Payload to bypass G-DATA #16001
Replies: 2 comments 1 reply
-
Potentially, but without knowing more about what G-DATA is doing behind the scenes, it would be tough to tell. We do include some mechanisms to try to bypass AV within Metasploit under the If you're doing this professionally, it may be worthwhile looking into https://www.shellterproject.com/ which integrates with Metasploit Framework and is designed to help bypass AV, though this is a paid product that is unaffiliated with Rapid7, so we would not be able to provide any assistance with this. Otherwise you could always try standard tricks of patching the binary and making your code do a few AV evasion tricks and see if that works. There are plenty of papers on potential ideas, though, that might not be supported directly by tools, such as https://theevilbit.github.io/posts/divide_and_conquer/, that are also worth a try if you find the tools are still generating payloads that are getting detected.
-
@Huibuh2010 just keep adding and removing parts of the payload/stager until you pinpoint exactly which part is detected by the AV, e.g. start with just the template, then add in the payload, etc. You can then customise the part that is detected to avoid detection.
-
Hey Folks,
Is it possible to create a meterpreter payload with msfvenom or other payload generator to bypass G-DATA? If I disable G-DATA it works fine, but now I'll whether protection is easy or difficult to bypass.
Here is the screenshot from gdata console