. So that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
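The lecture's point about Hyperion and PEScrambler (a generic crypter hides the payload's bytes but can itself raise detections, because the unpacking stub is the same in every build) can be shown with a small toy. The following is an added example written for this page; it is not code from the video, nor from Hyperion or PEScrambler. The payload, the "signature" bytes and the stub marker are constructed, and the brute-forced weak key is an assumption about how this class of crypter behaves, not a description of Hyperion's real internals.

```python
"""Toy crypter, added here as an example; it is not code from the video nor
from Hyperion or PEScrambler. It shows the idea the lecture leans on: a
known byte pattern disappears from the packed file, but the stub that
unpacks it is itself a constant that can be signatured. The brute-forced
weak key is an assumption about how this class of crypter works, not a
description of Hyperion's real internals. All bytes below are constructed."""
import inspect
import os

# Constructed stand-in for a payload. SIGNATURE plays the role of the bytes
# an antivirus signature would match; the filler is deterministic junk.
SIGNATURE = bytes.fromhex("fce8820000006089e5")          # constructed, not real shellcode
FILLER = bytes((i * 73) & 0xFF for i in range(64))
PAYLOAD = b"MZ" + FILLER + SIGNATURE + FILLER[::-1]

MARKER = b"STUB-OK"   # known plaintext the stub uses to confirm a key guess
KEY_BYTES = 2         # 65536 possible keys: tiny, so the stub can brute-force it


def xor(data, key):
    """Repeating-key XOR; stands in for the crypter's cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload, key=None):
    """Crypter side: prepend the marker, XOR with a weak random key, discard the key."""
    while not key or not any(key):          # an all-zero key would leave the bytes untouched
        key = os.urandom(KEY_BYTES)
    return xor(MARKER + payload, key)


def unpack(blob):
    """Stub side: the key was never stored, so recover it by brute force."""
    for k in range(1, 256 ** KEY_BYTES):
        key = k.to_bytes(KEY_BYTES, "big")
        if xor(blob[: len(MARKER)], key) == MARKER:
            return key, xor(blob, key)[len(MARKER):]
    raise ValueError("marker not found: not a blob this stub produced")


# The "packed file" = the stub's own code followed by the encrypted blob.
# The stub never changes between builds, which is exactly what an AV can key on.
STUB_CODE = inspect.getsource(unpack).encode()
STUB_SIGNATURE = b"for k in range(1, 256 ** KEY_BYTES):"


def build_packed_file(payload, key=None):
    """Produce stub + encrypted payload, like a crypter's output executable."""
    return STUB_CODE + pack(payload, key)


def run_packed_file(packed):
    """Emulate execution: strip the stub, let it recover the key, return the payload."""
    _key, payload = unpack(packed[len(STUB_CODE):])
    return payload


def scan(blob, signatures):
    """Minimal static scanner: which known byte sequences appear verbatim?"""
    return [s for s in signatures if s in blob]


if __name__ == "__main__":
    packed = build_packed_file(PAYLOAD)
    print("payload signature in raw payload :", scan(PAYLOAD, [SIGNATURE]) != [])
    print("payload signature in packed file :", scan(packed, [SIGNATURE]) != [])
    print("stub signature in packed file    :", scan(packed, [STUB_SIGNATURE]) != [])
    print("stub recovers original payload   :", run_packed_file(packed) == PAYLOAD)
```

Running it shows both halves of the lecture's observation: the original signature no longer appears in the packed output, so a purely signature-based engine loses its match, while the stub's own bytes match on every build, so an engine that signatures the stub flags every file the crypter ever produces. That is why a payload you write yourself, with no shared stub, moved the numbers far more in the video than either packer did.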
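For the SOC usage the lecture recommends, checking a file against VirusTotal without handing the file itself to every vendor, a hash lookup is the safer first step. The following is an added example written for this page, not code from the video. It uses the public VirusTotal v3 endpoint `GET /api/v3/files/{sha256}` with the `x-apikey` header and reads the `last_analysis_stats` and `last_analysis_results` fields of the response; the `VT_API_KEY` environment variable is an assumption made for this example, and `SAMPLE_REPORT` is constructed data in the API's shape so the summary logic can be exercised offline.

```python
"""VirusTotal hash lookup helper, added here as an example; it is not code
from the video. It uses the public VirusTotal v3 endpoint
GET /api/v3/files/{sha256} with the x-apikey header and reads the
last_analysis_stats / last_analysis_results fields of the response. The
VT_API_KEY environment variable and SAMPLE_REPORT are assumptions made for
this example; SAMPLE_REPORT is constructed data in the API's shape, not a
real report."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large executables don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize(report):
    """Reduce a v3 file report to (malicious, engines_with_verdict, names_that_flagged).

    Only engines that returned a verdict are counted in the denominator, so the
    figure can differ slightly from the ratio the web UI shows."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    verdict_keys = ("harmless", "malicious", "suspicious", "undetected")
    total = sum(stats.get(k, 0) for k in verdict_keys)
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(name for name, r in results.items() if r.get("category") == "malicious")
    return stats.get("malicious", 0), total, flagged


def lookup(sha256, api_key, timeout=30):
    """Query VirusTotal by hash only; the file itself is never sent."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample in the shape the API returns (values chosen to mirror the
# 14-flagged / 57-missed result the lecture reports; not real VirusTotal data).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"harmless": 0, "malicious": 14, "suspicious": 0,
                            "undetected": 57, "timeout": 0, "type-unsupported": 3},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineB": {"category": "undetected", "result": None},
        "EngineC": {"category": "malicious", "result": "Python/Agent"},
    },
}}}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vt_lookup.py <file>")
    digest = sha256_file(sys.argv[1])
    key = os.environ.get("VT_API_KEY")
    if not key:
        sys.exit("set VT_API_KEY; offline demo on SAMPLE_REPORT: %s" % (summarize(SAMPLE_REPORT),))
    try:
        malicious, total, names = summarize(lookup(digest, key))
    except urllib.error.HTTPError as e:  # 404 means nobody has submitted this hash yet
        sys.exit("%s -> HTTP %d (unknown to VirusTotal if 404)" % (digest, e.code))
    print("%s -> %d/%d flagged: %s" % (digest, malicious, total, ", ".join(names)))
```

A freshly built payload that nobody has uploaded returns 404 from this lookup, which is itself useful information: it tells you the sample is not yet known without making it known. That matters for the reason the lecture gives about VirusTotal sharing submissions with vendors; uploading your own tooling during an engagement hands it to every engine on the platform, so keep hash lookups for your own artifacts and reserve uploads for samples you actually want the vendors to see.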