❗ Another small personal PoC project from my side. Completely free and open source. It is not one of my company's assets!
A Windows stager-cum-PE loader focused on dynamic EDR evasion: the operator first learns which underlying functions are hooked, crafts the implant around that, and then loads it in memory with this PE loader.
This image is what made me do this project. (Thanks to @matterpreter)
1. First dump the hooked functions, then wait for user input: the name of the implant to download from the remote server.
2. Once the implant is ready (it must not use any of the hooked functions dumped in step 1), it is hosted on the payload server and its name is entered into this PE loader.
3. The implant's header then has to be edited with any hex editor; in my case I changed MZ to ÉZ and downloaded it from the website in that state. This is done just to trick the EDR into thinking the downloaded binary is not a PE at all. Much, much thanks to @peterwintrsmith for this suggestion! 😄
Editing Demon.exe (Havoc C2 binary):
Before using this PE header editing technique:
After using this PE header editing technique:
Demo video (bandicam.2023-02-16.03-54-16-649.mp4): https://drive.google.com/file/d/1Y7MqPWR13fY0WqNGUTXPgYVbiMy-j41d/view?usp=sharing
- Bypassing Get-InjectedThread.ps1 by @jaredcatkinson: I used EnumThreadWindows rather than CreateRemoteThread to run the shellcode version of ntdll in memory!
- Bypassing DefenderCheck by @matterpreter:
- AntiScan.me Scan:
- Capa Scan:
- Moneta Scan:
- Pe-sieve Scan:
```text
PS C:\Users\HP\Desktop\Tools\DefenseTools> .\pe-sieve64.exe /pid 18164 /shellc /data 3
PID: 18164
Output filter: no filter: dump everything (default)
Dump mode: autodetect (default)
[-] Could not set debug privilege
[*] Using raw process!
[*] Scanning: C:\Users\HP\Desktop\Windows\MaldevTechniques\3.Evasions\CheckHook_PELoader\checkHooks-n-load.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\winhttp.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\imm32.dll
[*] Scanning: C:\Windows\System32\ws2_32.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\webio.dll
[*] Scanning: C:\Windows\System32\mswsock.dll
[*] Scanning: C:\Windows\System32\IPHLPAPI.DLL
[*] Scanning: C:\Windows\System32\winnsi.dll
[*] Scanning: C:\Windows\System32\nsi.dll
[*] Scanning: C:\Windows\System32\sspicli.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\mscoree.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\shell32.dll
[*] Scanning: C:\Windows\System32\cryptsp.dll
[*] Scanning: C:\Windows\System32\wkscli.dll
[*] Scanning: C:\Windows\System32\netapi32.dll
[*] Scanning: C:\Windows\System32\samcli.dll
[*] Scanning: C:\Windows\System32\srvcli.dll
[*] Scanning: C:\Windows\System32\netutils.dll
[*] Scanning: C:\Windows\System32\dhcpcsvc.dll
[*] Scanning: C:\Windows\System32\schannel.dll
[*] Scanning: C:\Windows\System32\mskeyprotect.dll
[*] Scanning: C:\Windows\System32\ntasn1.dll
[*] Scanning: C:\Windows\System32\ncrypt.dll
[*] Scanning: C:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\ncryptsslp.dll
[*] Scanning: C:\Windows\System32\bcryptprimitives.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\System32\rsaenh.dll
[*] Scanning: C:\Windows\System32\CRYPTBASE.dll
[*] Scanning: C:\Windows\System32\gpapi.dll
[*] Scanning: C:\Windows\System32\dpapi.dll
Scanning workingset: 298 memory regions.
[!] Scanning detached: 00007FF770A10000 : C:\Users\HP\Desktop\Windows\MaldevTechniques\3.Evasions\CheckHook_PELoader\checkHooks-n-load.exe
[-] Could not read the remote PE at: 00007FF770A10000
[*] Workingset scanned in 985 ms
[+] Report dumped to: process_18164
[!] Image size at: 7ff770a10000 undetermined, using calculated size: 2f000
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\7ff770a10000.checkHooks-n-load.exe as VIRTUAL
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\7ffe237e0000.kernel32.dll as REALIGNED
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\140000000.exe as REALIGNED
[*] Dumped module to: C:\Users\HP\Desktop\Tools\DefenseTools\\process_18164\29883e50000.shc as VIRTUAL
[+] Dumped modified to: process_18164
[+] Report dumped to: process_18164
---
PID: 18164
---
SUMMARY:

Total scanned:      46
Skipped:            0
-
Hooked:             1
Replaced:           0
Hdrs Modified:      0
IAT Hooks:          0
Implanted:          2
 Implanted PE:      2
 Implanted shc:     0
Unreachable files:  0
Other:              1
-
Total suspicious:   4
---
```
- @peterwintrsmith and @Jean_Maes_1994, as always, for helping and guiding me! 😄
- https://stackoverflow.com/questions/38672719/post-request-in-winhttp-c
- https://github.com/aaaddress1/RunPE-In-Memory
- detecting-hooked-syscall-functions by @spotheplanet
- posts.specterops.io by @matterpreter
- @SEKTOR7net as always for his Evasion Course!