  • Stars: 163
  • Rank: 231,141 (Top 5 %)
  • Language: C
  • License: MIT License
  • Created: almost 2 years ago
  • Updated: almost 2 years ago


Repository Details

A dropper POC with a focus on aiding EDR evasion: NTDLL unhooking followed by loading ntdll in-memory, where ntdll is present as shellcode (converted with pe2shc by @hasherezade). Payload encryption via the SystemFunction033 NtApi, and no new thread thanks to Fiber-based execution.

❗ A small personal weekend project POC from my side. Completely free and open source. Doesn't belong to my company's assets!

This POC is only useful if the operator knows the ReleaseID of the victim Windows machine before executing this implant there, because ntdll.dll differs between release IDs. On a mismatch, this implant will NOT work and will crash!

Another project related to this concept, by @D1rkMtr: NTDLLReflection

Future Upgrades:

  1. Apply API hashing (technique by @NUL0x4C) to replace GetModuleHandle and GetProcAddress.

ReflectiveNtdll

POC1:

  1. A POC dropper focusing on EDR evasion (self-injecting dropper). Again, thanks to Sektor7 by reenz0h.
  2. Followed by loading ntdll in-memory (BYONtdll), where ntdll is present as shellcode (converted with pe2shc by @hasherezade).
  3. NTDLL unhooking from the implant process.
  4. Evasion via in-memory payload encryption using the SystemFunction033 NtApi, which performs RC4 encryption and decryption in-memory. This eradicates "on injection" shellcode detection: with ordinary shellcode injection the encrypted payload is decrypted just before the raw shellcode is mapped into process memory, and that is the moment the AV triggers. Here there is no such window, because decryption happens only after the payload is already mapped in process memory.
  5. Shellcode execution via the "no new thread" technique, using a Fiber.

POC2:

  1. A POC dropper focusing on EDR evasion (self-injecting dropper). Again, thanks to Sektor7 by reenz0h.
  2. Loading ntdll in-memory (BYONtdll), where ntdll is present as shellcode (converted with pe2shc by @hasherezade).
  3. [Different from the previous one]
    No need for NTDLL unhooking.
    The new ntdll is mapped in memory and the address of the target NtApi is then resolved from the EAT of that mapped ntdll in process memory (yup, this appends the NTDLLReflection technique by @D1rkMtr).
  4. Evasion via in-memory payload encryption using the SystemFunction033 NtApi, which performs RC4 encryption and decryption in-memory. This eradicates "on injection" shellcode detection: with ordinary shellcode injection the encrypted payload is decrypted just before the raw shellcode is mapped into process memory, and that is the moment the AV triggers. Here there is no such window, because decryption happens only after the payload is already mapped in process memory.
  5. Shellcode execution via the "no new thread" technique, using a Fiber.

Drawback of this POC:

To make it work on a victim Windows machine, the operator needs to know the ReleaseID of that machine prior to executing this implant, because ntdll.dll varies by ReleaseID. After obtaining the matching ntdll version, follow the steps below.

Building the Executable (for POC1 as well as POC2):

1. Get the shellcode from Havoc C2 (or any C2) [tested against Havoc C2 only!]

2. In a Linux or Git Bash prompt, generate a header file containing the shellcode: xxd -i shellcode.bin > shellcode.h

3. Copy 'shellcode.h' into the 'Encrypt_shellcode' folder.

4. Use compile.bat to build the executable that encrypts shellcode.h and writes a .bin file (remember to edit shellcode.h so the unsigned char array is named "shellcode").

5. Then run ".\encrypt.exe shellcode.h" => you will get an encrypted .bin file.

6. Again in a Linux or Git Bash prompt, generate a header file containing the encrypted shellcode: xxd -i enc_shellcode.bin > enc_shellcode.h (remember to edit the header file so the unsigned char array is named "enc_shellcode").

7. To get the shellcode version of ntdll: .\pe2shc.exe .\win10_ntdll_22H2_19045_2486.dll .\win10_ntdll_22H2_19045_2486.bin
(I tested with these versions only: win10_ntdll_22H2_19045_2486 and win11-ntdll_22H2_22621-1105)

8. Again in a Linux or Git Bash prompt, generate a header file containing the ntdll shellcode: xxd -i win10_ntdll_22H2_19045_2486.bin > win10_ntdll_22H2_19045_2486.h

9. Move those two header files into the "ReflectiveNtdll\POCn" folder (where n = 1 or 2).

10. Run: .\compile.bat

Demo For POC1:

ReflectiveNtdll.mp4

Video Link: https://drive.google.com/file/d/11lPBx2pYpy0_wr3lzVUeDziELdT-DAlK/view?usp=share_link

Internal Findings:

  1. Bypassing Get-InjectedThread.ps1 by @jaredcatkinson:

I used CreateThread, not CreateRemoteThread, to run the shellcode version of ntdll in-memory!

According to Get-InjectedThread.ps1:

image

No CreateThread is mentioned!

image

  2. Bypassing DefenderCheck by @matterpreter:

image

  3. AntiScan.me Scan:

image

  4. Capa Scan:

image

  5. Moneta Scan:

image

Expected, as we have loaded ntdll.dll in-memory and the implant is also not signed!

  6. Pe-sieve Scan:

PS C:\Users\HP\Desktop\Tools\DefenseTools> .\pe-sieve64.exe /pid 26744 /shellc /data 3
PID: 26744
Output filter: no filter: dump everything (default)
Dump mode: autodetect (default)
[-] Could not set debug privilege
[*] Using raw process!
[*] Scanning: C:\Users\HP\Desktop\Windows\MaldevTechniques\3.Evasions\ReflectiveNtdll\implant.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\cryptsp.dll
[*] Scanning: C:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\bcryptprimitives.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\mscoree.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\imm32.dll
[*] Scanning: C:\Windows\System32\shell32.dll
[*] Scanning: C:\Windows\System32\winhttp.dll
[*] Scanning: C:\Windows\System32\IPHLPAPI.DLL
[*] Scanning: C:\Windows\System32\wkscli.dll
[*] Scanning: C:\Windows\System32\netapi32.dll
[*] Scanning: C:\Windows\System32\samcli.dll
[*] Scanning: C:\Windows\System32\srvcli.dll
[*] Scanning: C:\Windows\System32\netutils.dll
[*] Scanning: C:\Windows\System32\sspicli.dll
[*] Scanning: C:\Windows\System32\nsi.dll
[*] Scanning: C:\Windows\System32\dhcpcsvc.dll
[*] Scanning: C:\Windows\System32\ws2_32.dll
[*] Scanning: C:\Windows\System32\webio.dll
[*] Scanning: C:\Windows\System32\mswsock.dll
[*] Scanning: C:\Windows\System32\winnsi.dll
[*] Scanning: C:\Windows\System32\schannel.dll
[*] Scanning: C:\Windows\System32\mskeyprotect.dll
[*] Scanning: C:\Windows\System32\ntasn1.dll
[*] Scanning: C:\Windows\System32\ncrypt.dll
[*] Scanning: C:\Windows\System32\ncryptsslp.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\System32\rsaenh.dll
[*] Scanning: C:\Windows\System32\CRYPTBASE.dll
[*] Scanning: C:\Windows\System32\gpapi.dll
[*] Scanning: C:\Windows\System32\dpapi.dll
[*] Scanning: C:\Windows\System32\dnsapi.dll
Scanning workingset: 328 memory regions.
[*] Workingset scanned in 2500 ms
[+] Report dumped to: process_26744
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_26744\234daa50000.shc as VIRTUAL
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_26744\234daa61000.shc as VIRTUAL
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_26744\234dabc0000.dll as UNMAPPED
[+] Dumped modified to: process_26744
[+] Report dumped to: process_26744
---
PID: 26744
---
SUMMARY:

Total scanned:      48
Skipped:            0
-
Hooked:             0
Replaced:           0
Hdrs Modified:      0
IAT Hooks:          0
-Implanted:          3
-Implanted PE:       2
-Implanted shc:      1
Unreachable files:  0
Other:              0
-
-Total suspicious:   3
---
  7. PEBear View: IAT Table

image

Suspicious WinAPI usage is removed from the IAT.

Demo For POC2:

ReflectiveNtdll_POC2.mp4

Video Link: https://drive.google.com/file/d/1xa9Jevs1nl4EIUNd5Hq5BKFUicNtJDBQ/view?usp=share_link

Internal Findings:

  1. Bypassing Get-InjectedThread.ps1 by @jaredcatkinson:

I used CreateFiber, not CreateRemoteThread, to run the shellcode in-memory!

image

  2. Bypassing DefenderCheck by @matterpreter:

image

  3. AntiScan.me Scan:

image

  4. Capa Scan:

image

  5. Moneta Scan:

image

Although we have loaded ntdll.dll in-memory and the implant is still not signed, this time it was not detected by Moneta!

  6. Pe-sieve Scan:

PS C:\Users\HP\Desktop\Tools\DefenseTools> .\pe-sieve64.exe /pid 4844 /shellc /data 3
PID: 4844
Output filter: no filter: dump everything (default)
Dump mode: autodetect (default)
[-] Could not set debug privilege
[*] Using raw process!
[*] Scanning: C:\Users\HP\Downloads\OOOps.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\cryptsp.dll
[*] Scanning: C:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\bcryptprimitives.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\mscoree.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\imm32.dll
[*] Scanning: C:\Windows\System32\shell32.dll
[*] Scanning: C:\Windows\System32\winhttp.dll
[*] Scanning: C:\Windows\System32\IPHLPAPI.DLL
[*] Scanning: C:\Windows\System32\wkscli.dll
[*] Scanning: C:\Windows\System32\netapi32.dll
[*] Scanning: C:\Windows\System32\samcli.dll
[*] Scanning: C:\Windows\System32\srvcli.dll
[*] Scanning: C:\Windows\System32\netutils.dll
[*] Scanning: C:\Windows\System32\sspicli.dll
[*] Scanning: C:\Windows\System32\nsi.dll
[*] Scanning: C:\Windows\System32\dhcpcsvc.dll
[*] Scanning: C:\Windows\System32\ws2_32.dll
[*] Scanning: C:\Windows\System32\webio.dll
[*] Scanning: C:\Windows\System32\mswsock.dll
[*] Scanning: C:\Windows\System32\winnsi.dll
[*] Scanning: C:\Windows\System32\schannel.dll
[*] Scanning: C:\Windows\System32\mskeyprotect.dll
[*] Scanning: C:\Windows\System32\ntasn1.dll
[*] Scanning: C:\Windows\System32\ncrypt.dll
[*] Scanning: C:\Windows\System32\ncryptsslp.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\System32\rsaenh.dll
[*] Scanning: C:\Windows\System32\CRYPTBASE.dll
[*] Scanning: C:\Windows\System32\gpapi.dll
[*] Scanning: C:\Windows\System32\dpapi.dll
Scanning workingset: 311 memory regions.
[*] Workingset scanned in 1218 ms
[+] Report dumped to: process_4844
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_4844\250d9510000.shc as VIRTUAL
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_4844\250d9731000.shc as VIRTUAL
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_4844\250d9840000.dll as UNMAPPED
[+] Dumped modified to: process_4844
[+] Report dumped to: process_4844
---
PID: 4844
---
SUMMARY:

Total scanned:      47
Skipped:            0
-
Hooked:             0
Replaced:           0
Hdrs Modified:      0
IAT Hooks:          0
-Implanted:          3
-Implanted PE:       2
-Implanted shc:      1
Unreachable files:  0
Other:              0
-
Total suspicious:   3
---
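As an added defender-side example (not code from this repository), a small Python parser for the pe-sieve console output shown in both scans above: it pulls the SUMMARY counters and the "Dumped module to" lines into a report and turns them into a triage verdict. The sample output is constructed and abbreviated from the POC1 scan; the dump path is shortened.

```python
import re

# Constructed, abbreviated pe-sieve run with the same summary values as the POC1 scan above
SAMPLE_OUTPUT = """\
PID: 26744
[*] Dumped module to: C:\\Tools\\process_26744\\234daa50000.shc as VIRTUAL
[*] Dumped module to: C:\\Tools\\process_26744\\234daa61000.shc as VIRTUAL
[*] Dumped module to: C:\\Tools\\process_26744\\234dabc0000.dll as UNMAPPED
SUMMARY:
Total scanned:      48
Hooked:             0
IAT Hooks:          0
-Implanted:          3
-Implanted PE:       2
-Implanted shc:      1
-Total suspicious:   3
"""

PID_RE = re.compile(r"^PID:\s+(\d+)")
DUMP_RE = re.compile(r"^\[\*\] Dumped module to: (.+?) as (VIRTUAL|UNMAPPED|REALIGNED|ROUNDED)")
# The leading '-' some summary lines carry is markdown diff colouring from the README, not data.
SUMMARY_RE = re.compile(r"^-?\s*([A-Za-z ]+?):\s+(\d+)\s*$")

def parse_pe_sieve(text: str) -> dict:
    """Pull PID, dumped-module lines and the SUMMARY counters out of pe-sieve console output."""
    rep = {"pid": None, "counts": {}, "dumps": []}  # dumps: (path, dump mode)
    in_summary = False
    for line in text.splitlines():
        if (m := PID_RE.match(line)) and rep["pid"] is None:
            rep["pid"] = int(m.group(1))
        elif m := DUMP_RE.match(line):
            rep["dumps"].append((m.group(1), m.group(2)))
        elif line.startswith("SUMMARY:"):
            in_summary = True
        elif in_summary and (m := SUMMARY_RE.match(line)):
            rep["counts"][m.group(1).strip()] = int(m.group(2))
    return rep

def triage(rep: dict) -> tuple:
    """Turn the counters into a verdict plus the reasons a responder would cite."""
    c, reasons = rep["counts"], []
    if c.get("Implanted shc", 0):
        reasons.append(f"{c['Implanted shc']} shellcode region(s) with no backing file")
    if c.get("Implanted PE", 0):
        reasons.append(f"{c['Implanted PE']} PE image(s) in memory missing from the loader's module list")
    for path, mode in rep["dumps"]:
        if mode == "UNMAPPED":  # a hand-mapped PE (e.g. a second ntdll) is dumped this way
            reasons.append(f"manually mapped PE dumped from {path}")
    return ("suspicious" if reasons else "clean"), reasons
```

Both scans on this page yield three reasons (one .shc region, two implanted PEs, one UNMAPPED dump), which is the signal a responder would pivot on even when the process shows zero hooks.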
  7. PEBear View: IAT Table

image

Suspicious WinAPI usage is removed from the IAT.

Also thanks to:

  1. @Jean_Maes_1994 for enlightening me regarding the internals of EDR, and for other suggestions.
  2. @D1rkMtr for a spontaneous discussion on implant development.
  3. @winterknife for his Wraith project.
  4. @peterwintrsmith for enlightening me regarding the internals of ntdll.dll hooking by EDR.
