SaadAhla/PE-Obfuscator
PE-Obfuscator

PE obfuscator written with evasion in mind; it needs administrator privileges in order to load the RTCore64 driver.

Video:

PE-Obfuscator.mp4

The Obfuscator:

- Gets the XORed fileless PE from a remote server
- Drops the Loader to disk
- Adds a random section to that Loader
- Adds the XORed fileless PE to the newly created Loader section
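
A defender-side check for the section-append step above, added here as an example and not part of this repository: it walks a PE's section table and flags sections whose name no linker would emit and whose raw bytes have near-maximal entropy, which is what an XOR-encoded payload dropped into a fresh section looks like. The demo PE, the threshold of 7.0 bits per byte and the section name `.q7zxk` are constructed for illustration.

```python
import math
import struct

COMMON_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".tls"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: XOR-encoded or encrypted blobs sit near 8.0, plain code nearer 6."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def section_headers(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table; yield (name, raw bytes)."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(pe: bytes, min_entropy: float = 7.0):
    """[(name, entropy)] for sections whose name a linker would not emit and whose bytes look encoded."""
    return [(name, round(ent, 2)) for name, data in section_headers(pe)
            if name not in COMMON_NAMES and (ent := shannon_entropy(data)) >= min_entropy]

def build_demo_pe(sections):
    """Constructed minimal PE32+ shell for exercising the scanner (optional header zeroed, not loadable)."""
    opt_size, e_lfanew = 240, 0x40
    ptr = e_lfanew + 24 + opt_size + 40 * len(sections)  # raw data follows the section table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table, blobs = b"", b""
    for name, data in sections:
        table += name.ljust(8, "\0").encode() + struct.pack(
            "<IIIIIIHHI", len(data), 0, len(data), ptr, 0, 0, 0, 0, 0x40000040)
        blobs += data
        ptr += len(data)
    return dos + coff + b"\0" * opt_size + table + blobs

if __name__ == "__main__":
    demo = build_demo_pe([(".text", b"\x90" * 200 + b"\xc3"), (".q7zxk", bytes(range(256)) * 2)])
    print(suspicious_sections(demo))  # [('.q7zxk', 8.0)]
```

Run it against real samples by passing the file bytes to `suspicious_sections`; packed resources in `.rsrc` are deliberately excluded because compressed data also scores high.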

The Loader:

- Unhooks ntdll using the clean copy from KnownDlls
- Drops RTCore64 to disk
- Loads/installs RTCore64
- Exploits RTCore64 to remove kernel callbacks
- XORs the PE
- Maps/loads the PE from the added section
- Stomps a large module that fits the PE

Credits:

https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/
https://github.com/br-sn/CheekyBlinder
https://github.com/lawiet47/STFUEDR
https://papers.vx-underground.org/papers/Windows/Infection/2015-03-06%20-%20PE%20Infection%20-%20Add%20a%20PE%20section%20-%20with%20code.txt
