1
00:00:00,210 --> 00:00:02,350
Hello everybody and welcome back.

2
00:00:02,460 --> 00:00:09,030
And right now what I want to show you is how you can actually bypass some of the antivirus with our

3
00:00:09,090 --> 00:00:10,720
reverse shell.

4
00:00:10,860 --> 00:00:12,510
Now let's see.

5
00:00:12,780 --> 00:00:19,020
Basically our backdoor that we coded, so go to your reverse shell directory.

6
00:00:19,080 --> 00:00:25,830
As you can see right here I've got my reverse shell .py. It is the same code that we used in

7
00:00:25,830 --> 00:00:29,200
the backdoor coding section as we can see right here.

8
00:00:29,280 --> 00:00:31,360
Everything is the same.

9
00:00:31,410 --> 00:00:34,380
We got all of our available options right here.

10
00:00:34,530 --> 00:00:39,230
Our shell function, reliable send and so on and so on.

11
00:00:39,540 --> 00:00:41,260
What we want to do right now.

12
00:00:41,310 --> 00:00:44,380
First of all let me tell you this thing.

13
00:00:45,060 --> 00:00:50,170
Basically adding functions to your reverse shell that actually do nothing.

14
00:00:50,280 --> 00:00:53,710
For example, I mean not that they literally don't do anything.

15
00:00:53,730 --> 00:01:02,160
They don't do anything useful for the reverse shell, functions such as adding numbers, such as multiplication,

16
00:01:02,160 --> 00:01:08,370
division and so on and so on, just basically some random functions here and there can help you actually

17
00:01:10,870 --> 00:01:15,180
prevent some of the antiviruses from detecting your reverse shell.

18
00:01:15,180 --> 00:01:17,650
Now you might be asking how does it do that.

19
00:01:17,650 --> 00:01:25,680
Well basically what antiviruses do is they simply compare the code to their database and if the code

20
00:01:25,680 --> 00:01:33,630
matches, or if the hash value matches to the virus in their database, they will detect it as a virus.
21
00:01:34,140 --> 00:01:39,430
But if you change the code a little bit, add some functions that don't do anything here and there,

22
00:01:39,470 --> 00:01:45,870
switch up the code, switch up some of the bytes, you have a good chance of bypassing most of the antiviruses,

23
00:01:45,870 --> 00:01:47,700
not the best ones.

24
00:01:47,700 --> 00:01:57,120
Of course it will be really hard to bypass such as Bitdefender. But at a certain point I created basically

25
00:01:57,920 --> 00:02:02,310
a backdoor that actually isn't detected by any antivirus.

26
00:02:02,310 --> 00:02:09,600
Then it started getting used and basically now like three out of 70 antiviruses detect it or something

27
00:02:09,600 --> 00:02:10,260
like that.

28
00:02:10,380 --> 00:02:14,970
It doesn't even matter, it is still a really small number. If you create a backdoor that is actually

29
00:02:14,970 --> 00:02:22,050
only detected by three out of 70 antiviruses you have a good chance at bypassing most of the target

30
00:02:22,110 --> 00:02:23,040
systems.

31
00:02:23,040 --> 00:02:30,270
So if you want to you can just add simple functions that don't do anything right here or basically anywhere

32
00:02:30,270 --> 00:02:33,800
else and you can use them somewhere in your programs.

33
00:02:33,810 --> 00:02:36,730
The good example will be this function right here.

34
00:02:36,750 --> 00:02:41,640
So this is a function that doesn't have anything to do with our program, I just set it there.

35
00:02:41,730 --> 00:02:44,360
It can be useful to bypass some of the antiviruses.

36
00:02:44,640 --> 00:02:47,350
So that is one thing you can do.

37
00:02:47,430 --> 00:02:51,280
Another thing you can do is first of all compile the program.

38
00:02:51,270 --> 00:03:02,580
So we use wine, root, dot wine, drive c, python, scripts, pyinstaller and then you use the reverse

39
00:03:02,580 --> 00:03:05,980
shell .py, no console.

40
00:03:06,280 --> 00:03:09,330
And what was the other option.
41
00:03:09,330 --> 00:03:10,330
I forgot.

42
00:03:10,360 --> 00:03:20,670
So no console and one file. You compile the program and then you open the .exe version of the file,

43
00:03:20,670 --> 00:03:25,730
or basically your backdoor, into the hex editor and you try to switch as many bytes as you can without

44
00:03:25,730 --> 00:03:29,770
actually making the reverse shell not work.

