A Windows stager-cum-PELoader with a focus on dynamically evading EDR hooks, as well as FUD (according to antiscan.me) till now (03/03/23), for when the operator wants to know the underlying function hooks, craft the implant based on that condition, and load it in-memory using this PELoader. :wink:

(image: CrowdStrike Falcon)
Actually, this image is what made me do this project. (Thanks to @matterpreter)
Editing the PE header: MZ is changed to ÉZ, and the binary is then downloaded from the website in that state. This is done just to trick the EDR into thinking the downloaded binary is not a PE binary at all. Editing Demon.exe (HavocC2 bin):

Before the usage of this PE header editing technique:

After the usage of this PE header editing technique:
Video Link: https://drive.google.com/file/d/1Y7MqPWR13fY0WqNGUTXPgYVbiMy-j41d/view?usp=sharing
Appending a png header at the start of the demon binary:

```
$ cd obfuscator
$ compile_cs.bat
$ .\append_png_header.exe
```
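As an added defensive example (this is not code from the CheckHook_PELoader project), here is a small Python triage routine for the two tricks above: it locates PE images by validating e_lfanew against a real PE signature instead of trusting the leading MZ bytes, so a file whose DOS magic was altered, or that has a PNG header in front of it, is still recognised as a PE. All sample bytes are constructed inside the block; the byte used to overwrite the DOS magic is arbitrary.

```python
"""Added triage example (not part of the CheckHook_PELoader project): spot a PE
image whose DOS signature has been altered, or that hides behind a PNG header,
by trusting e_lfanew and the PE signature instead of the 'MZ' bytes."""
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_SIG = b"PE\x00\x00"
DOS_MAGIC = b"MZ"
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
MAX_LFANEW = 0x1000  # how far in front of a PE signature a DOS header is sought


def find_pe_candidates(blob: bytes) -> list:
    """Return every PE image whose DOS header points at a plausible PE
    signature. The DOS magic is read but never required to be 'MZ'."""
    hits = []
    search = 0
    while True:
        pe_off = blob.find(PE_SIG, search)
        if pe_off < 0:
            break
        search = pe_off + 1
        # need 4 (signature) + 20 (COFF header) + 2 (optional header magic) bytes
        if pe_off + 26 > len(blob):
            continue
        opt_magic = struct.unpack_from("<H", blob, pe_off + 24)[0]
        if opt_magic not in OPT_MAGICS:
            continue  # 'PE\0\0' that merely occurs in data
        # A DOS header at `base` must satisfy base + e_lfanew == pe_off.
        for base in range(max(0, pe_off - MAX_LFANEW), pe_off - 0x3F):
            if struct.unpack_from("<I", blob, base + 0x3C)[0] == pe_off - base:
                hits.append({
                    "base": base,
                    "pe_offset": pe_off,
                    "dos_magic": bytes(blob[base:base + 2]),
                    "dos_magic_intact": blob[base:base + 2] == DOS_MAGIC,
                    "format": OPT_MAGICS[opt_magic],
                    "machine": struct.unpack_from("<H", blob, pe_off + 4)[0],
                })
                break
    return hits


def triage(blob: bytes) -> list:
    """Human-readable findings for one file's bytes; an empty list means the
    file is either an ordinary PE starting at offset 0 or contains no PE."""
    findings = []
    pes = find_pe_candidates(blob)
    if blob.startswith(PNG_MAGIC) and pes:
        findings.append("PE image embedded behind a PNG header")
    for h in pes:
        where = f"{h['format']} (machine {h['machine']:#06x}) at offset {h['base']:#x}"
        if not h["dos_magic_intact"]:
            findings.append(f"{where}: DOS magic is {h['dos_magic']!r}, not b'MZ'")
        elif h["base"] != 0:
            findings.append(f"{where}: PE does not start at offset 0")
    return findings


def build_minimal_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for a real executable: DOS header, PE signature,
    x64 COFF header and the PE32+ optional-header magic. Not loadable."""
    dos = bytearray(0x40)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # 20 bytes
    return (bytes(dos).ljust(e_lfanew, b"\x00") + PE_SIG + coff
            + struct.pack("<H", 0x20B) + b"\x00" * 0x100)


if __name__ == "__main__":
    clean = build_minimal_pe()
    # Constructed samples: the first DOS byte overwritten (the README's MZ -> ÉZ
    # trick; the value here is arbitrary), and a PNG header prepended in front.
    tampered = b"\xc9" + clean[1:]
    png_wrapped = PNG_MAGIC + b"\x00" * 8 + clean
    for name, sample in ("clean", clean), ("tampered", tampered), ("png_wrapped", png_wrapped):
        print(name, triage(sample))
```

The search for the DOS header is bounded by MAX_LFANEW, which is generous for real images (e_lfanew is normally a few hundred bytes); a scanner that keys only on the first two bytes of a download would miss both samples, which is the whole point of the trick described above.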
AES encryption of the stage2 binary using C:\WINDOWS\system32 (as key) (Thanks to @D1rkMtr for the AES Encryption template!):

```
$ cd obfuscator
$ python3 aes.py demon.exe
$ ls
aes.py demon.exe implant.bin
```

Required python libs: hashlib, pycryptodome and pycryptodomex.
GetSystemDirectoryA() is used in the main implant so that:
i. We don't need hardcoding of the password.
ii. We don't need to download the key at runtime.
iii. No need of special initial recon for knowing any artifacts unique to the victim machine prior to the execution of this implant. Moreover, in case of phishing, we don't have anything known except the mail addresses of the employees of the target organization.
iv. It automatically retrieves the string C:\WINDOWS\system32 using GetSystemDirectoryA() at runtime (every x64 install has this folder, so no problem regarding that) and uses this as the key to decrypt the AES-encrypted stage2 PE binary.
Note: GetSystemDirectoryA() returns "C:\WINDOWS\system32" on some machines and "C:\Windows\system32" on others, so the retrieved string is passed through UpperCase() after retrieving to avoid confusion 👍

Checking hooks on functions (Nt or Zw) => Refer to this repo: RemoveFalsePositives.

I used EnumThreadWindows, not CreateRemoteThread, to run the shellcode version of ntdll in-memory!
```
PS C:\Users\HP\Desktop\Tools\DefenseTools> .\pe-sieve64.exe /pid 18164 /shellc /data 3
PID: 18164
Output filter: no filter: dump everything (default)
Dump mode: autodetect (default)
[-] Could not set debug privilege
[*] Using raw process!
[*] Scanning: C:\Users\HP\Desktop\Windows\MaldevTechniques\3.Evasions\CheckHook_PELoader\checkHooks-n-load.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\winhttp.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\imm32.dll
[*] Scanning: C:\Windows\System32\ws2_32.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\webio.dll
[*] Scanning: C:\Windows\System32\mswsock.dll
[*] Scanning: C:\Windows\System32\IPHLPAPI.DLL
[*] Scanning: C:\Windows\System32\winnsi.dll
[*] Scanning: C:\Windows\System32\nsi.dll
[*] Scanning: C:\Windows\System32\sspicli.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\mscoree.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\shell32.dll
[*] Scanning: C:\Windows\System32\cryptsp.dll
[*] Scanning: C:\Windows\System32\wkscli.dll
[*] Scanning: C:\Windows\System32\netapi32.dll
[*] Scanning: C:\Windows\System32\samcli.dll
[*] Scanning: C:\Windows\System32\srvcli.dll
[*] Scanning: C:\Windows\System32\netutils.dll
[*] Scanning: C:\Windows\System32\dhcpcsvc.dll
[*] Scanning: C:\Windows\System32\schannel.dll
[*] Scanning: C:\Windows\System32\mskeyprotect.dll
[*] Scanning: C:\Windows\System32\ntasn1.dll
[*] Scanning: C:\Windows\System32\ncrypt.dll
[*] Scanning: C:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\ncryptsslp.dll
[*] Scanning: C:\Windows\System32\bcryptprimitives.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\System32\rsaenh.dll
[*] Scanning: C:\Windows\System32\CRYPTBASE.dll
[*] Scanning: C:\Windows\System32\gpapi.dll
[*] Scanning: C:\Windows\System32\dpapi.dll
Scanning workingset: 298 memory regions.
[!] Scanning detached: 00007FF770A10000 : C:\Users\HP\Desktop\Windows\MaldevTechniques\3.Evasions\CheckHook_PELoader\checkHooks-n-load.exe
[-] Could not read the remote PE at: 00007FF770A10000
[*] Workingset scanned in 985 ms
[+] Report dumped to: process_18164
[!] Image size at: 7ff770a10000 undetermined, using calculated size: 2f000
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\7ff770a10000.checkHooks-n-load.exe as VIRTUAL
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\7ffe237e0000.kernel32.dll as REALIGNED
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\140000000.exe as REALIGNED
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\29883e50000.shc as VIRTUAL
[+] Dumped modified to: process_18164
[+] Report dumped to: process_18164
---
PID: 18164
---
SUMMARY:
Total scanned: 46
Skipped: 0
-
Hooked: 1
Replaced: 0
Hdrs Modified: 0
IAT Hooks: 0
Implanted: 2
Implanted PE: 2
Implanted shc: 0
Unreachable files: 0
Other: 1
-
Total suspicious: 4
---
```
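For the defender reading the pe-sieve run above, here is an added Python example (not part of this project or of pe-sieve) that turns that text report into a structured verdict: it pulls the SUMMARY counters, the dumped-region lines and the "Scanning detached" warning, and separates findings from caveats such as the missing debug privilege. The sample report embedded in the block is the tail of the output shown above, trimmed to the lines the parser uses; the regular expressions are written against that output only.

```python
"""Added example (not part of the CheckHook_PELoader project or of pe-sieve):
turn a pe-sieve text report into a structured verdict. The sample below is the
tail of the pe-sieve run shown in the README, trimmed to the lines parsed here."""
import re

PESIEVE_SAMPLE = r"""
[-] Could not set debug privilege
[!] Scanning detached: 00007FF770A10000 : C:\Users\HP\Desktop\Windows\MaldevTechniques\3.Evasions\CheckHook_PELoader\checkHooks-n-load.exe
[-] Could not read the remote PE at: 00007FF770A10000
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\7ff770a10000.checkHooks-n-load.exe as VIRTUAL
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\7ffe237e0000.kernel32.dll as REALIGNED
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\140000000.exe as REALIGNED
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\29883e50000.shc as VIRTUAL
---
PID: 18164
---
SUMMARY:
Total scanned: 46
Skipped: 0
-
Hooked: 1
Replaced: 0
Hdrs Modified: 0
IAT Hooks: 0
Implanted: 2
Implanted PE: 2
Implanted shc: 0
Unreachable files: 0
Other: 1
-
Total suspicious: 4
---
"""

COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(\d+)\s*$", re.M)
DUMP_RE = re.compile(r"Dumped module to: .*[\\/]([0-9a-fA-F]+)\.(\S+) as (\w+)")
DETACHED_RE = re.compile(r"Scanning detached: ([0-9A-Fa-f]+) : (.+?)\s*$", re.M)
PID_RE = re.compile(r"^PID:\s*(\d+)", re.M)


def parse_summary(report: str) -> dict:
    """Counters from the SUMMARY block, e.g. {'Hooked': 1, 'Implanted PE': 2, ...}."""
    _, found, tail = report.partition("SUMMARY:")
    if not found:
        raise ValueError("no SUMMARY block in pe-sieve output")
    return {name: int(value) for name, value in COUNTER_RE.findall(tail)}


def parse_dumps(report: str) -> list:
    """One entry per 'Dumped module to:' line: base address, name and dump mode.
    pe-sieve names a dump <base>.<name>; in this sample the entries that carry
    only an extension (140000000.exe, 29883e50000.shc) had no module file name."""
    return [{"addr": int(addr, 16), "name": name, "mode": mode}
            for addr, name, mode in DUMP_RE.findall(report)]


def triage(report: str) -> dict:
    """Structured verdict: counters, dumps, reasons to escalate, and caveats
    about scan coverage."""
    counters = parse_summary(report)
    dumps = parse_dumps(report)
    reasons, caveats = [], []
    if counters.get("Hooked", 0):
        reasons.append(f"{counters['Hooked']} module(s) with patched code (hooks or in-memory modifications)")
    if counters.get("Implanted PE", 0):
        reasons.append(f"{counters['Implanted PE']} PE image(s) implanted in memory")
    if counters.get("Implanted shc", 0):
        reasons.append(f"{counters['Implanted shc']} shellcode region(s) implanted")
    for addr, path in DETACHED_RE.findall(report):
        basename = path.rsplit("\\", 1)[-1]
        reasons.append(f"{basename} at 0x{addr} reported as detached by pe-sieve")
    for d in dumps:
        if "." not in d["name"]:  # bare extension: no module file name for this region
            reasons.append(f"region {d['addr']:#x} ({d['name']}) is not backed by a named module")
    if "Could not set debug privilege" in report:
        caveats.append("scan ran without debug privilege; rerun elevated for full coverage")
    if "Could not read the remote PE" in report:
        caveats.append("at least one image could not be read; its verdict is incomplete")
    m = PID_RE.search(report)
    return {"pid": int(m.group(1)) if m else None, "counters": counters, "dumps": dumps,
            "suspicious": counters.get("Total suspicious", 0) > 0,
            "reasons": reasons, "caveats": caveats}


if __name__ == "__main__":
    verdict = triage(PESIEVE_SAMPLE)
    print("PID", verdict["pid"], "suspicious:", verdict["suspicious"])
    for line in verdict["reasons"]:
        print("  [!]", line)
    for line in verdict["caveats"]:
        print("  [-]", line)
```

The two caveats matter for the run above: pe-sieve could not set the debug privilege and could not read the main image, so "Total suspicious: 4" is a lower bound for that process rather than a complete picture.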