Ares
This project is a PoC loader written in C/C++ based on the Transacted Hollowing technique. It features:
— PPID spoofing
— Dynamic function resolution with API hashing
— NTDLL unhooking
— AES256 CBC Encryption
— CIG to block non-Microsoft-signed binaries
https://github.com/Cerbersec/Ares
#edr #evasion #cpp
This project is a PoC loader written in C/C++ based on the Transacted Hollowing technique. It features:
— PPID spoofing
— Dynamic function resolution with API hashing
— NTDLL unhooking
— AES256 CBC Encryption
— CIG to block non-Microsoft-signed binaries
https://github.com/Cerbersec/Ares
#edr #evasion #cpp
GitHub
GitHub - Cerbersec/Ares: Project Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique
Project Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique - Cerbersec/Ares
👍1
Malware Analysis: Syscalls
Great guide and overview about Syscalls and how to start diagnosing them.
https://jmpesp.me/malware-analysis-syscalls-example/
#maldev #cpp #syscall
Great guide and overview about Syscalls and how to start diagnosing them.
https://jmpesp.me/malware-analysis-syscalls-example/
#maldev #cpp #syscall
RefleXXion
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
https://github.com/hlldz/RefleXXion
#edr #evasion #cpp #redteam
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
https://github.com/hlldz/RefleXXion
#edr #evasion #cpp #redteam
FunctionStomping
This is a brand-new technique for shellcode injection to evade AVs and EDRs. This technique is inspired by Module Stomping and has some similarities.The big advantage of this technique is that it isn't overwritting an entire module or PE, just one function and the target process can still use any other function from the target module.
https://github.com/Idov31/FunctionStomping
#edr #evasion #stomping #maldev #cpp
This is a brand-new technique for shellcode injection to evade AVs and EDRs. This technique is inspired by Module Stomping and has some similarities.The big advantage of this technique is that it isn't overwritting an entire module or PE, just one function and the target process can still use any other function from the target module.
https://github.com/Idov31/FunctionStomping
#edr #evasion #stomping #maldev #cpp
This media is not supported in your browser
VIEW IN TELEGRAM
EmbedExeLnk
Embedding an EXE inside a LNK with automatic execution
https://www.x86matthew.com/view_post?id=embed_exe_lnk
#embed #lnk #exe #cpp
Embedding an EXE inside a LNK with automatic execution
https://www.x86matthew.com/view_post?id=embed_exe_lnk
#embed #lnk #exe #cpp
👍3
This media is not supported in your browser
VIEW IN TELEGRAM
KernelCallbackTable Injection
KernelCallbackTable which could be abused to inject shellcode in a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.
https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html
#edr #bypass #injection #cpp #maldev
KernelCallbackTable which could be abused to inject shellcode in a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.
https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html
#edr #bypass #injection #cpp #maldev
💤 laZzzy
This is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
Features:
— Direct syscalls and native functions;
— Import Address Table (IAT) evasion;
— Encrypted payload (XOR and AES);
— PPID spoofing;
— Blocking of non-Microsoft-signed DLLs;
— etc.
https://github.com/capt-meelo/laZzzy
#maldev #loader #cpp #redteam
This is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
Features:
— Direct syscalls and native functions;
— Import Address Table (IAT) evasion;
— Encrypted payload (XOR and AES);
— PPID spoofing;
— Blocking of non-Microsoft-signed DLLs;
— etc.
https://github.com/capt-meelo/laZzzy
#maldev #loader #cpp #redteam
👍5
🎯 Meterpreter vs Modern EDR
This blog post explains how making minor adjustments to the Meterpreter shellcode dropper can effectively evade modern EDRs. Three modifications are employed on the Meterpreter reference dropper. These modifications involve encrypting the Meterpreter shellcode using the XOR algorithm, incorporating valid metadata via a manifest file, and relocating the Meterpreter shellcode from the .text section to the .data section.
https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023
#av #edr #meterpreter #xor #cpp
This blog post explains how making minor adjustments to the Meterpreter shellcode dropper can effectively evade modern EDRs. Three modifications are employed on the Meterpreter reference dropper. These modifications involve encrypting the Meterpreter shellcode using the XOR algorithm, incorporating valid metadata via a manifest file, and relocating the Meterpreter shellcode from the .text section to the .data section.
https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023
#av #edr #meterpreter #xor #cpp
RedOps - English
Meterpreter vs Modern EDR(s) - RedOps
👍11🔥2
⚙️ MultiDump
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dump via ProcDump.exe or Comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dump via ProcDump.exe or Comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
🔥14❤🔥5👎3
This media is not supported in your browser
VIEW IN TELEGRAM
Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region. This technique is finding RWX region in already running processes in this case OneDrive.exe and Write shellcode into that region and execute it without calling VirtualProtect, VirtualAllocEx, VirtualAlloc.
🚀 Steps:
— Find the OneDrive.exe in running processes;
— Get the handle of OneDrive.exe;
— Query remote process memory information;
— look for RWX memory regions;
— Write shellcode into found region of OneDrive.exe;
— Fork OneDrive.exe into a new process;
— Set the forked process's start address to the cloned shellcode;
— Terminate the cloned process after execution.
🔗 https://github.com/Offensive-Panda/RWX_MEMEORY_HUNT_AND_INJECTION_DV
#winapi #onedrive #injection #maldev #cpp
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥11👍5
This media is not supported in your browser
VIEW IN TELEGRAM
🌀Voidgate
A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
🔗 Source
https://github.com/vxCrypt0r/Voidgate
#av #edr #evasion #hwbp #cpp
A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
🔗 Source
https://github.com/vxCrypt0r/Voidgate
#av #edr #evasion #hwbp #cpp
❤12🔥5👍4❤🔥3👎1
⚙️ Remote Session Enumeration
The blog post explores how to enumerate remote user sessions on Windows using undocumented Windows APIs, specifically focusing on the implementation and usage of the WinStation API.
🔗 Research:
https://0xv1n.github.io/posts/sessionenumeration/
🔗 Source:
https://github.com/0xv1n/RemoteSessionEnum/blob/main/main.cpp
#windows #qwinsta #session #winapi #cpp
The blog post explores how to enumerate remote user sessions on Windows using undocumented Windows APIs, specifically focusing on the implementation and usage of the WinStation API.
🔗 Research:
https://0xv1n.github.io/posts/sessionenumeration/
🔗 Source:
https://github.com/0xv1n/RemoteSessionEnum/blob/main/main.cpp
#windows #qwinsta #session #winapi #cpp
👍8