UPX is easy to use, give it a try. Many AV products support UPX extraction;
some malware uses UPX and then purposely damages the header to bypass attempts
to detect and extract the real executable. These modalities may serve you
well.

Jim

On 19 March 2010 13:34, Brian Judd <[email protected]> wrote:

> Wow, you've had success with PEScrambler and Core's agent?  I've tried
> PEScrambler several times and it creates a new executable, but it doesn't
> work.  I am not familiar with UPX or the ability to use Metasploit's
> msfpayload with Core's agent.  Have you done this before?  Any tips or
> tricks that you could share?  I guess I will try PEScrambler again also.
>
> Brian Judd
> ------------------------------
>
> Message: 8
> Date: Thu, 18 Mar 2010 13:02:54 -0400
> From: Paul Asadoorian <[email protected]>
> Subject: Re: [Pauldotcom] Package/Scramble Core Impact Agents
> To: PaulDotCom Security Weekly Mailing List
>        <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Ah yes, pe-scrambler works really well too, I've used it with great
> success.
>
> If all else fails, a VBscript payload in a Word doc is effective.
>
> Cheers,
> Paul
>
> On 3/18/10 12:07 PM, Daniel Holiday wrote:
> > Would pescrambler work for this?
> >
> > http://www.rnicrosoft.net/
> >
> >
> >
> > On Thu, Mar 18, 2010 at 9:05 AM, Brian Judd <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     Does anyone know of a good packager/installer that can get a Core
> >     Impact agent past AV detection?  I used NSIS in the past, but it
> >     seems to be getting caught now.  Thanks!
> >
> >
> >
> >     Brian Judd
> >
> >     This message (including any attachments) may contain confidential
> >     information and is intended only for the individual to which it is
> >     addressed. If you are not the intended recipient, please delete this
> >     message and contact the sender. You are also hereby notified that
> >     any review, disclosure, copying, or distribution of this message, or
> >     the taking of any action based on it, is prohibited.
> >     _______________________________________________
> >     Pauldotcom mailing list
> >     [email protected]
> <mailto:[email protected]>
> >     http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >     Main Web Site: http://pauldotcom.com
> >
> >
> >
> >
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552
>
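The point Jim makes at the top of the thread, that a packed binary whose UPX header has been deliberately damaged defeats the automatic unpacking many AV engines rely on, is something a defender can check for directly. The example below is added here and is not code from the list or from any of the tools discussed: it parses the PE section table, looks for the UPX-style layout (a first section with no raw data but a large virtual size, the unpack destination) and the UPX0/UPX1 section names, and then checks whether the "UPX!" marker that `upx -d` needs is still present in the header area. An image with UPX indicators but no marker is flagged as a damaged-header candidate for manual unpacking. The test images are constructed byte strings, not real executables, and the assumption that the marker sits in the header area before the first section's raw data is how UPX normally lays it out; treat it as a heuristic, not a signature.

```python
import struct

# --- constructed test images (not real executables) -------------------------

def build_pe(section_names, upx_marker, first_raw_zero=True):
    """Build a minimal PE-like byte string with the given section names.

    first_raw_zero=True mimics the UPX layout: the first section has no raw
    data on disk but a large virtual size (the unpack destination).
    upx_marker=False simulates a packer header that was deliberately damaged.
    """
    e_lfanew = 0x80
    size_opt = 224                      # PE32 optional header size
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    coff = b"PE\x00\x00" + struct.pack(
        "<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)
    table = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if (i == 0 and first_raw_zero) else 0x3000
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name, 0x10000, 0x1000 * (i + 1),
                             raw_size, 0x400, 0, 0, 0, 0, 0xE0000040)
    # UPX writes its pack header (starting with "UPX!") into the header padding
    # right after the section table; a damaged header loses this marker.
    marker = (b"UPX!" if upx_marker else b"\x00\x00\x00\x00") + b"\x0d\x09\x02\x08"
    header = dos + coff + opt + table + marker
    return header + b"\x00" * (0x400 - len(header))


# --- detection logic --------------------------------------------------------

def parse_pe_sections(data):
    """Return (sections, header_end) or raise ValueError on a damaged header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing or e_lfanew damaged")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table_off = e_lfanew + 24 + size_opt
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, table_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00"), "vsize": vsize,
                         "rsize": rsize, "rptr": rptr})
    return sections, table_off + 40 * n_sections


def is_parseable(data):
    """True if the PE headers are intact enough to walk the section table."""
    try:
        parse_pe_sections(data)
        return True
    except ValueError:
        return False


def classify(data):
    """Classify a PE image by its UPX indicators.

    'upx-intact'              : UPX layout/names and the UPX! marker present
    'upx-like-damaged-header' : UPX layout or names, but the marker is gone
    'no-upx-indicators'       : nothing UPX-like in the section table
    """
    sections, header_end = parse_pe_sections(data)
    names = {s["name"] for s in sections}
    upx_names = bool(names & {b"UPX0", b"UPX1", b"UPX2"})
    # Packer layout: first section has no raw data but a large virtual size.
    packed_layout = (len(sections) >= 2 and sections[0]["rsize"] == 0
                     and sections[0]["vsize"] >= 0x1000)
    first_raw = min((s["rptr"] for s in sections if s["rptr"]), default=len(data))
    marker_present = b"UPX!" in data[header_end:first_raw]
    if not (upx_names or packed_layout):
        return "no-upx-indicators"
    if marker_present:
        return "upx-intact"
    return "upx-like-damaged-header"


if __name__ == "__main__":
    for label, img in [
        ("intact UPX", build_pe([b"UPX0", b"UPX1", b".rsrc"], True)),
        ("damaged marker", build_pe([b"UPX0", b"UPX1", b".rsrc"], False)),
        ("renamed sections", build_pe([b".text", b".data", b".rsrc"], False)),
        ("plain image", build_pe([b".text", b".data", b".rsrc"], False, False)),
    ]:
        print(f"{label:18s} -> {classify(img)}")
```

The useful outcome for triage is the middle category: an image that looks packed but that `upx -d` refuses to touch is exactly the case the thread describes, and it deserves a manual unpack or sandbox run rather than being treated as clean because the automatic unpacker reported "not packed".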