45
00:03:29,780 --> 00:03:37,490
So basically I will show you right now as soon as this compiles right here, it is compiling currently.

46
00:03:37,490 --> 00:03:43,870
Then we will open our backdoor in the hex editor and we will actually try to switch some of the values.

47
00:03:44,070 --> 00:03:51,770
So right here if I go to this directory where my reverse shell .exe is and I simply just open

48
00:03:51,770 --> 00:03:53,360
it in the hex editor.

49
00:03:54,260 --> 00:03:57,420
So hex editor and then reverse shell .exe.

50
00:03:57,470 --> 00:04:02,850
This is the command that you have to specify in order to open it in the hex editor. So click enter

51
00:04:03,290 --> 00:04:04,560
and right here.

52
00:04:04,850 --> 00:04:09,120
We get our file basically in the bytes.

53
00:04:09,170 --> 00:04:14,570
So here we have the hexadecimal values of all of our instructions.

54
00:04:14,600 --> 00:04:19,570
Most of these functions are basically in assembly.

55
00:04:19,570 --> 00:04:23,520
So for example let me just find it right here.

56
00:04:23,540 --> 00:04:26,030
This is a simple, easy structure right here.

57
00:04:26,030 --> 00:04:30,310
Every .exe file that is running on Windows will have the string right here.

58
00:04:30,320 --> 00:04:36,800
This is the most common string to actually change in all the viruses in order to bypass some of the anti-

59
00:04:36,800 --> 00:04:37,370
viruses.
60
00:04:38,120 --> 00:04:44,180
But it is so known that I don't even think it works anymore, since everyone who actually watches any

61
00:04:44,180 --> 00:04:51,800
videos knows that in order to actually change some values they can change this value and the

62
00:04:51,920 --> 00:04:58,900
actual binary of the .exe file will be different than the one in the database.

63
00:04:59,150 --> 00:05:01,070
So you can start out by actually changing this.

64
00:05:01,070 --> 00:05:06,560
So make sure you're at the same line, because if you actually switch a byte that you shouldn't have

65
00:05:06,560 --> 00:05:09,740
switched, your entire program will not work.

66
00:05:09,740 --> 00:05:17,090
So make sure that you are in the same line. I believe I am in the same line, same one line lower, so I

67
00:05:17,090 --> 00:05:21,940
can go just at this byte, this byte 54, I believe it is 40.

68
00:05:22,430 --> 00:05:27,510
So if I change it, as you can see you can only use a b c d e f and numbers 139.

69
00:05:27,560 --> 00:05:35,020
So you can just spam all the numbers until you actually change the entire string.

70
00:05:35,030 --> 00:05:40,460
So oops, I went to the one right here.

71
00:05:40,460 --> 00:05:42,350
I just want to go back right here.

72
00:05:44,180 --> 00:05:46,240
Let me just find out how I can exit this.

73
00:05:46,250 --> 00:05:48,900
So right here.

74
00:05:49,110 --> 00:05:49,430
OK.

75
00:05:49,450 --> 00:05:51,890
So you just continue to change this.

76
00:05:51,910 --> 00:05:59,910
So change it to anything you actually want and then make sure to change the lower part as well, so

77
00:06:02,790 --> 00:06:09,170
just spam random numbers and letters and then in DOS mode.

78
00:06:09,300 --> 00:06:13,980
Make sure to stop at E and you successfully switched the
79
00:06:14,310 --> 00:06:21,410
"This program cannot be run in DOS mode" string with the random bytes, but this is not the only thing

80
00:06:21,410 --> 00:06:24,200
that you can actually change.

81
00:06:24,200 --> 00:06:26,420
There are other strings here as well.

82
00:06:26,450 --> 00:06:31,950
This part right here cannot be changed, so don't change b e d text right here.

83
00:06:31,970 --> 00:06:36,490
You can't change it, so you can go down here and let me just find the line.

84
00:06:36,980 --> 00:06:41,860
Not really sure if it is this one, five five.

85
00:06:42,060 --> 00:06:48,390
It is this one, so OK, you just go right here, make sure to skip the first byte and start from here. As

86
00:06:48,390 --> 00:06:53,980
we can see I changed the TS successfully just by typing here. I can also change this.

