AntiVirus Evasion Tool

AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques, as well as other methods used by malicious software.
For an overview of new features in v2.3, as well as past version increments, have a look at the CHANGELOG file.

Table of Contents

• Installation
• Docker
• AVET the easy way
• AVET the normal way
• Documentation (click to expand)
  • Data retrieval methods
  • Encryption/Encoding
  • Sandbox evasion
  • Additional command execution
  • Helper tools
  • AVET & metasploit psexec
• More

Some features

• when running a .exe file made with msfpayload & co, the file will often be recognized by antivirus software
• AVET is an antivirus evasion tool targeting windows machines with executable files
• different kinds of input payloads can be used now: shellcode, exe and dlls
• more techniques available: shellcode/dll injection, process hollowing and more
• flexible retrieval methods for payload, decryption key, etc.
• usage as a dropper
• Chaining multiple iterations of AVET enables you to add multiple evasion layers, if necessary
• combination of techniques: download your encrypted payload via powershell, while supplying the decryption key via command line argument at execution time, and finally inject your payload into another process, choosing from multiple techniques
• basic sandbox checks
• execute all available build scripts with build_script_tester.py, might also be interesting for researchers for building a set of “malicious” samples using different evasion and injection techniques

Important Note

Not all techniques will evade every AV engine. If one technique or build script does not work, please test another one.
Feel free to experiment! After all this is a toolbox – yet you should wield the hammer yourself.

Installation

The Installtion Instruction applies for Kali 64bit and tdm-gcc!
You can use the setup script:

./setup.sh

This should automatically get you started by installing/configuring wine and installing tdm-gcc.
You’ll shortly have to click through the tdm-gcc installer GUI though – standard settings should be fine.
The script will also ask if you want to install AVET’s dependencies, which are needed to use some of the build scripts. The fetched dependencies will be put into separate folders next to the avet folder.
Dependencies will grab the latest releases of:

• pe_to_shellcode
• mimikatz
• DKMC

If for whatever reason you want to install wine and tdm-gcc manually:

• How to install tdm-gcc with wine

Docker

If you are not using Kali or don’t want to install Metasploit on your system, you can use the Docker Container instead.
The container encapsulates Metasploit and avet and the samples will be created in your current directory.
It is also possible to use an graphical text editor like gedit.
Building the container:

sudo docker build -t avet:v0.1 .

Usage:

sudo docker run -it --net=host --env="DISPLAY" --volume="$HOME/.Xauthority:/root/.Xauthority:rw" -v $(pwd):/tools/avet/output avet:v0.1 /bin/bash

For a better experience it is recommend to alias this.

# In your .bash_profile, .bashrc or .bash_aliases

alias avet='sudo docker run -it --net=host --env="DISPLAY" --volume="$HOME/.Xauthority:/root/.Xauthority:rw" -v $(pwd):/tools/avet/output avet /bin/bash'

AVET the easy way

avet.py is a small Python utility which was designed to assist you in using the tool.
It lists all scripts that are currently present in the build folder. After selecting one, you will be able to step through the script line by line, having the opportunity to modify the contents on the fly.
The latter is especially useful as you can define new LHOST and LPORT variables for msfvenom each time you run a build script via the fabric.
You can define default LHOST and LPORT values in the /build/global_connect_config.sh file, which are used if you don’t redefine.
These modifications are temporary, which means that any changes you made will not persist in the build script on disk.
The modified version is executed once, and your executable built.

Here is a quick example (Click to expand):

python3 avet.py

                       .|        ,       +
             *         | |      ((             *
                       |'|       `    ._____
         +     ___    |  |   *        |.   |' .---"|
       _    .-'   '-. |  |     .--'|  ||   | _|    |
    .-'|  _.|  |    ||   '-__  |   |  |    ||      |
    |' | |.    |    ||       | |   |  |    ||      |
 ___|  '-'     '    ""       '-'   '-.'    '`      |____
jgs~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Welcome to the avet Assistant!

