A little while ago, I came across a script by Mike Czumak of SecuritySift.
It was written as an experiment in AV evasion as part of Mike's OSCE course, but it has uses for defenders as well, such as being able to dump sections of a Windows PE file.
The script can be downloaded from SecuritySift. It has three requirements: pefile, pydasm and SectionDoubleP.
The script uses a modified version of Python's pefile, so if you have pefile installed, uninstall it first. After you have uninstalled it, modify the code as shown below:-
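For the defender-side use mentioned above, here is an added example (not part of the original post and not code from the script itself) that lists and dumps PE sections using only the Python standard library, so it does not depend on the modified pefile. The function names and the sample image are constructed for illustration; the writable-and-executable flag check is a common triage heuristic added here.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # flag values from the PE/COFF specification
IMAGE_SCN_MEM_WRITE = 0x80000000

def list_sections(data):
    """Parse the section table of a PE image; return one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for off in range(table, table + count * 40, 40):
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize,
            "wx": bool(flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE),
        })
    return sections

def dump_section(data, section):
    """Return the raw on-disk bytes of one section."""
    return data[section["raw_ptr"]:section["raw_ptr"] + section["raw_size"]]

def build_sample():
    """Constructed two-section PE skeleton for the demo (not a real binary)."""
    def header(name, vaddr, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 4, vaddr, 4, rptr, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    heads = header(b".text", 0x1000, 0x100, 0xE0000020) + header(b".data", 0x2000, 0x104, 0xC0000040)
    return (dos + coff + heads).ljust(0x100, b"\0") + b"\x90\x90\x90\xc3" + b"DATA"

if __name__ == "__main__":
    image = build_sample()
    for s in list_sections(image):
        note = "  <-- writable and executable" if s["wx"] else ""
        print("%-8s va=0x%x raw=%d bytes %r%s" % (
            s["name"], s["vaddr"], s["raw_size"], dump_section(image, s), note))
```

To inspect a file on disk, read it in binary mode and pass the bytes to `list_sections` in place of the constructed sample.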
Add lines 2222-2225
Add line 2254
Now change to the pefile directory and do the usual ‘python setup.py install’ to install the module as shown below:-
You should also bear in mind that the modified version may not be compatible with other tools using pefile.
Next we need pydasm, which is part of the libdasm project on googlecode. Download the zip file, extract it to a directory of your choice, change to the ‘libdasm-beta’ directory and run ‘python ./setup.py install’. The output should be similar to below.
Now browse to the SectionDoubleP git repository. Click on the ‘snapshot’ link, save the tar.gz archive to the same folder as pefile, and extract the SectionDoubleP.py file so that it is in the same folder as pecloak.py, as shown below.
Now to test if we can create a pecloaked file, first create a meterpreter binary and put it in the same directory, making sure it is writeable. Let’s try to cloak it.