Thursday, October 13, 2022

UUID-Shellcode – Another shellcode injection technique using C++ that attempts to bypass Windows Defender using XOR encryption sorcery and UUID strings insanity




Introduction

Another shellcode injection technique using C++ that attempts to bypass Windows Defender using XOR encryption sorcery and UUID strings insanity :).

Shellcode generation

  • Firstly, generate a payload in binary format (using either CobaltStrike or msfvenom). For instance, in msfvenom you can do it like so (the payload I am using is for illustration purposes; you can use whatever payload you want):

    msfvenom -p windows/messagebox -f raw -o shellcode.bin
  • Then convert the shellcode (in binary/raw format) into a UUID string format using the Python3 script, bin_to_uuid.py:

    ./bin_to_uuid.py -p shellcode.bin > uuid.txt
  • XOR-encrypt the UUID strings in uuid.txt using the Python3 script, xor_encryptor.py:

    ./xor_encryptor.py uuid.txt > xor_crypted_out.txt
  • Copy the C-style array in the file xor_crypted_out.txt and paste it into the C++ file as an array of unsigned char, i.e. unsigned char payload[]{your_output_from_xor_crypted_out.txt}

Execution

This shellcode injection technique involves the following steps:

  • First things first, it allocates virtual memory for payload execution and residence via VirtualAlloc
  • It XOR-decrypts the payload using the XOR key value
  • Uses UuidFromStringA to convert the UUID strings into their binary representation and store them in the previously allocated memory. This is used to avoid the usage of suspicious APIs like WriteProcessMemory or memcpy.
  • Uses EnumChildWindows to execute the payload previously loaded into memory (in step 1)
  • You have to change the XOR key (row 86) to what you wish. This can be done in the ./xor_encryptor.py Python3 script by changing the KEY variable.
  • You have to change the default executable filename value (row 90) to your filename.
  • The command for compiling is provided in the C++ file (around the top). NB: mingw was used, but you can use whichever compiler you prefer. 🙂
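Seen from the analyst's side, the interesting detail in the steps above is that UuidFromStringA does not write the hex digits in the order they appear: the first three UUID fields land in memory little-endian. The following is an added example (not the project's code) that reproduces that byte layout when recovering an extracted payload[] array, and adds a triage heuristic that flags source or binaries carrying long runs of back-to-back UUID literals. The XOR key, the sample strings and the fake C source are all constructed for the demo.

```python
import re
import uuid

# Matches the textual 8-4-4-4-12 UUID form that bin_to_uuid.py-style encoders emit.
UUID_RE = re.compile(rb"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

def xor_decrypt(data: bytes, key: int) -> bytes:
    """Undo a single-byte XOR. The key is an assumed parameter: in a real sample it is
    read from the loader (the page's KEY variable), never guessed."""
    return bytes(b ^ (key & 0xFF) for b in data)

def uuid_strings_to_bytes(text: bytes) -> bytes:
    """Reproduce what UuidFromStringA writes for every UUID string in `text`: Data1 (4 bytes),
    Data2 and Data3 (2 bytes each) little-endian, Data4 (8 bytes) as-is. That is exactly
    UUID.bytes_le; using .bytes instead silently scrambles the first 8 bytes of each block."""
    out = bytearray()
    for m in UUID_RE.finditer(text):
        out += uuid.UUID(m.group().decode("ascii")).bytes_le
    return bytes(out)

def recover_payload(blob: bytes, key: int) -> bytes:
    """Analyst path for an extracted payload[] array: XOR-decrypt, then apply the UUID conversion."""
    return uuid_strings_to_bytes(xor_decrypt(blob, key))

def find_uuid_runs(blob: bytes, min_run: int = 8, max_gap: int = 8) -> list:
    """Triage heuristic: (offset, count) of runs of UUID strings separated by at most `max_gap`
    bytes (quotes, commas, whitespace). Ordinary code rarely carries dozens of back-to-back
    UUID literals; a loader of this kind does."""
    runs, start, count, last_end = [], 0, 0, None
    for m in UUID_RE.finditer(blob):
        if last_end is not None and m.start() - last_end <= max_gap:
            count += 1
        else:
            if count >= min_run:
                runs.append((start, count))
            start, count = m.start(), 1
        last_end = m.end()
    if count >= min_run:
        runs.append((start, count))
    return runs

# Constructed, inert sample input (sequential bytes, not shellcode): two decrypted UUID strings, a demo key, and a fake C source with ten back-to-back UUID literals.
SAMPLE = b'"00010203-0405-0607-0809-0a0b0c0d0e0f", "10111213-1415-1617-1819-1a1b1c1d1e1f"'
DEMO_KEY = 0x35
SOURCE = b'char *s[] = {' + b",".join(b'"' + str(uuid.UUID(int=i)).encode() + b'"' for i in range(10)) + b"};"

if __name__ == "__main__":
    encrypted = xor_decrypt(SAMPLE, DEMO_KEY)  # XOR is symmetric, so this builds the demo input
    print(recover_payload(encrypted, DEMO_KEY).hex())  # starts 0302010005040706...
    print(find_uuid_runs(SOURCE))  # [(14, 10)]
```

Note that the recovered bytes start 03 02 01 00 rather than 00 01 02 03; an extractor that uses the plain hex order will produce a payload that disassembles wrongly every 16 bytes.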

Compile

The binary was scanned using antiscan.me on 01/08/2022.

https://analysis.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/