87
00:06:54,030 --> 00:07:02,580
This basically C 1 2 and d is the last digit or part of my last string.

88
00:07:02,580 --> 00:07:05,770
You can change, so we also change the text part.

89
00:07:05,910 --> 00:07:13,940
Let us go down here, also change the data part, so just find data right here.

90
00:07:13,990 --> 00:07:15,220
Let me just find it.

91
00:07:17,010 --> 00:07:22,740
This line I believe, or the upper line, it is this one, go to the data

92
00:07:25,810 --> 00:07:27,660
or it is actually this one, let me just check it.

93
00:07:27,680 --> 00:07:34,250
OK so here is the data, again change it, make sure to not pass the last letter.

94
00:07:34,250 --> 00:07:39,500
So this is about it and you change a few strings right here.

95
00:07:39,500 --> 00:07:45,220
Make sure to not change this part of the code since we do not know what it is. We changed a few strings,

96
00:07:45,230 --> 00:07:47,060
so these two strings we changed.

97
00:07:47,060 --> 00:07:51,480
We also changed this part right here and we are good to go.

98
00:07:51,480 --> 00:07:56,710
Right now you can actually control how to save this fundamental right legal shell and then exit.
99
00:07:56,750 --> 00:08:02,690
And now let us plug in our USB drive in order to see if we correctly changed the hex values of some

100
00:08:02,690 --> 00:08:06,450
bytes and see if it will still be able to run.

101
00:08:06,560 --> 00:08:11,720
Now if it doesn't, if it can't find, if it prints out some error, that means we actually changed a byte

102
00:08:11,750 --> 00:08:15,350
in our hex editor that we shouldn't have changed.

103
00:08:15,350 --> 00:08:24,900
So let's see, mv reverse shell to the media root and then Kali live. Now we can actually delete all of

104
00:08:24,900 --> 00:08:29,370
this, so clips.

105
00:08:29,870 --> 00:08:34,990
We'll see what else do we need to delete. We can delete the desktop to extend the screenshot.

106
00:08:35,190 --> 00:08:37,060
And right now we can run our server.

107
00:08:37,450 --> 00:08:41,930
Let us unplug the USB drive.

108
00:08:42,570 --> 00:08:46,600
Now let us right now try to run our reverse shell,

109
00:08:50,560 --> 00:08:53,170
so go right here, find your reverse shell.

110
00:08:53,170 --> 00:09:01,410
Here it is and then I run it right here. As we can see it didn't print out any error, so it means that this

111
00:09:01,500 --> 00:09:07,530
actually works. If we get the shell back it works 100 percent, since we didn't get any error and we are

112
00:09:07,530 --> 00:09:15,250
able to execute commands on target PC. So with this that you actually did with the hex editor and

113
00:09:15,250 --> 00:09:18,100
with adding some of the functions that make no sense,

114
00:09:18,160 --> 00:09:20,700
basically you can bypass most of the antiviruses.

115
00:09:20,710 --> 00:09:27,390
So for example if you just type your code in my ipconfig you can see we have a working shell.

116
00:09:27,730 --> 00:09:32,830
We changed bytes, but make sure to only change the bytes that are actually a string.

117
00:09:33,250 --> 00:09:36,880
If you change the bytes that actually run the code it will not work.
118
00:09:37,060 --> 00:09:43,390
So that will be about it for the bypassing some of the antiviruses. Now the more you use this and the

119
00:09:43,390 --> 00:09:48,310
more people actually use this backdoor, it will get uploaded on VirusTotal and once you get it

120
00:09:48,310 --> 00:09:53,960
uploaded on VirusTotal, basically this shell will also be flagged as a virus by a...

121
00:09:54,070 --> 00:09:58,730
by any antivirus company, so make sure to always switch it up.

122
00:09:58,730 --> 00:10:00,970
Change some functions, change.

123
00:10:01,010 --> 00:10:03,180
Different code basically.

124
00:10:03,690 --> 00:10:06,010
That will get you the best results you can.

125
00:10:06,530 --> 00:10:13,520
Now also one thing, the PyInstaller library in Python is also flagged by most of the antiviruses,

126
00:10:13,550 --> 00:10:14,500
but not by most.

127
00:10:14,500 --> 00:10:18,350
But like Bitdefender flags PyInstaller as a virus.

