Implements techniques learned from MalDevAcademy for building malware that can bypass AVs as well as sandboxes.

- Payload Storage:
  - Payload Placement in the `.rsrc` section: used for placing the shellcode in the `.rsrc` section of the PE file.
  - Payload Staging: used for loading the payload from the internet (the current repo) with a fixed URL stored as a stack string. This is the technique currently used in the project.
  - Payload Placement in the
- Encryption: the payload is encrypted with the RC4 algorithm.
- Brute-Force Decryption: the hardcoded key is encrypted with KeyGuard and requires brute-force decryption with a hint byte to retrieve the original key.
- (Non-Elevated) Process Enumeration: used for searching for specific, non-elevated processes on the system by using the `NtQuerySystemInformation`, `NtOpenProcessToken`, and `NtQueryInformationToken` functions.
- PPID Spoofed and Debugged/Suspended Process Creation: used for creating a process with a spoofed PPID in a debugged/suspended state that can be utilized by the Early Bird APC Injection technique.
- API Hashing: used for hiding the malicious API imports from the Import Address Table (IAT) by hashing the API names and resolving them at run-time. This is implemented with custom `GetModuleHandle` and `GetProcAddress` functions that resolve the hash values generated by the Hasher project in this repo.
- Remote Payload Execution:
  - Local/Remote Mapping Injection: used for allocating mapped memory in a local/remote process and injecting shellcode into it.
  - Early Bird APC Injection: used for injecting shellcode into an APC queue of a remote process. This is the technique currently used in the project.
- WhisperHell: a combination of Hell's Gate and SysWhispers3 used for bypassing userland hooking by utilizing the SSN searching technique of Hell's Gate and the indirect syscall technique of SysWhispers3.
- Anti-Analysis: including self-deletion (utilizing an Alternate Data Stream), a mouse click counter (utilizing the `SetWindowsHookExW` function) and execution delay (utilizing the `NtDelayExecution` function).
- Entropy Reduction: uses EntropyReducer for reducing the entropy of the encrypted payload.
- IAT Camouflage: used for creating fake IAT entries by tricking the compiler into thinking that benign, unused API functions are being used in the code.
- CRT Library Independent: totally removes the dependency on the Visual Studio CRT library by using custom and intrinsic functions, reducing the size and the entropy of the binary.
Problems.pdf or https://insomnia1102.online/002-Cyber-Security/MalDev/MalDev---Bypassing-AVs
The command used for signing the binary:

```powershell
.\Signer.ps1 -Password (ConvertTo-SecureString "<password>" -AsPlainText -Force) -BinaryPath ".\x64\Release\BypassingAVs.exe"
```

NOTE: the signed binary sometimes gets detected by AVs, so it is recommended to use the binary without signing it.
- Create Process With `NtCreateUserProcess`
- NTDLL Unhooking
- Communication With C2 Server