Introduction
One other shellcode injection method utilizing C++ that makes an attempt to bypass Home windows Defender utilizing XOR encryption sorcery and UUID strings insanity :).
Shellcode era
-
Firstly, generate a payload in binary format( utilizing both
CobaltStrikeormsfvenom) as an example, inmsfvenom, you are able to do it like so( the payload I am utilizing is for illustration functions, you need to use no matter payload you need ):msfvenom -p home windows/messagebox -f uncooked -o shellcode.bin -
Then convert the shellcode( in binary/uncooked format ) right into a
UUIDstring format utilizing the Python3 script,bin_to_uuid.py:./bin_to_uuid.py -p shellcode.bin > uuid.txt -
xorencrypt theUUIDstrings within theuuid.txtutilizing the Python3 script,xor_encryptor.py../xor_encryptor.py uuid.txt > xor_crypted_out.txt -
Copy the
C-stylearray within the file,xor_crypted_out.txt, and paste it within the C++ file as an array ofunsigned chari.e.unsigned char payload[]{your_output_from_xor_crypted_out.txt}
Execution
This shellcode injection method includes the next subsequent steps:
- First issues first, it allocates digital reminiscence for payload execution and residence through
VirtualAlloc - It
xordecrypts the payload utilizing thexorkey worth - Makes use of
UuidFromStringAto transformUUIDstrings into their binary illustration and retailer them within the beforehand allotted reminiscence. That is used to keep away from the utilization of suspicious APIs likeWriteProcessMemoryormemcpy. - Use
EnumChildWindowsto execute the payload beforehand loaded into reminiscence( in step 1 )
- It does not use normal features like
memcpyorWriteProcessMemorythat are identified to boost alarms to AVs/EDRs, this program makes use of the Home windows API operate referred to asUuidFromStringAwhich can be utilized to decode knowledge in addition to write it to reminiscence( Is not that nice people? And please do not say “NO!” 🙂 ). - It makes use of the operate name obfuscation trick to name the Home windows API features
- Lastly, as a result of it seems distinctive 🙂 ( Is not it? 🙂 )
- It’s a must to change the
xorkey(row 86) to what you would like. This may be accomplished within the./xor_encryptor.pypython3 script by altering theKEYvariable. - It’s a must to change the default
executable filenameworth(row 90) to your filename. - The command for compiling is offered within the C++ file( across the prime ). NB:
mingwwas used however you need to use whichever compiler you favor. 🙂
Compile
The binary was scanned utilizing antiscan.me on 01/08/2022.
https://analysis.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
