CheckHooks N Load

A Windows stager-cum-PE loader with a capability for dynamically evading EDR hooks, FUD to date (03/03/23): the operator first learns which underlying functions are hooked and then crafts the implant based on that condition.

Project README

:exclamation: Another small personal project/POC from my side. Completely free and open source. Does not belong to my company's assets!

BTW, a strong update of this tool will come from my side as soon as I get hold of the free trial version of CrowdStrike Falcon :wink:

Main idea: dynamic evasion

A Windows stager-cum-PE loader focused on dynamically evading EDR hooks, and FUD (according to antiscan.me) to date (03/03/23): the operator first learns which underlying functions are hooked, then crafts the implant based on that condition and loads it in memory using this PE loader.

[image]

Actually, this image is what made me do this project. (Thanks to @matterpreter)

1. First dump the hooked functions, then wait for user input => the name of the implant to download from the remote server.

2. Once the implant is ready (it does not use any of the hooked functions dumped previously), it is hosted on the payload server and its name is entered as the implant name in this PE loader.

3. Obfuscation methods: much, much thanks to @peterwintrsmith for all these suggestions! :smile:


  • Uncomment Method 1 and comment out Methods 2 and 3

i. The implant header then needs to be edited with any hex editor; in my case I changed MZ to ÉZ and downloaded the file from the website in that state. This is done only to trick the EDR into thinking the downloaded binary is not a PE binary.

Editing Demon.exe (HavocC2 bin): [image]

Before using this PE header editing technique: [image]

After using this PE header editing technique: [image]

  1. BitDefender static scan:

[image]

  2. BitDefender dynamic scan:

https://user-images.githubusercontent.com/61424547/219202618-6fcc9a3c-63df-4745-8ac9-cd1351ec87da.mp4

Video Link: https://drive.google.com/file/d/1Y7MqPWR13fY0WqNGUTXPgYVbiMy-j41d/view?usp=sharing


  • Uncomment Method 2 and comment out Methods 1 and 3

Update!

ii. Added an obfuscator C# script which appends a PNG header at the start of the demon binary:

$ cd obfuscator
$ compile_cs.bat
$ .\append_png_header.exe

  1. BitDefender static scan:

[image]

  2. BitDefender dynamic scan:

https://user-images.githubusercontent.com/61424547/222496578-646add0a-3672-4784-be3b-f9a5b6be95e4.mp4

  3. Add CrowdStrike screenshot:
  • Will be doing it as soon as I get hold of it; I have told a friend of mine.
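Seen from the detection side, both disguises above (an edited DOS magic and a prepended PNG signature) leave the PE signature at e_lfanew intact, which is exactly what a download scanner or file-type check can key on. The following Python is an added example, not part of this project; the sample blob is constructed and the 0xC9 byte stands in for the "É" edit.

```python
"""Classify a downloaded blob as a clean PE, a PE with a tampered DOS magic,
or a PE hidden behind a prepended PNG signature (added example, constructed data)."""
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _looks_like_pe(data: bytes, base: int) -> bool:
    """True if a DOS header at `base` points (via e_lfanew at +0x3C) to 'PE\\0\\0'.
    The DOS magic itself is deliberately NOT required, so an edited 'MZ' still matches."""
    if len(data) < base + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    off = base + e_lfanew
    # Sane e_lfanew: past the DOS header, not absurdly far away.
    return 0x40 <= e_lfanew < 0x1000 and data[off:off + 4] == b"PE\0\0"


def find_pe(data: bytes, start: int = 0):
    """Offset of an embedded PE image at or after `start`, else None.
    Checks `start` itself first (a header simply prepended to an intact PE),
    then every 'MZ' occurrence."""
    if _looks_like_pe(data, start):
        return start
    pos = data.find(b"MZ", start)
    while pos != -1:
        if _looks_like_pe(data, pos):
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def classify_blob(data: bytes) -> str:
    """One of: 'pe', 'pe_tampered_magic', 'png_prefixed_pe', 'png', 'unknown'."""
    if data.startswith(PNG_SIG):
        return "png_prefixed_pe" if find_pe(data, len(PNG_SIG)) is not None else "png"
    if _looks_like_pe(data, 0):
        return "pe" if data[:2] == b"MZ" else "pe_tampered_magic"
    return "unknown"


def make_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header with e_lfanew=0x80,
    then 'PE\\0\\0' and a stub COFF header. Not a runnable binary."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    return bytes(dos) + coff + b"\0" * 64
```

Run the classifier over files at the download boundary (proxy, mail gateway, sandbox) rather than trusting the first two bytes alone.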

  • Uncomment Method 3 and comment out Methods 1 and 2

Update again!

iii. Added another obfuscator, a Python script this time (not C#: my experience doing AES encryption in C# was pretty crappy! :angry:, it took a lot of time), which encrypts the demon binary with C:\WINDOWS\system32 as the key (thanks to @D1rkMtr for the AES encryption template!):

$ cd obfuscator
$ python3 aes.py demon.exe
$ ls
aes.py demon.exe implant.bin

Required Python libs: hashlib, pycryptodome and pycryptodomex

Tried out execution guardrails: environmental keying using GetSystemDirectoryA() in the main implant, so that:

i. We don't need to hardcode a password.
ii. We don't need to download the key at runtime.
iii. No special initial recon is needed to learn any artifact unique to the victim machine before this implant executes. Moreover, in a phishing scenario we know nothing except the mail addresses of the target organization's employees.
iv. It automatically retrieves the string C:\WINDOWS\system32 via GetSystemDirectoryA() at runtime (every x64 install has this folder, so no problem there) and uses it as the key to decrypt the AES-encrypted stage2 PE binary.

  1. BitDefender static scan:

[image]

  2. BitDefender dynamic scan:
  • I was facing an issue here:
  • I saw that:
    1. On my Windows host, my C++ implant retrieves "C:\WINDOWS\system32" via GetSystemDirectoryA()
    2. But in my Windows VM, my C++ implant retrieves "C:\Windows\system32" via GetSystemDirectoryA()
    3. Fix: convert the whole string to uppercase after retrieving it, to avoid the mismatch 👍

https://user-images.githubusercontent.com/61424547/222793675-5f4f511c-e760-49b9-ac16-c66875cfa05d.mp4

  3. Add CrowdStrike screenshot:
  • Will be doing it as soon as I get hold of it; I have told a friend of mine.

To remove false-positive hooks (all of them, not just Nt/Zw) => refer to this repo: RemoveFalsePositives.


Internal findings:

  1. Bypassing Get-InjectedThread.ps1 by @jaredcatkinson:

I used EnumThreadWindows, not CreateRemoteThread, to run the shellcode version of ntdll in memory!

[image]

  2. Bypassing DefenderCheck by @matterpreter:

[image]

  3. AntiScan.me scan:

[image]

  4. Capa scan:

[image]

  5. Moneta scan:

[image]

  6. Pe-sieve scan:
PS C:\Users\HP\Desktop\Tools\DefenseTools> .\pe-sieve64.exe /pid 18164 /shellc /data 3
PID: 18164
Output filter: no filter: dump everything (default)
Dump mode: autodetect (default)
[-] Could not set debug privilege
[*] Using raw process!
[*] Scanning: C:\Users\HP\Desktop\Windows\MaldevTechniques\3.Evasions\CheckHook_PELoader\checkHooks-n-load.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\winhttp.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\imm32.dll
[*] Scanning: C:\Windows\System32\ws2_32.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\webio.dll
[*] Scanning: C:\Windows\System32\mswsock.dll
[*] Scanning: C:\Windows\System32\IPHLPAPI.DLL
[*] Scanning: C:\Windows\System32\winnsi.dll
[*] Scanning: C:\Windows\System32\nsi.dll
[*] Scanning: C:\Windows\System32\sspicli.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\mscoree.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\shell32.dll
[*] Scanning: C:\Windows\System32\cryptsp.dll
[*] Scanning: C:\Windows\System32\wkscli.dll
[*] Scanning: C:\Windows\System32\netapi32.dll
[*] Scanning: C:\Windows\System32\samcli.dll
[*] Scanning: C:\Windows\System32\srvcli.dll
[*] Scanning: C:\Windows\System32\netutils.dll
[*] Scanning: C:\Windows\System32\dhcpcsvc.dll
[*] Scanning: C:\Windows\System32\schannel.dll
[*] Scanning: C:\Windows\System32\mskeyprotect.dll
[*] Scanning: C:\Windows\System32\ntasn1.dll
[*] Scanning: C:\Windows\System32\ncrypt.dll
[*] Scanning: C:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\ncryptsslp.dll
[*] Scanning: C:\Windows\System32\bcryptprimitives.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\System32\rsaenh.dll
[*] Scanning: C:\Windows\System32\CRYPTBASE.dll
[*] Scanning: C:\Windows\System32\gpapi.dll
[*] Scanning: C:\Windows\System32\dpapi.dll
Scanning workingset: 298 memory regions.
[!] Scanning detached: 00007FF770A10000 : C:\Users\HP\Desktop\Windows\MaldevTechniques\3.Evasions\CheckHook_PELoader\checkHooks-n-load.exe
[-] Could not read the remote PE at: 00007FF770A10000
[*] Workingset scanned in 985 ms
[+] Report dumped to: process_18164
[!] Image size at: 7ff770a10000 undetermined, using calculated size: 2f000
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\7ff770a10000.checkHooks-n-load.exe as VIRTUAL
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\7ffe237e0000.kernel32.dll as REALIGNED
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\140000000.exe as REALIGNED
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\29883e50000.shc as VIRTUAL
[+] Dumped modified to: process_18164
[+] Report dumped to: process_18164
---
PID: 18164
---
SUMMARY:

Total scanned:      46
Skipped:            0
-
-Hooked:             1
Replaced:           0
Hdrs Modified:      0
IAT Hooks:          0
-Implanted:          2
-Implanted PE:       2
Implanted shc:      0
Unreachable files:  0
-Other:              1
-
-Total suspicious:   4
---

Resources:

  1. @peterwintrsmith and @Jean_Maes_1994, as always, helping and guiding me! :smile:
  2. https://stackoverflow.com/questions/38672719/post-request-in-winhttp-c
  3. https://github.com/aaaddress1/RunPE-In-Memory
  4. detecting-hooked-syscall-functions by @spotheplanet
  5. posts.specterops.io by @matterpreter
  6. @SEKTOR7net as always for his Evasion Course!
Open Source Agenda is not affiliated with "CheckHooks N Load" Project. README Source: reveng007/CheckHooks-n-load
Stars: 110 | Open Issues: 0 | Last Commit: 1 year ago | License: MIT
