
Simple AV bypass storing the shellcode in resources and XOR encrypting it.


caueb/PayloadInResources


PayloadInResources

This is a POC based on the research done by White Knight Labs.

  • Sandbox bypass: checks whether the name of the executable appears in its own path.
  • Stores/fetches the shellcode in the PE resources and XOR encrypts/decrypts it.
  • Uses an unconventional method for process injection. The above is capable of bypassing AV (I tested against Defender) and possibly some EDRs.

Usage

  1. XOR encrypt the raw shellcode using xorencrypt.py:

     ```
     # python .\xorencrypt.py <payload_file> <output_file> <xor_key>
     python .\xorencrypt.py .\calc.bin encrypted.bin ABCD
     ```

  2. Modify metadata.rc to reflect the <output_file> name:

     ```
     SHELLCODE_RESOURCE RCDATA "encrypted.bin"
     ```

  3. Compile metadata.rc to a .res file:

     ```
     rc.exe /r /fo .\metadata.res .\metadata.rc
     ```

  4. Modify line 52 of Caue.cpp with the XOR key you used and compile with clang++:

     ```
     clang++.exe -O2 -Ob2 -Os -fno-stack-protector -g -Xlinker -pdb:none -Xlinker -subsystem:windows -o Caue.exe Caue.cpp metadata.res -luser32 -lkernel32 -fno-unroll-loops -fno-exceptions -fno-rtti
     ```
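The short repeating XOR key used in the steps above is the weak point from an analyst's side: a 4-byte key leaves the resource blob's byte statistics mostly intact, so the key can be recovered from the blob alone. The script below is an added triage example and is not code from the PayloadInResources project. It assumes the RCDATA bytes have already been pulled out of the PE with a resource viewer, relies on the heuristic that 0x00 is the most common plaintext byte in such blobs, and builds its own constructed sample (filler bytes, not shellcode) masked with the key ABCD from the usage example.

```python
"""
Analyst triage helper for an RCDATA blob suspected of carrying a
short repeating-key XOR layer. Added example, not code from the
PayloadInResources project. Assumes the resource bytes were already
extracted from the PE; the sample blob below is constructed from
filler bytes, not real shellcode.
"""
import math
import random
from collections import Counter
from itertools import cycle

# Key taken from the README's usage example; the sample plaintext is constructed.
SAMPLE_KEY = b"ABCD"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. A short-key XOR barely moves this; real encryption pushes it near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call masks and unmasks."""
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


def coincidence_score(data: bytes, length: int) -> float:
    """Mean share of the most common byte across the `length` key columns.
    At the true key length (and its multiples) each column is a single-byte
    XOR of the plaintext, so the dominant plaintext byte shows through."""
    columns = [data[i::length] for i in range(length)]
    return sum(Counter(col).most_common(1)[0][1] / len(col) for col in columns) / length


def guess_key_length(data: bytes, max_len: int = 16, tolerance: float = 0.9) -> int:
    """Smallest length whose score is within `tolerance` of the best, so a
    4-byte key is reported as 4 rather than 8, 12 or 16."""
    scores = {n: coincidence_score(data, n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= tolerance * best)


def recover_key(data: bytes, dominant_plain_byte: int = 0x00) -> bytes:
    """Heuristic: the most common plaintext byte (0x00 in most PE/shellcode
    blobs) maps to the most common byte of each column, so XOR yields the key."""
    length = guess_key_length(data)
    return bytes(
        Counter(data[i::length]).most_common(1)[0][0] ^ dominant_plain_byte
        for i in range(length)
    )


def build_sample(n: int = 4096, seed: int = 1234) -> tuple:
    """Constructed stand-in for a resource blob: about 60% zero bytes, the rest
    random, then masked with SAMPLE_KEY. Returns (plaintext, masked_blob)."""
    rng = random.Random(seed)
    plain = bytes(0 if rng.random() < 0.6 else rng.randrange(1, 256) for _ in range(n))
    return plain, xor_with_key(plain, SAMPLE_KEY)


def triage(blob: bytes) -> dict:
    """What an analyst would record about the blob: entropy before and after
    unmasking, the guessed key, and the unmasked bytes for further inspection."""
    key = recover_key(blob)
    unmasked = xor_with_key(blob, key)
    return {
        "entropy_masked": round(shannon_entropy(blob), 2),
        "guessed_key": key,
        "entropy_unmasked": round(shannon_entropy(unmasked), 2),
        "unmasked": unmasked,
    }


if __name__ == "__main__":
    plain, blob = build_sample()
    report = triage(blob)
    print(f"masked entropy   {report['entropy_masked']}")
    print(f"guessed key      {report['guessed_key']!r}")
    print(f"unmasked entropy {report['entropy_unmasked']}")
    print("roundtrip ok    ", report["unmasked"] == plain)
```

The entropy comparison is the cheap first check: a blob whose entropy drops noticeably after a short-key XOR was very likely masked rather than encrypted, and the recovered key can then be fed to the same unmasking routine the loader uses. On a real sample the 0x00 heuristic should be confirmed by eyeballing the unmasked bytes for recognisable structure before trusting the key.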

Credits