0 : build_40xshikata_revhttpsunstaged_win32.sh
1 : build_50xshikata_quiet_revhttps_win32.sh
2 : build_50xshikata_revhttps_win32.sh
3 : build_asciimsf_fromcmd_revhttps_win32.sh
4 : build_asciimsf_revhttps_win32.sh
5 : build_avetenc_dynamicfromfile_revhttps_win32.sh
6 : build_avetenc_fopen_revhttps_win32.sh
7 : build_avetenc_mtrprtrxor_revhttps_win64.sh
8 : build_calcfromcmd_50xshikata_revhttps_win32.sh
9 : build_calcfrompowersh_50xshikata_revhttps_win32.sh
10 : build_checkdomain_rc4_mimikatz.sh
11 : build_cpucores_revhttps_win32.sh
12 : build_disablewindefpsh_xorfromcmd_revhttps_win64.sh
13 : build_dkmc_downloadexecshc_revhttps_win32.sh
14 : build_downloadbitsadmin_mtrprtrxor_revhttps_win64.sh
15 : build_downloadbitsadmin_revhttps_win32.sh
16 : build_downloadcertutil_revhttps_win32.sh
17 : build_downloadcurl_mtrprtrxor_revhttps_win64.sh
18 : build_downloadiexplorer_revhttps_win32.sh
19 : build_downloadpsh_revhttps_win32.sh
20 : build_downloadsocket_mtrprtrxor_revhttps_win64.sh
21 : build_downloadsocket_revhttps_win32.sh
22 : build_dynamicfromfile_revhttps_win32.sh
23 : build_fibonacci_rc4_mimikatz.sh
24 : build_fopen_mtrprtrxor_revhttps_win64.sh
25 : build_fopen_quiet_revhttps_win32.sh
26 : build_fopen_revhttps_win32.sh
27 : build_getchar_rc4_mimikatz.sh
28 : build_gethostbyname_revhttps_win32.sh
29 : build_hasvmkey_revhttps_win32.sh
30 : build_hasvmmac_revtcp_win32.sh
31 : build_hollowing_targetfromcmd_doubleenc_doubleev_revhttps_win64.sh
32 : build_hollowing_targetfromcmd_doubleenc_doubleev_revtcp_win32.sh
33 : build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win32.sh
34 : build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win64.sh
35 : build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.sh
36 : build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.sh
37 : build_kaspersky_fopen_shellrevtcp_win32.sh
38 : build_mimikatz_pe2shc_xorfromcmd_win64.sh
39 : build_pause_rc4_mimikatz.sh
40 : build_rc4_interactive_pwsh_mimikatz_win64.sh
41 : build_rc4_interactive_with_arithmetic_pwsh_mimikatz_win64.sh
42 : build_rc4enc_mimikatz_win64.sh
43 : build_sleep_rc4_mimikatz.sh
44 : build_sleepbyping_rc4_mimikatz.sh
45 : build_timedfibonacci_rc4_mimikatz.sh
46 : buildsvc_20xshikata_bindtcp_win32.sh

Which Script would you like to configure and build?
Enter the corresponding number -> 43

DESCRIPTION :
# RC4-encrypt the payload with a static, preset key.
# Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode.
# pe_to_shellcode is written by Hasherezade:
# https://github.com/hasherezade/pe_to_shellcode

# This script expects the Mimikatz executable to be at input/mimikatz.exe
# and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe

Configure the Build Script

# enable debug output
-> enable_debug_print

# generate key file with preset key
-> generate_key preset aabbccdd1122

Do you want to add sandbox evasions? [y/N]
-> N

Executable will be created Shortly please wait.

*** ============================================= ***

         .==,_                                          
        .===,_`\                                        
      .====,_ ` \      .====,__                         
---     .==-,`~. \           `:`.__,                    
 --- ...