128
00:10:18,350 --> 00:10:21,970
Basically if you were to, for example, create a simple program.

129
00:10:22,070 --> 00:10:23,030
So let me show you.

130
00:10:23,960 --> 00:10:33,700
If I just open my Bitdefender, it put my Bitdefender to run, as we can see right now it is "your

131
00:10:33,700 --> 00:10:37,510
device is not the base fed, to activate protection please retry".

132
00:10:37,750 --> 00:10:39,340
OK so your device is now protected.

133
00:10:39,340 --> 00:10:40,260
Not really sure about that.

134
00:10:40,260 --> 00:10:49,360
There was no, let me show you, if I nano, if we nano actually test .py, usr bin python and

135
00:10:49,360 --> 00:11:01,200
we just print, let's print Hello World, we just print this, which obviously this isn't a virus.

136
00:11:01,210 --> 00:11:07,100
But the Bitdefender antivirus will actually flag it as a virus just because it used PyInstaller, the

137
00:11:07,250 --> 00:11:10,000
PyInstaller, in order to compile.
138
00:11:10,000 --> 00:11:18,130
Now it is only, I believe, Bitdefender and F-Secure, all the other antiviruses will not flag this program

139
00:11:18,160 --> 00:11:20,460
as a virus, so you will be good to go.

140
00:11:20,530 --> 00:11:26,870
In any case that target has anything except Bitdefender and I believe AV Secure or something like that.

141
00:11:26,890 --> 00:11:31,990
So let us see if this will actually get flagged as an antivirus, as a virus.

142
00:11:31,990 --> 00:11:33,290
Pardon me.

143
00:11:33,340 --> 00:11:37,340
So we find the command for the compilation.

144
00:11:37,810 --> 00:11:46,600
We just find it right here and we compile it, test .py like so. Let's let this compile, shouldn't take

145
00:11:46,600 --> 00:11:47,290
too long.

146
00:11:47,770 --> 00:11:50,890
Basically our program is a single line that will print Hello World

147
00:11:53,710 --> 00:11:57,840
and right now if we plug in our USB drive once again.

148
00:11:57,840 --> 00:11:59,070
Copy the file to there,

149
00:12:05,070 --> 00:12:10,750
now we go to the test, mv test .exe to media

150
00:12:10,770 --> 00:12:17,060
root and Kali live, unplug this.

151
00:12:17,420 --> 00:12:19,160
We don't have to run anything right here.

152
00:12:19,160 --> 00:12:23,260
We only need to print the products of our.

153
00:12:24,290 --> 00:12:28,010
Let me just find it, where it is not.

154
00:12:28,020 --> 00:12:28,700
This

155
00:12:31,540 --> 00:12:33,900
our main defender, or it's right here, is running.

156
00:12:33,900 --> 00:12:35,000
So let us run.

157
00:12:35,070 --> 00:12:41,250
Right now test .exe: Windows cannot access the specified device, path or file.

158
00:12:41,280 --> 00:12:44,310
You may not have the appropriate permission to access the item.
159
00:12:44,310 --> 00:12:49,530
Which basically means it already deleted the item because it's likely that the app is a virus, as you

160
00:12:49,530 --> 00:12:56,250
will see soon enough. I believe right here it'll pop up "threat blocked" or something like that.

161
00:12:56,310 --> 00:12:58,440
So let us see how long that will take.

162
00:12:58,440 --> 00:13:04,200
It should basically show us any second that it actually deleted that file. As we can see if we try

163
00:13:04,200 --> 00:13:04,900
to run this.

164
00:13:04,920 --> 00:13:06,000
We cannot run it,

165
00:13:08,860 --> 00:13:11,610
just close this, close this as well

166
00:13:16,800 --> 00:13:23,830
and here it is: on access, item was deleted, threat name test .exe. So PyInstaller basically gets

167
00:13:23,830 --> 00:13:30,550
flagged as an app, as a virus. Basically anything you code will be flagged as a virus if compiled

168
00:13:30,550 --> 00:13:31,340
with PyInstaller.

169
00:13:31,600 --> 00:13:37,060
If he was a defender or secure, so that would be about it for this video.

170
00:13:37,060 --> 00:13:40,480
I hope you enjoyed it and I will see you in the next one.

171
00:13:40,580 --> 00:13:40,870
Bye.