AV Evasion using PeCloak.py on Kali Linux

A little while ago, I came across a script from Mike Czumak from SecuritySift here.

It was written as an experiment in AV evasion as part of Mike's OSCE course, but it has uses for defenders as well, such as being able to dump the sections of a Windows PE file.

The script can be downloaded from SecuritySift here. It has three requirements: pefile, pydasm and SectionDoubleP.

The script uses a modified version of Python's pefile, so if you already have pefile installed, uninstall it first. After you have uninstalled it, modify the pefile source as shown below:

[Screenshot: pefile-mod3]

Add lines 2222-2225

[Screenshot: pefile-mod1]

Add line 2254

[Screenshot: pefile-mod2]

Now change to the pefile directory and run the usual 'python setup.py install' to install the module, as shown below:

[Screenshot: pefile-install-success]

Bear in mind that the modified version may not be compatible with other tools that depend on pefile; installing it into a separate virtualenv keeps it away from those tools.

Next we need pydasm, which is part of the libdasm project on Google Code here. Download the zip file, extract it to a directory of your choice, change to the 'libdasm-beta' directory and run 'python ./setup.py install'. The output should be similar to the screenshot below.

[Screenshot: pydasm]

Now browse to the SectionDoubleP git repository here. Click the 'snapshot' link, save the tar.gz archive to the same folder as pefile, and extract SectionDoubleP.py so that it sits in the same folder as pecloak.py, as shown below.

[Screenshot: pecloak-final]

Now to test whether we can create a pecloaked file: first create a meterpreter binary and put it in the same directory, making sure it is writable. Let's try to cloak it.

[Screenshot: pecloak-success]

Happy pecloaking!!!!!
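As an added defensive example (not part of the original post or of PeCloak), the script below walks a PE's section table by hand and flags sections that look packed or encoded (high entropy) or are mapped both writable and executable, the kind of anomaly that section-adding tooling like this leaves behind for a defender to spot. The sample PE is constructed inline, and the entropy threshold and reason strings are my own choices.

```python
import math
import struct

def shannon_entropy(data):
    """Bits per byte; close to 8.0 means compressed or encrypted content."""
    n = max(len(data), 1)  # avoid division by zero on an empty section
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in range(256)) if c)

def parse_sections(pe):
    """Walk DOS header -> e_lfanew -> COFF header -> section table; one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    table = coff + 20 + struct.unpack_from("<H", pe, coff + 16)[0]  # skip SizeOfOptionalHeader bytes
    sections = []
    for i in range(num_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", pe, table + i * 40)  # IMAGE_SECTION_HEADER is 40 bytes
        name, va, raw_size, raw_ptr, chars = hdr[0], hdr[2], hdr[3], hdr[4], hdr[9]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "chars": chars, "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return sections

def suspicious_sections(pe, entropy_threshold=7.0):
    """(name, reasons) for sections that look packed/encoded or are both writable and executable."""
    flagged = []
    for s in parse_sections(pe):
        rwx = s["chars"] & 0x80000000 and s["chars"] & 0x20000000  # IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
        reasons = (["high entropy"] if s["entropy"] >= entropy_threshold else []) + (["writable+executable"] if rwx else [])
        if reasons:
            flagged.append((s["name"], reasons))
    return flagged

def build_sample_pe(specs):
    """Constructed minimal PE (empty optional header) for testing; specs = [(name, data, characteristics)]."""
    ptr = 64 + 4 + 20 + 40 * len(specs)                    # raw data starts right after the section table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew at 0x3C points just past the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    for name, data, chars in specs:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 + ptr, len(data), ptr, 0, 0, 0, 0, chars)
        body, ptr = body + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + table + body

SAMPLE = build_sample_pe([(b".text", b"\x90" * 200 + b"\xc3", 0x60000020),   # constructed: ordinary code
                          (b".data", b"\0" * 64, 0xC0000040),                # ordinary data
                          (b".cloak", bytes(range(256)) * 4, 0xE0000020)])   # added high-entropy RWX section
```

Running `suspicious_sections(open(path, "rb").read())` on a real binary reports only the anomalous sections, so a clean build prints nothing and an encoded or added section stands out.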

7 responses to "AV Evasion using PeCloak.py on Kali Linux"

  1. Hi! I can write.. I have this: [!] ERROR: Could not save modified PE file. Check write permissions. But I have given all permissions to the folder and file (chmod 777). Can you help me?
