Stars: 105
Rank: 328,196 (Top 7%)
Language: C#
Created almost 3 years ago
Updated almost 3 years ago


Repository Details

Perun's Fart (Slavic God's Luck). Another method for unhooking AV and EDR, this is my C# version.

Perun's Fart

A C# application that unhooks AV and EDR to help run malicious code undetected. It differs from the classic unhooking technique in that it does not need to load a 'clean' copy of ntdll.dll from disk: it spawns a new process in a suspended state and reads the freshly mapped ntdll.dll from that process before the AV/EDR has had a chance to inject its DLL and install hooks.

The concept is otherwise the same: overwrite the hooked syscall stubs in the current process's ntdll.dll with the clean (unhooked) versions.

Introduction

This C# code is based upon one of the techniques demonstrated in the RED TEAM Operator: Windows Evasion Course from Sektor7; the original, developed by Sektor7, is written in C/C++. I would recommend any of the malware development courses, there is a lot of great stuff to learn about creating malware in C/C++.

The blog entry can be found here. Apparently, Fart in Swedish translates to speed in English (this technique loads a new process in a suspended state, before AV/EDR can hook ntdll.dll), fart is also luck in Polish. A quick Google tells me that Perun is a Slavic God (this was confirmed in an email from Sektor7).

Proof of Concept in x64dbg

The following image shows the ZwCreateProcess function when BitDefender is disabled:

[Image: ZwCreateProcess in x64dbg with BitDefender disabled]

When I run the program again, this time with BitDefender enabled, the ZwCreateProcess syscall stub in ntdll.dll is hooked, which is apparent from the JMP instruction that has replaced the start of the stub:

[Image: ZwCreateProcess in x64dbg with BitDefender enabled, showing the JMP]

When Perun's Fart has completed unhooking ntdll.dll, the syscall stub is back to normal (the symbol is now shown as NtCreateProcess: ntdll.dll exports both the Nt and Zw names for the same stub address, so the debugger may label it with either):

[Image: NtCreateProcess in x64dbg after unhooking]

Example

Execution of the code is shown below:

Creating a new process to read in a clean copy of NTDLL
[+] New process created. Pid: 6700
[+] Getting Module Size: ntdll
[+] Got Module base address: 0x7FFC92E00000
[+] Module is a valid image.
[+] e_lfanew equals 0xE0
[+] NT_HEADERS address is 0x7FFC92E000E0
[+] Module NT Headers is valid.
[+] ntdll Module Size: 2019328 bytes
[+] Bytes read from remote process memory: 2019328 bytes
[+] Killing process. Pid: 6700
[+] Done

Unhooking NTDLL
[+] Sections to enumerate is 9
[+] First section is .text
[+] First section is at 0x1E912279CA8
[+] Analysing section .text
[+] .text section is at 0x1E912279CA8
[+] First syscall found at offset: 0x9F9E0, addr: 0x7FFC92E9F9E0
[+] Last syscall found at offset: 0xA33C8, addr: 0x7FFC92EA33C8
[+] VirtualProtect Dll to PAGE_EXECUTE_READWRITE...
[+] Unhooking Dll by copying clean data...
[+] VirtualProtect Dll to OldProtect
[+] Done

I have not injected any shellcode in the PoC. The technique achieves the same result as the classic technique of reading a clean copy of ntdll.dll from disk; see the notes below for BitDefender specifics.

Notes

The code can be changed to unhook any loaded DLL. BitDefender hooks ntdll.dll and kernelbase.dll.

Upon loading the suspended process I used Process Hacker to see which modules had been loaded, and unfortunately only ntdll.dll is loaded (this makes sense in hindsight: a process created with CREATE_SUSPENDED has ntdll.dll mapped by the kernel, but its initial thread has not yet run the loader, so kernel32.dll and kernelbase.dll are not present and cannot be copied from it):

[Image: Process Hacker module list of the suspended process, showing only ntdll.dll]

Still, it could be used in conjunction with direct system calls to ntdll, which do not pass through the hooked kernelbase.dll functions at all.
