Shellcode && EDR Bypass

The document presents a detailed overview of a shellcode loader, focusing on its structure, functionality, and methods for evading detection by antivirus and endpoint detection and response (EDR) systems. It discusses the process of creating and executing shellcode, the importance of memory management, and various techniques for bypassing security measures. The content is aimed at Red Team professionals with a foundational understanding of EDR systems and initial access methodologies.


My First and Last Shellcode Loader

Dobin Rutishauser

Red Team Lead, Raiffeisen Schweiz

Slides: https://bit.ly/4dGhBXl

Commsec Track 29 AUG

About Me

Roles:
● Developer // TerreActive
● Pentester // Compass Security
● Developer // UZH
● SOC Analyst // Infoguard
● RedTeam Lead // Raiffeisen
● Memory Corruption Exploits & Mitigations // BFH - Bern University of Applied Sciences
● Gaining Access // OST - Eastern Switzerland University of Applied Sciences

Talks:
● SSL/TLS Recommendations // OWASP Switzerland
● Burp Sentinel - Semi Automated Web Scanner // BSides Vienna
● Automated WAF Testing and XSS Detection // OWASP Switzerland Barcamp
● Fuzzing For Worms - AFL For Network Servers // Area 41
● Develop your own RAT - EDR & AV Defense // Area 41
● Avred - Analyzing and Reverse Engineering AV Signatures // HITB
Content

01 How loader works (Intro to Loader, 5min)
02 Payload detection & bypass (Antivirus, 10min)
03 EDR Input & Attacks (EDR, 20min)
04 Make Shellcode & EXE Injection (Supermega & Cordyceps, 20min)
05 Analysis & Conclusion (Anti-EDR, 5min+)

Intro

Target Audience
● RedTeamers
● Doing initial access with their C2 (CobaltStrike, Sliver, Havoc…)
● Have some EDR knowhow, but confused

Me:
● Not much interest in specific (detectable) anti-EDR techniques
● Interest in how stuff overall works

Motivation: Initial Access with C2

Create C2 Implant -> Pack in .exe -> Send .exe to victim -> ??? -> Profit
Motivation: Initial Access with C2

https://github.com/sevagas/Advanced_Initial_access_in_2024_OffensiveX/blob/main/breach_the_gates_extended.pdf
Why

“EDR bypass this”, “EDR bypass that”, “New EDR bypass technique”, “How I bypassed EDR”, “Usermode unhooking to bypass EDR”

● People don't understand EDR
● People don't know what they are bypassing
● People develop super advanced low-level Anti-EDR techniques which create more telemetry than they solve
Processes
Program vs. Process

Program.exe (on Harddisk): Header, Code, Data
Process (in RAM): Code, Data

The Windows Loader maps Program.exe into the process.
File vs. Process Analysis

Program.exe (Static Analysis): Antivirus, Signatures, Yara, File Hash, Imports, Disassembler, Decompiler
Process (Dynamic Analysis, Behaviour Analysis): Memory scanning, Sandbox, EDR, Debugger
Memory Region Permissions

Program.exe -> Process:
● Code: Read, Execute
● Data: Read, Write

Memory Region Backed vs. Unbacked

● Code (from Program.exe): Backed
● Data (from Program.exe): Backed
● VirtualAlloc’d region: Unbacked

Process Memory Regions
Shellcode Loader Example
Shellcode: Calc
Shellcode: Loader

Need:
● Shellcode (payload)
● VirtualAlloc memory
● Copy shellcode to memory
● Exec memory
Shellcode Loader: 1/3 VirtualAlloc
VirtualAlloc(RWX): create a new RWX region in the process.

Shellcode Loader: 2/3 Copy
Copy the payload into the RWX region.

Shellcode Loader: 3/3 Exec
Execute the payload (the shellcode in the RWX memory region).
Shellcode Loader Structure

● The payload / shellcode to execute
○ In .data, .rdata, .text, or from a file
○ Encoded, encrypted, base64, xor’d…
● The writeable/executable memory (Alloc)
○ VirtualAlloc() RWX
○ NtAllocateVirtualMemory() RWX
○ HeapAlloc()
● The copy (Decode Shellcode, Copy)
○ for() loop
○ memcpy() / memmove()
○ RtlCopyMemory(), CopyMemory(), MoveMemory()
● The execution (Exec)
○ Just jmp to it: ((void(*)())exec)();
○ CreateThread(), QueueUserWorkItem()
○ QueueUserApc()
○ Windows functions which use a callback
● Shellcode can be a reflective DLL
Shellcode Loader In other languages
Shellcode Loader: .NET / C#
Shellcode Loader: Powershell
Shellcode Loader: VBA
Shellcode Loader: Remote Process Injection

Loader.exe (Process) -> Teams.exe (Process):
● OpenProcess()
● VirtualAllocEx(): RWX region in the target process
● WriteProcessMemory(): shellcode copied into that region
Anti Virus Detection
Loader: Unencrypted Payload

Alloc RWX -> Copy Payload -> Exec

Loader: Unencrypted Payload

loader.exe on disk (Code, Data, Payload) -> OS Write-File Event -> AV: Scan File -> Signature Scan hits the payload
Loader DEMO 1

DEMO: Show AV finds unencrypted metasploit


AntiVirus - Encrypted Payload
Loader: Encrypted Payload

Alloc RWX -> Copy Payload (Encrypted) -> Exec

Loader: Encrypted payload

“Encryption” can be anything:
● XOR
● ROT13
● ADD 1
● ZIP
● Base64

The Signature Scan no longer matches the encrypted payload. There's no need to:
● AES, RC4 etc.
● Low entropy / steganography
● Hide it / steganography / low entropy (like SVG, CSS, UUID, CSV)
Loader DEMO 2

DEMO: Show AV with encrypted metasploit


AntiVirus
AV Emulator
AV Emulator

AV Emulator:
● “Interpret” PE file
● Virtual CPU, Windows

It is not:
● Virtualization
● Sandbox
● Full Emulation (Bochs)
● Wine

AV Emulator

Emulate the EXE until a cut-off condition is met, then do a signature Memory Scan.

Cut-off condition:
● Time
● Number of instructions reached
● Number of API Calls
● Amount of memory used
Anti AV Emulator

Process: Payload (Encrypted) -> Alloc -> Anti-Emulation -> Copy Payload -> Exec

The Anti-Emulation step sits between Alloc and Copy: AV Emulation stops there, and Static Code Analysis only sees the encrypted payload.
Loader DEMO 3

DEMO: AV does NOT find encrypted metasploit with Anti-Emulation

● Show Anti-Emulation
Detection in Middleboxes
Dynamic Analysis
Middleboxes

● Email Gateway: AV, Sandbox
● Web Proxy: AV, Malware
● Teams / Sharepoint: AV
● Client: AV
Execution Guardrails

Execution guardrails:
● Environment check
● Environmental keying
● Sandbox / VM detection

Checks:
● AD Domain
● Username
● Installed Software
● IP Address
● Vmtools installed
● # CPUs, RAM
● Vmware Drivers
Execution Guardrails vs. Sandbox

Process: Payload (Encrypted) -> Alloc -> Execution Guardrails -> Copy Payload -> Exec
The Sandbox only gets as far as the Execution Guardrails.

Loader Design
Conclusion
Loader Summary

Process: Payload (Encrypted) -> Alloc -> Execution Guardrails / Anti-Emulation -> Copy Payload -> Exec

Handled: Middleboxes (off target), AV Emulator, Static Analysis

Loader Problem

The same loader still generates Telemetry and can trigger a Memory Scan by the EDR.
EDR Fundamentals
EDR

EDR:
● Agent on each System
● Find malicious processes

EDR

EDR is a blackbox:
● Many different EDRs
● Rapid development
● Input -> EDR -> Alerts

Therefore: Blackbox
● Focus on what the EDR sees
● Not the detections themselves
● What's the input?
● Create a framework to reason about EDR
EDR - Bubbles of Bane

● Signatures: File Scan (AV), Mem Scan (EDR)
● Behaviour: Telemetry (EDR)
EDR Input: Usermode-Hooks
Usermode Hooks

WinApi (kernel32.dll) -> NtApi (Ntdll.dll) -> syscall -> Kernel
● OpenProcess -> NtOpenProcess -> syscall -> NtOpenProcess (kernel)
● VirtualAllocEx -> NtAllocateVirtualMemory -> syscall -> NtAllocateVirtualMemory (kernel)

The Usermode Hook sits in Ntdll.dll, before the syscall.

Usermode Hooks

Process -> Ntdll.dll (hooked) -> syscall -> Windows Kernel
The hook calls into the EDR DLL that is loaded in the process.

Usermode Hooks: Patching ntdll.dll

App.exe -> Kernel32.dll::OpenProcess() -> Ntdll.dll::NtOpenProcess()
The start of NtOpenProcess() is patched to `jmp callback`; the callback (here Amsi.dll, NtCreateFileTrampoline()) notifies the EDR and then executes the original syscall into the OS Kernel.

Usermode Hooks

Typically hooked functions:
● VirtualAlloc, VirtualProtect
● MapViewOfFile, MapViewOfFile2
● VirtualAllocEx, VirtualProtectEx
● QueueUserAPC
● SetThreadContext
● WriteProcessMemory, ReadProcessMemory
EDR Input List
EDR Inputs

Process -> OS -> EDR:
● EtwWrite() -> ETW
● Kernel Callbacks
● ETW-TI
● Usermode Hooks in ntdll.dll / amsi.dll -> pipe to the EDR
● syscall
Kernel Callbacks

void CreateProcessNotifyRoutine(parent_process, pid, createInfo);
void CreateThreadNotifyRoutine(ProcessId, ThreadId, Create);
void LoadImageNotifyRoutine(FullImageName, ProcessId, ImageInfo);
void ObCallback(RegistrationContext, PreInfo);
Loader Kernel Callbacks
EDR Input
ETW
ETW
ETW Providers
ETW Providers, Loader relevant

ETW Provider: Info
● Microsoft-Windows-Kernel-Process: Process Start/Stop, Thread Start/Stop, Image Loads
● Microsoft-Windows-Security-Auditing: Process Start/Stop, Security Operations
● Microsoft-Antimalware-*: Defender Internals
● <tbd>
Loader ETW Provider: Microsoft-Windows-Kernel-Process

Microsoft-Windows-Kernel-Process: Provides events related to process creation and termination. It can help
detect suspicious processes being spawned.

● Process Start/Stop
● Thread Start/Stop
● Image Load/Unload
● Some more

ProcessStart data:
● ProcessID
● CreateTime
● ParentProcessID
● ImageName

Basically same as Kernel Callbacks


ETW Provider: Microsoft-Windows-Security-Auditing
Two Sides of ETW

Process -> (Etw)EventWrite() -> ETW (OS) -> ETW -> EDR
The process writes the events (provider side); the EDR consumes them (consumer side).

EDR Input
ETW-TI
ETW-TI

ETW-Threat Intelligence
The good shit

Few consumers (Defender?)

Requires a PPL’d and signed process
EDR Input
Query Process
Query Process Information

Most events only have very little information:
● PID
● ThreadID
● What happened (image allocation at address x)

EDR: Query Overview

Inputs into the EDR: Kernel Callbacks, EtwWrite() -> ETW, ETW-TI, AMSI (amsi.dll), syscalls through ntdll.dll
Queries by the EDR: Process Info (PEB, EPROCESS), Callstack, Memory Scan, File Scan
EDR: Query Process Information

Query Process Information:
● Parent Process Id
● Image filename (source exe)
● Command line parameters
● Loaded DLLs

Sources: PEB, EPROCESS, NtQueryInformationProcess()

Note:
● PPID Spoofing
● Command line argument Spoofing
EDR: Memory Scanning

Signature scan over process memory (Code, Data), like in files.
Performance intensive: only on trigger.
EDR: Callstack Analysis

Callstack:
● On NtApi call (AMSI or syscall)
● List of addresses of all previous parent functions

EDR: Callstack Analysis

Process .text -> ntdll.dll -> syscall -> OS, and amsi.dll -> AMSI -> EDR. At that point the EDR reads the Callstack from the thread's Stack.

Callstack analysis - Elastic

Elastic has callstack analysis rules for:
● Direct syscalls
● Callback-based evasion
● Module Stomping
● Library loading from unbacked region
● Process created from unbacked region

Callstack analysis for:
● VirtualAlloc, VirtualProtect
● MapViewOfFile, MapViewOfFile2
● VirtualAllocEx, VirtualProtectEx
● QueueUserAPC
● SetThreadContext
● WriteProcessMemory, ReadProcessMemory
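The slide names the APIs whose callstacks Elastic's rules inspect and the stack shapes they flag. The following is an added example (not Elastic's rule code and not code from the talk) of the two checks such a rule needs: which image backs each return address, and whether the innermost frame sits in ntdll.dll. The module map, the return addresses and the extra LoadLibraryW / CreateProcessW entries are constructed; a real EDR takes the map and the stack from the live process.

```python
"""Callstack classification of the kind the EDR rules above describe.

Added example; not Elastic's rules and not code from the talk.  The module map,
the return addresses and the API list are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map of a hypothetical process (addresses are made up).
MODULES = [
    Module("app.exe", 0x140000000, 0x20000),
    Module("kernel32.dll", 0x7FF800000000, 0x100000),
    Module("ntdll.dll", 0x7FF900000000, 0x200000),
]

# APIs from the slide, plus the two that the "library loading from unbacked
# region" and "process created from unbacked region" rules imply (assumption).
SENSITIVE_APIS = {
    "VirtualAlloc", "VirtualProtect", "VirtualAllocEx", "VirtualProtectEx",
    "MapViewOfFile", "MapViewOfFile2", "QueueUserAPC", "SetThreadContext",
    "WriteProcessMemory", "ReadProcessMemory", "LoadLibraryW", "CreateProcessW",
}


def module_for(addr: int, modules=MODULES) -> Optional[str]:
    """Name of the image backing addr, or None when the address is unbacked."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def analyse_callstack(api: str, frames: List[int], modules=MODULES,
                      syscall_module: str = "ntdll.dll") -> List[str]:
    """frames[0] is the innermost return address (just above the syscall),
    frames[-1] the outermost.  Returns the findings for this call."""
    findings = []
    if api not in SENSITIVE_APIS or not frames:
        return findings
    owners = [module_for(f, modules) for f in frames]
    # Direct syscall: the syscall instruction was not executed inside ntdll.dll.
    if owners[0] != syscall_module:
        findings.append("direct_syscall")
    # Any frame outside every image: the call originates from unbacked memory.
    if any(o is None for o in owners):
        findings.append("unbacked_caller")
    return findings


if __name__ == "__main__":
    stack = [0x7FF900001234, 0x7FF800005678, 0x1A0010]
    print(analyse_callstack("VirtualAlloc", stack))  # → ['unbacked_caller']
```

The innermost frame is the one the EDR sees right above the syscall; a clean stack has it inside ntdll.dll and every outer frame inside some loaded image, which is exactly the "backed memory, clean callstacks" design goal the talk arrives at later.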
EDR Performance
EDR Performance

If EDR is slow, devs go to Mac. Can't let this happen.

Perf Impact | What
1 | Event
3 | Events Correlation
10 | Process Query
100 | Memory Scan
1000 | File Scan

Time in Event Processing

Input Events -> EDR (time) -> Query Process Info (QPI)
Sysmon

Process -> Kernel Callbacks / ETW -> OS -> Sysmon
Sysmon consumes Kernel Callbacks and ETW via the OS and queries Process Info / Memory Scan. It records:
● MD5 hashes of images
● Callstack (ProcessAccess)
● Current Working Directory
EDR Example Attacks
Usermode-hook patch
Usermode Hooks

WinApi (kernel32.dll) -> NtApi (Ntdll.dll, Usermode Hook) -> syscall -> Kernel
● OpenProcess -> NtOpenProcess -> NtOpenProcess
● VirtualAllocEx -> NtAllocateVirtualMemory -> NtAllocateVirtualMemory

Usermode-hook patch

Remove Userspace-Hooks by patching ntdll.dll:

VirtualProtect(ntdll.dll, RX->RW)
memcpy(ntdll.dll, …)
VirtualProtect(ntdll.dll, RW->RX)

The EDR sees a modification of the backed .text of ntdll.dll: sus? This is the usual “EDR bypass”.

Usermode Hooks: Patching ntdll.dll

App.exe -> Kernel32.dll::OpenProcess() -> Ntdll.dll::NtOpenProcess() (jmp callback -> Amsi.dll NtCreateFileTrampoline() -> EDR) -> syscall -> OS Kernel
● Indirect Syscall: the syscall instruction inside ntdll.dll is reached without passing the hook
● Direct Syscall: the syscall instruction is executed from the caller's own code
● Either way the EDR hook is not notified :-(
Callstack Spoofing
Callstack Spoofing

Callstack:
● List of addresses of all previous parent functions

Callstack Spoofing

Callstack patch: Modify process/thread stack return addresses

Callstack Spoofing

Process: Unbacked shellcode -> .text -> NtApi -> OS. The EDR queries the Callstack from the Stack, which has been patched.

Image Spoofing
Image Spoofing

notepad.exe:
● Start Suspended
● Overwrite Memory (.text) with the C2
● Resume Process

Module Stomping
Module Stomping

notepad.exe:
● LoadLibrary(“openssl.dll”)
● Overwrite Memory (openssl.dll .text) with the C2
● Start Thread

Memory Encryption
Memory Encryption

Active: .text and .data in the clear.
Sleep(): .text and .data encrypted, so the EDR Memory Scan finds nothing.
EDR Attacks Summary
EDR Attacks Overview

Technique | Telemetry footprint
Userspace-hook patch | Modifying backed RX memory region
ETW patch | Modifying backed RX memory region
Image Spoofing | Modifying backed RX memory region
Module Stomping | Modifying backed RX memory region
Memory Encryption | Modifying unbacked RX memory region
Callstack spoofing | Modify process/thread stack
Commandline spoofing | Overwrite commandline in PEB
PPID spoofing | PROCINFO on ProcessCreate(), in EPROCESS
SuperMega Loader
Cordyceps Technique
Loader injection

program.exe (Carrier: PIC, Putty, 7zip, ...) + Loader (Shellcode) + Payload (encoded) = Loader
Code Similarity Scanning

Malware Detection: Code Similarity Scanning

Compare code in EXE files with known bad:
● Find new versions of malware
● Find code of existing malware in new files
● “Are QBot and PikaBot related?”
● “This looks like QBot”
Machine Learning

Machine Learning:
1) Train Neural Network on malware files
2) ???
3) Profit?

But what is the similarity in the following malware?
● Mimikatz
● CobaltStrike
● Nmap
● Metasploit
● Qbot
● Rubeus
● Psexec
Why file injection?

File injection (e.g. Loader + Shellcode placed in the .text of 7zip.exe):
● Harder to find the malicious code
○ Lots of “code”
○ Code similarity searches fail
○ No “Good code stuffing”
● Existing meta information in the PE
○ Metadata like Company, Issuer
○ Imports / IAT
● What's the alternative?
○ Write your own loader which results in a 5kb file?
○ EXEs generated from C2 frameworks?
○ Burned public loaders?
Basic File Injection

Four variants (EXE: Header, then .text with the Loader inside):
● Plain
● Overwrite main()
● Patch entry point (Mode = 1,1; loader in the middle of .text)
● Patch call (Mode = 2,1; loader in the middle of .text)

RedBackdoorer

https://github.com/mgeeky/ProtectMyTooling/blob/master/RedBackdoorer.py

Disassembled PE Entry Point (main)
SuperMega
Shellcode generation
SuperMega: Shellcode Creation

C -> ASM -> Shellcode (Text)

SuperMega: Shellcode Creation

    char *dest = VirtualAlloc(
        NULL, 202844, 0x3000, RW);

    for (int n=0; n<202844; n++) {
        dest[n] = supermega_payload[n];
    }

    if (MyVirtualProtect(
        dest, 202844, RX, &res) == 0) {
        return 7;
    }

    (*(void(*)())(dest))();

SuperMega: Shellcode Creation

Pipeline: .c Template -> (jinja2) -> .c Rendered -> (cl.exe) -> .asm Compiled -> (masm_shc) -> .asm Cleaned -> (ml64.exe) -> .exe Compiled -> (pefile) -> .bin Shellcode

Loader Demo

Demo SuperMega UI
● C -> ASM
● Phases
● Options
Cordyceps
Cordyceps Motivation

Improve “From C project, through assembly, to shellcode”

Goal:
● Less signaturable
● Less obviously malware

Make it look as genuine as possible
Original Loader PEB Walk
Loader PEB Walk

Calling functions in shellcode:


● Locate the PEB
● Access Ldr data structure: PEB->Ldr
○ Traverse module list (find “ntdll.dll”)
■ Get export table of module
■ Resolve function address
Loader PEB Walk

PEB Walk
NO
Find this

kernel32.dll Ntdll.dll syscall


Kernel
VirtualAllocEx NtAllocateVirtualMemory NtAllocateVirtualMemory

WinApi NtApi
Loader PEB Walk
Loader PEB Walk
Loader PEB Walk

● Why cant we call functions like the program itself?


○ Avoiding the PEB walk
IAT calls
The normal way
IAT Call
IAT Call

.text: call iat:MessageBoxW -> IAT entry -> User32.dll: MessageBoxW()

IAT Call

Call IAT:
IAT:

IAT Call

The call instruction is 6 bytes long and its displacement is relative to the next instruction:

displacement = 0x140002080 - 0x140001017 - 6 = 0x1063
target       = 0x140001017 + 6 + 0x1063 = 0x140002080

IAT entry: 0x140002080
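To check the slide's arithmetic from the analyst's side, here is an added example (not from the talk or SuperMega) that decodes a 6-byte rip-relative call, the form an IAT call takes on x64 (the FF 15 disp32 encoding is an assumption; the slide only says "6 bytes"), and lists which IAT slots a code region calls through. The bytes, addresses and IAT range are constructed around the slide's numbers; the same logic lets an analyst enumerate the imports a patched .text region actually reaches.

```python
"""Decode x64 rip-relative calls through the IAT and report which slots they reach.

Added example; not from the talk or SuperMega.  It assumes the 6-byte form
`call qword ptr [rip+disp32]` (FF 15 disp32).  Bytes and ranges are constructed.
"""
import struct
from typing import List, Optional, Tuple

CALL_RIP_REL = b"\xff\x15"   # opcode of call qword ptr [rip+disp32]
CALL_LEN = 6                 # 2 opcode bytes + 4-byte signed displacement


def decode_iat_call(code: bytes, instr_addr: int) -> Optional[int]:
    """Absolute address of the pointer slot the call reads, or None."""
    if len(code) < CALL_LEN or code[:2] != CALL_RIP_REL:
        return None
    disp = struct.unpack_from("<i", code, 2)[0]
    # rip-relative: the displacement is added to the address of the *next*
    # instruction (instr_addr + 6), which is where the slide's "6" comes from
    return instr_addr + CALL_LEN + disp


def find_iat_calls(code: bytes, code_addr: int, iat_start: int,
                   iat_size: int) -> List[Tuple[int, int]]:
    """Scan a code region and return (instruction address, IAT slot) pairs for
    every rip-relative call whose slot lies inside the IAT."""
    hits = []
    for off in range(len(code) - CALL_LEN + 1):
        if code[off:off + 2] != CALL_RIP_REL:
            continue
        slot = decode_iat_call(code[off:off + CALL_LEN], code_addr + off)
        if slot is not None and iat_start <= slot < iat_start + iat_size:
            hits.append((code_addr + off, slot))
    return hits


# Constructed: a nop, the call from the slide, and a ret, placed so the call
# sits at 0x140001017; the (constructed) IAT covers 0x140002000..0x140002100.
SAMPLE_CODE = b"\x90" + b"\xff\x15\x63\x10\x00\x00" + b"\xc3"
SAMPLE_BASE = 0x140001016
IAT_START, IAT_SIZE = 0x140002000, 0x100

if __name__ == "__main__":
    print(find_iat_calls(SAMPLE_CODE, SAMPLE_BASE, IAT_START, IAT_SIZE))
```

A linear byte scan for FF 15 will also match inside unrelated instructions or data, so on real binaries the hits should be confirmed against a disassembler; the slot check against the import directory range already removes most false positives.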
Cordyceps
IAT Reuse
Cordyceps: IAT reuse

Problem:
● MASM doesn't support relative calls
● Goal: Get rid of PEB_WALK

IAT reuse:
● Solution: Patch shellcode in the infected binary
● Solution: Relative call to IAT

Cordyceps: IAT reuse

C Loader -> ASM Text (with placeholder) -> Shellcode (with placeholder) -> inject into loader.exe -> replace placeholder -> loader.exe with shellcode whose IAT calls are fixed

Cordyceps: IAT reuse

● Find RVA of placeholder (\xd8\x4a\xcc\x09\x26\x9e)
● Find RVA of IAT entry (GetEnvironmentVariableW())
● Create relative “call” instruction
● Replace placeholder with “call” instruction

Note: This is not IAT hooking, it's normal IAT usage

Cordyceps: IAT reuse

Replaced: RVA of call address + RVA IAT = call with offset
Demo

Demo SuperMega UI
● Templates

Cordyceps
.rdata Reuse
Problem: Shellcode Data Reference

Shellcode is code only. How to handle data? (function call arguments)

Problem: Shellcode Data Reference

Instruct compiler to push data on stack

Problem: Shellcode Data Reference

Or, alternatively:
● Interleave data in code
● Jump over it

Cordyceps: .rdata reuse

Both solutions look suspicious

Solution similar to IAT-reuse:
● Inject data into .rdata section
● Patch shellcode in exe to reference it
○ Relative load

.text: inject the shellcode with a relative reference into .rdata
.rdata: inject the shellcode data

Cordyceps: .rdata reuse
Cordyceps Technique
Cordyceps Technique

Cordyceps:
Inject shellcode into executable .text

Patch injected shellcode:
● IAT reuse
● .rdata reuse

Result: Can't differentiate from genuine program
● No IOCs
● No shellcode detection possible

The restrictions of shellcode don't apply when EXE injection is performed

Like in “The last of us”

Demo 4

Demo: Demo 3 Metasploit Meterpreter execution
● Defender: No detection
● MDE: Detection
Anti EDR
Goal: Avoid Memory Scan Trigger

File: Carrier / Loader with Encrypted Payload -> File Scan (AV)
Process: Unencrypted Payload -> Mem Scan (EDR), Behaviour Telemetry (EDR)

EDR Design

● High performance required
● Little information available
● A lot of noise in the system

● Focus: Unbacked memory
○ Unbacked RWX memory
○ Threads starting in unbacked memory
○ Calls into kernel from unbacked memory
○ Unbacked RX memory (going RW)
● Backed (.code) = already AV Scanned; VirtualAlloc = Unbacked
EDR Deconditioning

What will trigger a Memory Scan?

1 VirtualAlloc RW
2 memcpy
3 VirtualProtect RX
4 CreateNewThread()  vs.  4 jmp

Cordyceps
EDR deconditioning
EDR Deconditioning

Make the EDR tired of scanning our memory

Copy carrier functionality

Sirallocalot:
● Do 10 times:
○ Do 100 times:
■ Alloc memory RW with shellcode_len
■ Copy fake data into memory
■ Change to RX
■ Leave it for a bit
○ Free 100

Like pavlov’s dogs

Ring the bell a lot


Loader Demo 5

Demo with sirallocalot MDE


Conclusion
Basic Assumption

● It seems there is not enough information to identify a loader based on telemetry
○ Only Process / Thread / Image loads
○ Loader doesn't use networking, file or registry access
● Telemetry may be there for loader mischief
○ unbacked RW -> RX changes
○ Modifying backed regions
● But not used
Self-Stomping

Loader is integrated in the backed image section (.text: SuperMega Loader)
● Makes it trustworthy

Payload shellcode (C2 doing its thing): Unbacked
Bubbles of Bane

Supermega:
● No signature (File Scan, AV)
○ Or easily changeable
● Very little telemetry (Behaviour, EDR)
○ All looks normal
○ From backed memory
● Will not trigger mem scan (Mem Scan, EDR)
○ But susceptible to on-demand mem scan
○ pe-sieve, moneta
Anti EDR Techniques used for SuperMega Loader

RedTeam Technique | Applied? | Aka
ETW patch? | No | ETW bypass
Usermode-hook patch? | No | AMSI patch, EDR Unhooking, RefleXXion, ScareCrow
Module stomping? | No | DLL stomping
Image spoofing? | No | Process Hollowing
Memory encryption? | No | Sleepmask, Ekko, Gargoyle, Foliage
direct/indirect syscalls? | No | EDR bypass, SysWhisper 1/2/3
Callstack spoofing? | No |
Mess with other process? | No | Process injection
PPID or Argument spoofing? | No |

EDR Checkboxes for SuperMega Loader

Carrier code signatured? No
Windows API Calls coming from unbacked memory? No
Windows API Calls have a suspicious callstack? No
Change memory region from RX to RW? No
Hardware / Software breakpoints? No
APC calls? No
Unbacked RWX memory? No
Unbacked RX memory? Yes
Suspicious sleep state? No
Reflective DLL used? No


Things to avoid in payload

Payload should not do fancy memory things:
● No Stagers
● No Reflective DLL

Staged: windows/meterpreter/reverse_tcp
Stageless: windows/meterpreter_reverse_tcp

Loader vs. Payload

Loader loads the payload:
● CobaltStrike, Sliver, Brute Ratel, Havoc…
● Give the payload the best possible chances

C2 should protect itself:
● Leave it to the experts
○ Memory encryption
○ Callstacks
EDR: Query Overview

Inputs into the EDR: Kernel Callbacks, EtwWrite() -> ETW, ETW-TI, AMSI (amsi.dll, pipe), syscalls through ntdll.dll
Queries by the EDR: Process Info (PEB, EPROCESS), Callstack, Memory Scan, File Scan
Loader Design

When doing your own loader: EXE -> Decode Payload (Encrypted) -> Alloc -> Execution Guardrails / Anti-Emulation / EDR Deconditioning -> Exec

● EDR bypass really necessary? (usermode hook patching)
● Strong encryption / entropy really important?
● Focus on:
○ Backed memory
○ No RWX
○ No RX -> RW
○ Clean Callstacks
● Careful with process injection

Alternatives:
● DLL Sideloading
Correct Anti-EDR

SuperMega & Cordyceps, with Anti-Emulator and the sirallocalot EDR deconditioner

Is able to load:
Nonstaged Winhttp Metasploit with disabled stdapi, and CobaltStrike 4.9 default config
● On Win10/Win11 Defender with no alerts
● On Win11 MDE with low-rated alerts

As of August 2024
Outlook

● Execution Guardrails are very powerful
○ Do them early
● Injecting shellcode into .exe’s is… nice
○ Looks genuine. Can thwart automated analysis
○ Makes manual analysis maybe a bit harder
○ Different from creating your own malicious .exe’s
○ Different from shellcode injection through some other means
● Injecting shellcode into .dll’s is cool
● SuperMega loader is… ok
○ Writing C to inject as shellcode into an .exe is a nice workflow to have
○ Good against file-based scanning
○ Not a super special new anti-EDR or memory scanning technique
○ But difficult to AV-signature
● RWX reuse maybe better against memory analysis tools
● Need framework for loader-chaining
My First and Last Shellcode Loader

My First Shellcode Loader
● Using Linux exploit development know-how
● Learning a lot about Windows

My Last Shellcode Loader
● Works forever
● Debugging sucks

Stuff

More details:
https://blog.deeb.ch/posts/how-edr-works
https://blog.deeb.ch/posts/exe-injection
https://blog.deeb.ch/posts/supermega

SuperMega Loader:
https://github.com/dobin/SuperMega

Soon:
https://github.com/dobin/RedEdr

References

Matt Hand - Evading EDR
https://github.com/hasherezade/masm_shc
From a C project through assembly, to shellcode
https://www.elastic.co/security-labs
https://github.com/mgeeky/ProtectMyTooling/blob/master/RedBackdoorer.py

Additional Loader Tricks
Self Stomping

● Inject DLL in .text (pre-loaded, encrypted)
● Fixup:
○ RW it (part of .text)
○ Decrypt, apply relocs etc.
○ RX it again
● Result: DLL in modified .text
○ Backed memory region

.text before: SuperMega Loader + Payload DLL (Encrypted). .text after: SuperMega Loader + Payload DLL.
Undersized alloc trick

VirtualProtect sets the permission of whole page(s) (4kb)

Use size=1, get the other 4095 bytes for free. EDR will only scan 1 byte?

    // Use size 1, still changes the whole page
    VirtualProtect(shellcode_rw, 1, RX)
UPX as EXE

● UPX has RWX sections
○ Obfuscate payload with Shikata ga nai obfuscator

Advanced C2

Proposal (CobaltStrike 4.10): split into three CobaltStrike parts, Loader -> Backend -> Caller (“Stub”)