
tips to develop a better RunPE (process hollowing) for my crypter

3c2n90yt57489t3y8794

I developed my first crypter in pure C using standard process hollowing: create a new process with its thread in a suspended state, put the PE inside it and execute the thread.
I use these WinAPI functions: CreateProcess, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread. And I use a simple XOR encryption with a long random key.
The problem is that it's not undetected: around 10 of the most popular AVs detect it at scan time (I suppose at runtime too). I think the problem is that I use the same WinAPI everyone uses, and in a very common way.
I read some blogs about other methods such as injection into other trusted processes, reflective injection or other process hollowing techniques.

Studying and implementing some of them will require a lot of time, so I need some advice: what direction would be the best for my research? I just want to implement a simple RunPE that is undetected. Should I try to make my RunPE FUD (if yes, how? maybe I need to obfuscate the API calls... I'm not sure they are the main problem), or is it better to try another, stealthier method?
 
1. RunPE is a very outdated code execution technique. Maybe someone has found another way, but the essence of it is the same.
I advise you to try LoadPE (example - https://github.com/reverserb/Simple_PE_Loader).
2. Such encodings as XOR are easily emulated and can have high entropy. I advise you to try RC4/AES, using entropy reduction.
3. Obfuscate WinAPI calls.
4. Try to create in your code some kind of mimicry based on legitimate software.
 
1. RunPE is still the gold standard if you know how to execute it correctly.
2. AES/RC4 makes entropy go crazy; keep up with XOR.
3. Don't use standard WinAPI calls for memory allocation/writing in another process. Parse NTDLL for API addresses and call them through pointers (custom GetProcAddress).

Good luck :)
 
Please note that this user has been banned
Why are you using WinAPI? To improve your process hollowing you need to do more than encrypt/decrypt and mount the decrypted image in a suspended process.
First: you can use a custom GetModuleHandle and a custom GetProcAddress, this is very helpful.
Second: you need to bypass some other shields. The scan-time bypass is very easy; the runtime scan is both easy and hard: it's easy to bypass some shields, but you will face other shields like the behavior shield!
The behavior shield can flag your exe as a virus even with NO detection in memory, just because your exe is acting like a malicious exe.

For example: when the exe is clicked it instantly creates a suspended process and writes data.
Also your program contains flagged WinAPI/NTAPI functions like WriteProcessMemory, ReadProcessMemory.

So you need to make a lot of improvements.

Process hollowing is a very old technique; if you want it to work you need to make it modern and add improvements.

Use GitHub for learning, not for developing.
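A defender-side illustration of the behavior shield this post describes (an added example, not code from the thread or from any poster): the sequence named above, create suspended, write into the child, replace the thread context, resume, reconstructed from constructed API telemetry lines. The line layout and the sensor that would produce it are assumptions; Win32 names and their ntdll equivalents are mapped onto the same stage so a sensor that only sees the Nt* layer reaches the same verdict.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the thread): one line per observed API
# call from a hypothetical user-mode sensor, "pid api target_pid [flags]".
SAMPLE_LOG = """\
4120 CreateProcessW 5008 CREATE_SUSPENDED
4120 NtAllocateVirtualMemory 5008
4120 NtWriteVirtualMemory 5008
4120 SetThreadContext 5008
4120 NtResumeThread 5008
6100 CreateProcessW 6188
6100 ReadProcessMemory 6188
7000 CreateProcessW 7040 CREATE_SUSPENDED
7000 ResumeThread 7040
"""

# Win32 call and its ntdll equivalent collapse onto one stage, so calling the
# Nt* functions directly (as the thread suggests) changes nothing for the rule.
STAGES = {
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "SetThreadContext": "context", "NtSetContextThread": "context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}
REQUIRED = {"suspended", "write", "context", "resume"}
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+(\d+)(?:\s+(\S+))?$")


def find_hollowing(log: str):
    """Return [(parent_pid, child_pid)] for each child that was created
    suspended, written to, had a thread context replaced and was resumed,
    all by the same parent. Stages are tracked per (parent, child) pair."""
    seen = defaultdict(set)
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed telemetry line: ignore rather than crash
        pid, api, target, flags = m.groups()
        key = (int(pid), int(target))
        if api.startswith("CreateProcess") and flags == "CREATE_SUSPENDED":
            seen[key].add("suspended")
        elif api in STAGES:
            seen[key].add(STAGES[api])
        if REQUIRED <= seen[key] and key not in hits:
            hits.append(key)
    return hits
```

Only the first pair completes all four stages; the normal parent/child at 6100 and the suspended-then-resumed pair at 7000 (no write, no context change) are not flagged.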
 
If you try this, I recommend cryptopp's HexEncoder and HexDecoder, it's fucking amazing and uncommonly used.
 
I created a custom GetProcAddress (obfuscated all WinAPI calls) and reduced my detections by 50%; now I have 4/28 detections and I still have Avira lol (it seems hard to bypass at scan time).
Do you have some docs/threads/blogs about these shields to bypass? Or some new modern methods (other than hollowing) that are also simple/fast to learn and implement? (Any other info is appreciated.)
 
What are you using for detections, antiscan.me or VirusTotal? antiscan.me keeps giving me an error every time I upload and check. Any other ideas for checking against antivirus instead of downloading and trying?
If you know, PM me please.
antiscan.me has been down for a long time; try something known that doesn't distribute. Some say they don't, but in the end they sell everything.
 
It's simple: IAF (import address table filtering) and EAF (export address table filtering).

Your program is currently using well-known malware-abused functions; you should try resolving these functions manually via the PEB and implement some sort of API hashing.

PS: Some AVs don't hook ntdll functions (NtAllocateVirtualMemory, RtlCaptureContext, NtResumeThread, etc.), so it is better to use those.
PS: GetProcAddress is a very well-known function that malware abuses; re-implement it with the PEB.
PS: Also, your malware probably has known malware strings; try implementing some sort of string obfuscation or something like that.
seems hard to bypass in scantime
Yes, EDRs/XDRs/MDRs/SIEMs will use more advanced features, like return address checking, call stack unwinding and more; just study more and you will bypass those.
 
antiscan.me is a skid scanner which manipulates the results; consider using avcheck.net.
 

