[若渴計畫] Challenges and Solutions of Window Remote Shellcode

Challenges and Solutions of Windows Remote Shellcode @若渴
2017.11.19
AjMaChInE <ajblane0612@gmail.com>
Outline
• Overview of Windows remote shellcode
• Some challenges and solutions
– Antivirus
– EMET
– Firewall
– Intrusion-Detection System (IDS) / Intrusion-Prevention System (IPS)
• References
Remote Shellcode [0][1]
[Figure: terminal process, protocol/pipe, remote process, command, sh]
Windows Shellcode Skeleton in Assembly [12]
• Getting EIP
• Decoder
• Getting addresses of required functions
• Setup socket
• Spawning a shell
Getting EIP – Why [12][13]
• What is the problem with such a hardcoded address?
[Figure: the compiler may move that code to another address space]
Getting EIP [12]
Getting Addresses of Required Functions [2]
[Figure: finding kernel32.dll, then LoadLibraryA and GetProcAddress; direct system calls are not reliable]
How to Find kernel32.dll under ASLR? [2][3][4]
• Process Environment Block (PEB): fs:[0x30]
• Structured Exception Handling (SEH): fs:[0]
• Thread Environment Block (TEB), +0x4 TOPSTACK: fs:[0x18] (not reliable)
Finding kernel32.dll – PEB
“The process of determining the kernel32.dll base address involves making use of the Process Environment Block (PEB). The operating system allocates a structure for every running process that can always be found at fs:[0x30] from within the process. The PEB structure holds information about the process’ heaps, binary image information, and, most importantly, three linked lists regarding loaded modules that have been mapped into process space. The linked lists themselves differ in purposes from showing the order in which the modules were loaded to the order in which the modules were initialized. The initialization order linked list is of most interest as the order in which kernel32.dll is initialized is always constant as the second module to be initialized.” [2]
Finding kernel32.dll – SEH
“Windows NT based versions the top-most entry in the SEH list can always be found at fs:[0] from within the process. With this in mind, one can walk the list of installed exception handlers until they reach the last one. When the last one is reached the address of the function pointer can be used as a starting point for walking down in increments of 64KB, or 16 × 4096 byte pages. In Windows, DLL’s will only align on 64KB boundaries. At each 64KB boundary a check can be performed to see if the two characters at that point are ‘MZ’. These two characters mark the MSDOS header that is prepended to portable executables.” [2]
Address Resolution of Required Functions
• PEB parsing [5]
– This method uses the Process Environment Block (PEB) data structure to locate the base addresses of loaded DLLs, then finds their function addresses by parsing each DLL's Export Address Table (EAT)
• Hash API search [5]
– For quickly finding required functions by comparing name hashes instead of the names themselves
[Figure: the names in a DLL's EAT (or IAT) are hashed and each hash is compared with the hash of the required function]
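The hash comparison in the figure is what lets shellcode resolve APIs without carrying function names. The Python below is an added example, not code from the slides or from reference [5]: it implements the rotate-right-13 hash used by Metasploit's block_api resolver (module name uppercased as UTF-16LE including its terminator, export name as ASCII including its NUL, both folded with "ror 13; add", then summed mod 2^32), builds the reverse table an analyst needs to turn hashes found in a sample back into API names, and scans a byte blob for `push imm32` operands that match. The value 0x0726774C for kernel32.dll!LoadLibraryA is the constant that appears in Metasploit's payload sources; the export list is a constructed subset and the sample blob is constructed for the example.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits (the 'ror edi, 13' step)."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def _ror13_hash(data: bytes) -> int:
    """Fold a byte string with the rotate-then-add loop used by the resolver."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def module_hash(module: str) -> int:
    """Module names are hashed uppercased as UTF-16LE, including the 2-byte terminator."""
    return _ror13_hash((module.upper() + "\x00").encode("utf-16-le"))


def function_hash(function: str) -> int:
    """Export names are hashed as ASCII, including the NUL terminator."""
    return _ror13_hash((function + "\x00").encode("ascii"))


def api_hash(module: str, function: str) -> int:
    """The value the shellcode carries: module hash plus export hash, mod 2**32."""
    return (module_hash(module) + function_hash(function)) & MASK32


# Constructed subset of exports. A real table is built by enumerating every
# export of the DLLs of interest (e.g. with a PE parser) and hashing each name.
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "WinExec", "CreateProcessA",
                     "VirtualAlloc", "VirtualProtect", "CreateRemoteThread",
                     "OpenProcess", "ExitProcess"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send"],
}


def build_hash_table(exports=KNOWN_EXPORTS) -> dict:
    """Precompute hash -> 'module!export' for every name we know about."""
    return {api_hash(mod, fn): f"{mod}!{fn}" for mod, fns in exports.items() for fn in fns}


def find_pushed_hashes(blob: bytes, table: dict) -> list:
    """Scan a blob for 'push imm32' (opcode 0x68) whose operand is a known API hash.

    Returns (offset, hash, name) tuples; the offset points at the push opcode.
    """
    hits = []
    for i in range(len(blob) - 4):
        if blob[i] == 0x68:
            value = struct.unpack_from("<I", blob, i + 1)[0]
            if value in table:
                hits.append((i, value, table[value]))
    return hits


# Constructed sample: two resolver calls in the 'push hash; call ebp' (ff d5)
# style, with an unrelated immediate in between. Not a real shellcode sample.
SAMPLE_BLOB = (
    b"\x90\x90"
    + b"\x68" + struct.pack("<I", 0x0726774C) + b"\xff\xd5"   # kernel32.dll!LoadLibraryA
    + b"\x68" + struct.pack("<I", 0x11223344)                 # not an API hash
    + b"\x68" + struct.pack("<I", api_hash("kernel32.dll", "WinExec")) + b"\xff\xd5"
)


def analyse_sample() -> list:
    """Resolve every known hash pushed in the constructed sample."""
    return find_pushed_hashes(SAMPLE_BLOB, build_hash_table())


if __name__ == "__main__":
    # kernel32.dll!LoadLibraryA -> 0x0726774C
    print(f"kernel32.dll!LoadLibraryA -> 0x{api_hash('kernel32.dll', 'LoadLibraryA'):08X}")
    for offset, value, name in analyse_sample():
        print(f"offset {offset:3d}: push 0x{value:08X}  ; {name}")
```

Because the module hash uppercases the name, `KERNEL32.DLL` and `kernel32.dll` resolve to the same value, which is why the shellcode does not care how the loader spelled the module; a detection signature that keys on these constants is correspondingly case-independent.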
Functions You May Want to Use [6]
• WinExec
• CreateProcessW
• CreateProcessA
• LoadLibraryExA
• LoadLibraryExW
• OpenFile
• CreateThread
• CreateRemoteThread
• GetProcAddress
• LoadModule
• CreateFileA
• CreateFileW
• _lopen
• _lcreat
• CopyFileA
• CopyFileW
• CopyFileExA
• CopyFileExW
• MoveFileA
• MoveFileExW
• LockFile
• GetModuleHandleA
• VirtualProtect
• OpenProcess
• GetModuleHandleW
• MoveFileWithProgressA
• MoveFileWithProgressW
• DeleteFileA
Challenges of Shellcode for Antivirus [7][8]
• Static signature analysis
– Signature analysis is based on a blacklist method
– e.g. YARA [9]
• Static heuristic analysis
– In this case the AV checks the code for patterns known to be found in malware. There are many possible rules, which depend on the vendor
• Dynamic analysis
– These days most AVs rely on a dynamic approach. When an executable is scanned, it is launched in a virtual environment for a short amount of time. Combining this with signature verification and heuristic analysis allows detecting unknown malware, even malware relying on encryption: the code decrypts itself in the AV sandbox, and analysis of the “new code” can then trigger on suspicious behavior
Bypassing Challenges of Shellcode for Antivirus [7][8]
• Bypassing static signature analysis / static heuristic analysis
– Decryption [10][11]
– Obfuscation [7]
– Non-standard languages for Windows binaries [25]
• Bypassing dynamic analysis
Obfuscation
The Veil-Framework [25]
• Obfuscated code
• Encrypted code
• Non-standard languages for Windows binaries
– Python, Ruby, Perl, Go, etc.
Bypassing Dynamic Analysis [7][8]
• Allocate and fill 100M memory
• Hundred million increments
• Attempt to open a system process
• Attempt to open a non-existing URL
• Action which depends on local username
• What the fuck is NUMA?
• What the fuck are FLS?
• Check process memory
• Time distortion
• What is my name?
• I am my own father
• First open a mutex
• Load fake library
• Is debugger present
• Number of cores
• Trap flag manipulation
Bypassing Dynamic Analysis – Hundred Million Increments [8]
[Figure: AV detection / emulator]
Proper Ways To Execute Shellcodes [7][8]
• HeapCreate/HeapAlloc
• LoadLibrary/GetProcAddress
• GetModuleHandle/GetProcAddress
• Multi-Threading
Challenges of Shellcode for EMET
• Preventing EAT parsing techniques
Bypassing Challenges of Shellcode for EMET
• IAT parsing [23]
– The application's Import Address Table also holds the addresses of the Win32 API functions it imports
Challenges of Shellcode for Firewalls
• Inbound detection
• Outbound detection
• Usually, firewalls allow connections to popular services such as port 25 (SMTP), 53 (DNS), 80 (HTTP), etc.
Bypassing Challenges of Shellcode for Firewalls
• Bypassing inbound detection
– Reverse remote shellcode
• Bypassing outbound detection (once you are in, how do you get back out?), e.g. [12]:
Bypassing Outbound Detection
• DLL/PE injection into iexplore.exe, telnet, ftp, SSH and the like [13]
• One-way shellcode [2][12]
• Meterpreter HTTP, HTTPS and DNS stagers [21]
DLL Injection Overview – Step 1/2 [17]
DLL Injection Overview – Step 3/4 [17]
Execution Methods of DLL Injection [15]
• CreateRemoteThread()
• NtCreateThreadEx()
• QueueUserAPC()
• SetWindowsHookEx()
• RtlCreateUserThread()
• Code cave via SetThreadContext()
• Reflective DLL
DLL/PE Injection into iexplore.exe [13]
• Querying the registry key, rather than referring to “c:...iexplore.exe”
• CreateProcess() to open the browser and keep its window hidden
• WaitForInputIdle() to give the process time to initialize
• WriteProcessMemory() to copy the networking code
• CreateRemoteThread() to run the code
• The injected procedure connects to the web site and sends the HTTP request
Reflective DLL Injection [16][18]
• Reflective DLL (= DLL-format PE file loader)
[Figure: the reflective DLL is loaded by the reflective DLL itself]
DLL/PE/Process Hollowing Injection [19][20]
One-way Shellcode – Find Socket [12]
(using anonymous pipe)
One-way Shellcode – Reuse Socket [12]
The problem with the “Find Socket” method:
• If the socket has already been closed (the SO_REUSEADDR socket option)
One-way Shellcode – Rebind Socket [12]
The problem with the “Rebind Socket” method:
• If SO_EXCLUSIVEADDRUSE is used, reusing the address is not possible
The Meterpreter: a stager and a stage [21][22][24]
An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]
Bypassing An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]
[Figure: Thread 1 runs a local proxy on port 8080; Thread 2 runs reverse_winhttp with LHOST=127.0.0.1 and LPORT=8080; the local proxy adds NTLM authentication to the HTTP requests, and the stager trusts the local proxy and goes out through the corporate proxy]
References
• [0] How To Make A Reverse TCP Backdoor In Python - Part 1
– https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-1/1038
• [1] How To Make A Reverse TCP Backdoor In Python - Part 2
– https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-2/1040
• [2] Understanding Windows Shellcode
– http://www.hick.org/code/skape/papers/win32-shellcode.pdf
• [3] Windows Reverse Shell Shellcode I.
– http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
• [4] Windows Reverse Shell Shellcode II.
– http://sh3llc0d3r.com/windows-reverse-shell-shellcode-ii/
• [5] Art of Anti Detection 3 – Shellcode Alchemy
– https://pentest.blog/art-of-anti-detection-3-shellcode-alchemy/
• [6] NT Shellcode Prevention Demystified
– http://www.phrack.org/issues/63/15.html#article
• [7] Art of Anti Detection – 1 Introduction to AV and Detection Techniques
– https://www.exploit-db.com/docs/40900.pdf
• [8] Bypass Antivirus Dynamic Analysis - Limitations of the AV Model and How to Exploit Them
– https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf
• [9] YARA
– http://virustotal.github.io/yara/
• [10] Code Segment Encryption
– http://blog.sevagas.com/?Code-segment-encryption
• [11] Hide Meterpreter Shellcode in Executable
– http://blog.sevagas.com/Hide-meterpreter-shellcode-in-executable
• [12] History and Advances in Windows Shellcode
– http://phrack.org/issues/62/7.html
– https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf
• [13] Using Process Infection to Bypass Windows Software Firewalls
– http://phrack.org/issues/62/7.html
• [14] Evade Egress Restrictions with Staged Payloads
– https://blog.cobaltstrike.com/2013/11/15/evade-egress-restrictions-with-staged-payloads/
• [15] Inject All the Things
– http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/
– https://github.com/fdiskyou/injectAllTheThings/
– Microsoft Visual Studio Express 2013 for Windows Desktop
• [16] Reflective DLL Injection
– https://www.dc414.org/wp-content/uploads/2011/01/242.pdf
– https://github.com/stephenfewer/ReflectiveDLLInjection
• [17] Windows DLL Injection Basics
– http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
• [18] DOUBLEPULSAR Usermode Analysis: Generic Reflective DLL Loader
– https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
• [19] Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process
Injection Techniques
– https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
– https://github.com/secrary/InjectProc
• [20] Process Hollowing
– https://github.com/m0n0ph1/Process-Hollowing
• [21] Metasploit - The Exploit Learning Tree
– https://www.exploit-db.com/docs/27935.pdf
• [22] Meterpreter Stage AV/IDS Evasion with Powershell
– https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/
– https://github.com/Arno0x/PowerShellScripts/blob/master/proxyMeterpreterHideout.ps1
• [23] Teaching Old Shellcode New Tricks
– https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2017-Teaching_Old_Shellcode_New_Tricks.pdf
– https://github.com/secretsquirrel/fido
• [24] Deep Dive Into Stageless Meterpreter Payloads
– https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/
• [25] The Art of AV Evasion - or Lack Thereof
– https://www.slideshare.net/CTruncer/the-art-of-av-evasion-or-lack-thereof
– https://github.com/Veil-Framework/Veil
Structure and Functions of Cell.pdfStructure and Functions of Cell.pdf
Structure and Functions of Cell.pdf
Nithya Murugan455 views
EIT-Digital_Spohrer_AI_Intro 20231128 v1.pptx by ISSIP
EIT-Digital_Spohrer_AI_Intro 20231128 v1.pptxEIT-Digital_Spohrer_AI_Intro 20231128 v1.pptx
EIT-Digital_Spohrer_AI_Intro 20231128 v1.pptx
ISSIP359 views
AUDIENCE - BANDURA.pptx by iammrhaywood
AUDIENCE - BANDURA.pptxAUDIENCE - BANDURA.pptx
AUDIENCE - BANDURA.pptx
iammrhaywood77 views
Dance KS5 Breakdown by WestHatch
Dance KS5 BreakdownDance KS5 Breakdown
Dance KS5 Breakdown
WestHatch69 views
11.30.23 Poverty and Inequality in America.pptx by mary850239
11.30.23 Poverty and Inequality in America.pptx11.30.23 Poverty and Inequality in America.pptx
11.30.23 Poverty and Inequality in America.pptx
mary850239149 views
Narration ppt.pptx by TARIQ KHAN
Narration  ppt.pptxNarration  ppt.pptx
Narration ppt.pptx
TARIQ KHAN131 views
Class 10 English lesson plans by TARIQ KHAN
Class 10 English  lesson plansClass 10 English  lesson plans
Class 10 English lesson plans
TARIQ KHAN280 views
The basics - information, data, technology and systems.pdf by JonathanCovena1
The basics - information, data, technology and systems.pdfThe basics - information, data, technology and systems.pdf
The basics - information, data, technology and systems.pdf
JonathanCovena1106 views

[若渴計畫] Challenges and Solutions of Window Remote Shellcode

  • 1. Challenges and Solutions of Window Remote Shellcode @若渴 2017.11.19 <ajblane0612@gmail.com> AjMaChInE
  • 2. Outline
    • Overview of window remote shellcode
    • Some challenges and solutions
      – Antivirus
      – EMET
      – Firewall
      – Intrusion-Detection System (IDS)/ Intrusion-Prevention System (IPS)
    • Reference
  • 3. Remote Shellcode [0][1]
    (diagram: protocol process <-> pipe <-> terminal process; command -> sh)
  • 4. Windows Shellcode Skeleton in Assembly [12]
    • Getting EIP
    • Decoder
    • Getting addresses of required functions
    • Setup socket
    • Spawning a shell
  • 5. Getting EIP – Why [12][13]
    • What is the problem with such a hardcoded address?
    (diagram: the compiler may move that code to another address space, ????)
  • 7. Getting Addresses of Required Functions [2]
    • Finding kernel32.dll -> LoadLibraryA, GetProcAddress
    • System calls: not reliable
  • 8. How to Find kernel32.dll under ASLR? [2][3][4]
    • Process Environment Block (PEB): fs:[0x30]
    • Structured Exception Handling (SEH): fs:[0]
    • Thread Environment Block (TEB) +0x4 TOPSTACK: fs:[0x18], not reliable
  • 9. Finding kernel32.dll – PEB
    “The process of determining the kernel32.dll base address involves making use of the Process Environment Block (PEB). The operating system allocates a structure for every running process that can always be found at fs:[0x30] from within the process. The PEB structure holds information about the process’ heaps, binary image information, and, most importantly, three linked lists regarding loaded modules that have been mapped into process space. The linked lists themselves differ in purposes from showing the order in which the modules were loaded to the order in which the modules were initialized. The initialization order linked list is of most interest as the order in which kernel32.dll is initialized is always constant as the second module to be initialized.” [2]
  • 10. Finding kernel32.dll – SEH
    “[In] Windows NT based versions, the top-most entry in the SEH list can always be found at fs:[0] from within the process. With this in mind, one can walk the list of installed exception handlers until they reach the last one. When the last one is reached the address of the function pointer can be used as a starting point for walking down in increments of 64KB, or 16 × 4096 byte pages. In Windows, DLL’s will only align on 64KB boundaries. At each 64KB boundary a check can be performed to see if the two characters at that point are ‘MZ’. These two characters mark the MSDOS header that is prepended to portable executables.” [2]
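The 64KB-stride walk the quoted passage describes, as an added example that is not part of the slides or of [2]: it runs over a constructed flat memory image instead of a live process, and adds the check a practitioner wants beyond the bare ‘MZ’ test, namely that e_lfanew points at a real ‘PE\0\0’ signature, so stray ‘MZ’ bytes are not taken for a module base (an assumption layered on the quoted method; all addresses are constructed).

```python
import struct

ALIGN = 0x10000  # DLLs are mapped on 64KB boundaries, so only those are candidate bases

def build_fake_image(base, size, headers):
    """Constructed flat memory image (test data, not a real process dump).
    headers: list of (address, e_lfanew, valid_pe_signature)."""
    img = bytearray(size)
    for addr, e_lfanew, valid in headers:
        off = addr - base
        img[off:off + 2] = b"MZ"                      # MS-DOS header magic
        img[off + 0x3C:off + 0x40] = struct.pack("<I", e_lfanew)
        sig = b"PE\x00\x00" if valid else b"XX\x00\x00"
        img[off + e_lfanew:off + e_lfanew + 4] = sig
    return bytes(img)

def read(image, base, addr, n):
    """Read n bytes at a virtual address; empty bytes if outside the image."""
    off = addr - base
    return image[off:off + n] if 0 <= off and off + n <= len(image) else b""

def looks_like_pe(image, base, addr):
    """'MZ' at the candidate plus a sane e_lfanew that points at 'PE\\0\\0'."""
    if read(image, base, addr, 2) != b"MZ":
        return False
    raw = read(image, base, addr + 0x3C, 4)
    if len(raw) != 4:
        return False
    e_lfanew = struct.unpack("<I", raw)[0]
    # The NT headers must lie inside the first 64KB of the mapping.
    return e_lfanew < ALIGN and read(image, base, addr + e_lfanew, 4) == b"PE\x00\x00"

def find_module_base(image, base, start_addr):
    """Walk down from start_addr in 64KB steps until a PE header is found."""
    addr = start_addr & ~(ALIGN - 1)
    while addr >= base:
        if looks_like_pe(image, base, addr):
            return addr
        addr -= ALIGN
    return None

def demo():
    base, size = 0x7C800000, 0x60000
    image = bytearray(build_fake_image(base, size, [
        (0x7C820000, 0xE8, True),   # the real module header
        (0x7C840000, 0xE8, False),  # aligned 'MZ' with a broken PE signature
    ]))
    image[0x51000:0x51002] = b"MZ"  # stray 'MZ' bytes not on a 64KB boundary
    # 0x7C855000 stands in for the address of the last SEH handler
    return find_module_base(bytes(image), base, 0x7C855000)

if __name__ == "__main__":
    print(hex(demo()))
```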
  • 11. Address Resolution of Required Functions
    • PEB parsing [5]
      – This method uses the Process Environment Block (PEB) data structure to locate the base addresses of loaded DLLs and finds their function addresses by parsing the Export Address Table (EAT)
    • Hash API search [5]
      – For quickly finding required functions
    (diagram: DLL EAT/IAT -> required functions; hash ?= hash)
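The analyst's side of the hash API search, as an added example (not from the slides or their references): when a sample carries only 32-bit constants, precomputing the hashes of candidate exports lets the constants be mapped back to names. The hashing convention used here is Metasploit's block_api ROR13 scheme, an assumption since the slide names no algorithm; the candidate list and the sample immediates are constructed.

```python
# Candidate exports: the "Functions You May Want to Use" slide, plus the loader and
# socket APIs a remote shellcode needs (selection constructed for this example).
CANDIDATES = {
    "kernel32.dll": [
        "WinExec", "CreateProcessW", "CreateProcessA", "LoadLibraryExA", "LoadLibraryExW",
        "OpenFile", "CreateThread", "CreateRemoteThread", "GetProcAddress", "LoadModule",
        "CreateFileA", "CreateFileW", "_lopen", "_lcreat", "CopyFileA", "CopyFileW",
        "CopyFileExA", "CopyFileExW", "MoveFileA", "MoveFileExW", "LockFile",
        "GetModuleHandleA", "VirtualProtect", "OpenProcess", "GetModuleHandleW",
        "MoveFileWithProgressA", "MoveFileWithProgressW", "DeleteFileA",
        "LoadLibraryA", "VirtualAlloc",
    ],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "bind", "listen", "accept",
                   "recv", "send", "closesocket"],
}

def ror32(value, bits):
    """32-bit rotate right, the x86 `ror` the shellcode's hash loop uses."""
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def ror13_hash(data):
    """Fold each byte in: rotate the accumulator right by 13, then add the byte."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h

def api_hash(module, function):
    """Metasploit block_api convention (an assumption; the slide names no algorithm):
    hash of the upper-cased module name as UTF-16LE including its terminator, plus the
    hash of the ASCII function name including its terminator, summed modulo 2**32."""
    mod = ror13_hash((module.upper() + "\x00").encode("utf-16-le"))
    fn = ror13_hash((function + "\x00").encode("ascii"))
    return (mod + fn) & 0xFFFFFFFF

def build_table(candidates):
    """Precompute hash -> 'module!function' for every candidate export."""
    return {api_hash(m, f): f"{m}!{f}" for m, funcs in candidates.items() for f in funcs}

def resolve(immediates, table):
    """Map 32-bit constants pulled from a sample back to API names."""
    return [table.get(h, f"unresolved_{h:08X}") for h in immediates]

# Constructed sample: immediates as they might be pushed before the hash-lookup call.
SAMPLE_IMMEDIATES = [0x0726774C, 0xE553A458, 0x12345678]

if __name__ == "__main__":
    for name in resolve(SAMPLE_IMMEDIATES, build_table(CANDIDATES)):
        print(name)
```

Unresolved constants are reported with their raw value so the candidate list can be extended rather than silently dropped.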
  • 12. Functions You May Want to Use [6]
    • WinExec
    • CreateProcessW
    • CreateProcessA
    • LoadLibraryExA
    • LoadLibraryExW
    • OpenFile
    • CreateThread
    • CreateRemoteThread
    • GetProcAddress
    • LoadModule
    • CreateFileA
    • CreateFileW
    • _lopen
    • _lcreat
    • CopyFileA
    • CopyFileW
    • CopyFileExA
    • CopyFileExW
    • MoveFileA
    • MoveFileExW
    • LockFile
    • GetModuleHandleA
    • VirtualProtect
    • OpenProcess
    • GetModuleHandleW
    • MoveFileWithProgressA
    • MoveFileWithProgressW
    • DeleteFileA
  • 13. Challenges of Shellcode for Antivirus [7][8]
    • Static signature analysis
      – Signature analysis is based on a blacklist method
      – EX: YARA [9]
    • Static heuristic analysis
      – In this case the AV checks the code for patterns which are known to be found in malware. There are a lot of possible rules, which depend on the vendor
    • Dynamic analysis
      – These days most AV rely on a dynamic approach. When an executable is scanned, it is launched in a virtual environment for a short amount of time. Combining this with signature verification and heuristic analysis allows detecting unknown malware, even malware relying on encryption. Indeed, the code decrypts itself in the AV sandbox; then, analysis of the “new code” can trigger some suspicious behavior.
  • 14. Bypassing Challenges of Shellcode for Antivirus [7][8]
    • Bypassing static signature analysis/ static heuristic analysis
      – Decryption [10][11]
      – Obfuscation [7]
      – Non-standard languages for windows binaries [25]
    • Bypassing dynamic analysis
  • 16. The Veil-Framework [25]
    • Obfuscated code
    • Encrypted code
    • Non-standard languages for windows binaries
      – Python, Ruby, Perl, Go, etc.
  • 17. Bypassing Dynamic Analysis [7][8]
    • Allocate and fill 100M memory
    • Hundred million increments
    • Attempt to open a system process
    • Attempt to open a non-existing URL
    • Action which depends on local username
    • What the fuck is NUMA?
    • What the fuck are FLS?
    • Check process memory
    • Time distortion
    • What is my name?
    • I am my own father
    • First open a mutex
    • Load fake library
    • Is debugger present
    • Number of Cores
    • Trap flag manipulation
  • 18. Bypassing Dynamic Analysis – Hundred Million Increments [8]
    (diagram: AV detection emulator)
  • 19. Proper Ways To Execute Shellcodes [7][8]
    • HeapCreate/HeapAlloc
    • LoadLibrary/GetProcAddress
    • GetModuleHandle/GetProcAddress
    • Multi-Threading
  • 20. Challenges of Shellcode for EMET
    • Preventing EAT parsing techniques
  • 21. Bypassing Challenges of Shellcode for EMET
    • IAT parsing [23]
      – The application's IAT also holds the Win API function addresses
  • 22. Challenges of Shellcode for Firewalls
    • Inbound detection
    • Outbound detection
    • Usually, firewalls allow connections to popular services like port 25 (SMTP), 53 (DNS), 80 (HTTP), etc.
  • 23. Bypassing Challenges of Shellcode for Firewalls
    • Bypassing inbound detection
      – Reverse remote shellcode
    • Bypassing outbound detection (once inside, how to get back out), EX [12]:
  • 24. Bypassing Outbound Detection
    • DLL/PE Injection to iexplore.exe, telnet, ftp, SSH and alike [13]
    • One-way shellcode [2][12]
    • Meterpreter HTTP, HTTPS and DNS stagers [21]
  • 25. DLL Injection Overview – Step 1/2 [17]
  • 26. DLL Injection Overview – Step 3/4 [17]
  • 27. Execution Methods of DLL Injection [15]
    • CreateRemoteThread()
    • NtCreateThreadEx()
    • QueueUserAPC()
    • SetWindowsHookEx()
    • RtlCreateUserThread()
    • Code cave via SetThreadContext()
    • Reflective DLL
  • 28. DLL/PE Injection to iexplore.exe [13]
    • Querying the registry key, rather than referring to “c:...iexplore.exe”
    • CreateProcess() to open and keep browser windows hidden
    • WaitForInputIdle() to give processes time for initialization
    • WriteProcessMemory() to copy networking code
    • CreateRemoteThread() to run code
    • The injected procedure connects to the web site and sends HTTP requests
  • 29. Reflective DLL Injection [16][18]
    (diagram: Reflective DLL (= DLL-format PE file loader); the reflective DLL is loaded by its own reflective loader)
  • 31. One-way Shellcode – Find Socket [12] (using anonymous pipe)
  • 32. One-way Shellcode – Reuse Socket [12]
    The problem of the “Find Socket” method:
    • The socket may already have been closed (the SO_REUSEADDR socket option)
  • 33. One-way Shellcode – Rebind Socket [12]
    The problem of the “Rebind Socket” method:
    • If SO_EXCLUSIVEADDRUSE is used, reusing the address is not possible
  • 34. The Meterpreter: a stager and a stage [21][22][24]
  • 35. An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]
  • 36. Bypassing An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]
    (diagram: Thread 1: local proxy on port 8080; Thread 2: reverse_winhttp LHOST=127.0.0.1 LPORT=8080; NTLM authentication + HTTP requests trust the local proxy and go through the corporate proxy)
  • 37. Reference
    • [0] How To Make A Reverse TCP Backdoor In Python - Part 1
      – https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-1/1038
    • [1] How To Make A Reverse TCP Backdoor In Python - Part 2
      – https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-2/1040
    • [2] Understanding Windows Shellcode
      – http://www.hick.org/code/skape/papers/win32-shellcode.pdf
    • [3] Windows Reverse Shell Shellcode I.
      – http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
    • [4] Windows Reverse Shell Shellcode II.
      – http://sh3llc0d3r.com/windows-reverse-shell-shellcode-ii/
    • [5] Art of Anti Detection 3 – Shellcode Alchemy
      – https://pentest.blog/art-of-anti-detection-3-shellcode-alchemy/
    • [6] NT Shellcodes Prevention Demystified
      – http://www.phrack.org/issues/63/15.html#article
    • [7] Art of Anti Detection – 1 Introduction to AV and Detection Techniques
      – https://www.exploit-db.com/docs/40900.pdf
    • [8] Bypass Antivirus Dynamic Analysis - Limitations of the AV Model and How to Exploit Them
      – https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf
    • [9] YARA
      – http://virustotal.github.io/yara/
  • 38. Reference (continued)
    • [10] Code Segment Encryption
      – http://blog.sevagas.com/?Code-segment-encryption
    • [11] Hide Meterpreter Shellcode in Executable
      – http://blog.sevagas.com/Hide-meterpreter-shellcode-in-executable
    • [12] History and Advances in Windows Shellcode
      – http://phrack.org/issues/62/7.html
      – https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf
    • [13] Using Process Infection to Bypass Windows Software Firewalls
      – http://phrack.org/issues/62/7.html
    • [14] Evade Egress Restrictions with Staged Payloads
      – https://blog.cobaltstrike.com/2013/11/15/evade-egress-restrictions-with-staged-payloads/
    • [15] Inject All the Things
      – http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/
      – https://github.com/fdiskyou/injectAllTheThings/
      – Microsoft Visual Studio Express 2013 for Windows Desktop
    • [16] Reflective DLL Injection
      – https://www.dc414.org/wp-content/uploads/2011/01/242.pdf
      – https://github.com/stephenfewer/ReflectiveDLLInjection
    • [17] Windows DLL Injection Basics
      – http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
  • 39. Reference (continued)
    • [18] DOUBLEPULSAR Usermode Analysis: Generic Reflective DLL Loader
      – https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
    • [19] Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques
      – https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
      – https://github.com/secrary/InjectProc
    • [20] Process Hollowing
      – https://github.com/m0n0ph1/Process-Hollowing
    • [21] Metasploit - The Exploit Learning Tree
      – https://www.exploit-db.com/docs/27935.pdf
    • [22] Meterpreter Stage AV/IDS Evasion with Powershell
      – https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/
      – https://github.com/Arno0x/PowerShellScripts/blob/master/proxyMeterpreterHideout.ps1
    • [23] Teaching Old Shellcode New Tricks
      – https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2017-Teaching_Old_Shellcode_New_Tricks.pdf
      – https://github.com/secretsquirrel/fido
    • [24] Deep Dive Into Stageless Meterpreter Payloads
      – https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/
    • [25] The Art of AV Evasion - or Lack Thereof
      – https://www.slideshare.net/CTruncer/the-art-of-av-evasion-or-lack-thereof
      – https://github.com/Veil-Framework/Veil