Bypass Windows Defender with C++ .DLL Payload File - Meterpreter Reverse Shell

Views: 8,852

Gemini Cyber Security

1 year ago

Be better than yesterday -
This video showcases how it was possible to modify several publicly available tools and customise a template C++ file that performs shellcode process injection and bypasses Windows Defender, obtaining a fully functional reverse shell on a victim's Windows machine.
It was possible to generate a .DLL payload file by cross-compiling on a Kali machine; the payload performs shellcode process injection with AES encryption, using references from a publicly available GitHub repository.
The video provides a step-by-step walkthrough and a practical demonstration of how you can generate a .DLL payload file in C++ that achieves a Meterpreter reverse shell on a Windows machine with Windows Defender running.
The video also provides a high-level explanation of why .DLL payload files are useful, and shares an article that discusses a practical use case referencing Microsoft Teams, whereby .DLL payload files can be leveraged for persistence and proxy execution.
DISCLAIMER:
All content posted on this KZfaq channel is SOLELY FOR Educational and Awareness purposes ONLY. Any actions and/or activities related to the material presented in this KZfaq channel are entirely YOUR responsibility.
We DO NOT promote, support, or encourage any illegal activities such as hacking, and we WILL NOT BE HELD responsible in the event of any misuse and abuse of the content resulting in any criminal charges.
Stay connected:
Twitter: / gemini_security
Udemy: www.udemy.com/user/gemini-88/
Github: github.com/gemini-security
Discord: / discord
Github repository reference:
github.com/TheD1rkMtr/Shellco...
Github repository with the source code used:
github.com/gemini-security/By...
Microsoft Teams article reference:
milosilo.com/hacking/microsof....
Gemini Security Awesome Hacking T-Shirts - Support the channel:
www.redbubble.com/people/Gemi...

Comments: 42
@NoahLA 11 days ago
bro is underrated asf
@claudio1206z 6 days ago
its working for u?
@b4dboy_17 1 year ago
thnx bro for showcasing TheD1rkMtr tools, eager to see more , take love
@gemini_security 1 year ago
Hello, You are very welcome. I am glad that you have enjoyed it. Cheers.
@nunoalexandre6408 1 year ago
Love it!!!!!!!!!!!!!!!!!!
@nhoxxz2282 1 year ago
Thank you very much for comparing your knowledge great brother
@gemini_security 1 year ago
Hello, Thank you very much for your positive feedback, it is very encouraging. I am glad that you've enjoyed the content. Cheers.
@fokyewtoob8835 1 year ago
Great content brother thank you for sharing your knowledge with us!
@alwan7777 1 year ago
nice 💪
@gemini_security 1 year ago
Hello, Thank you very much! I appreciate it. Cheers
@TamonashGupta 6 months ago
Update on December 2023. Now the DycryptAES function is detected as meterpreter malware. Yes you read it right. DycryptAES=METERPRETER according to Windows defender. The very existence of this function in your code triggers Windows Defender. I tested this by removing all other functions from the dll code and only keeping this function. Remember that in this code there is no shellcode. But as soon as the dll is dropped the defender starts to scream malware!!!
@senmaths6930 1 month ago
Very interesting! What are your thoughts on incorporating our custom AES code instead of relying on DecryptAES? Alternatively, what other suggestions do you have?
@_marcobaez 5 months ago
It worked perfectly! No detection at all, however, I can't get it to connect back to Kali on port 8443? (Tried different ports too, and tried listening directly on msfconsole but nothing :/) Any idea?
@nyshone 1 year ago
Do you think XORing each byte with your pre-defined value could also achieve same result? It would also entirely change signature of the shellcode.
@gemini_security 1 year ago
Hello, Yes that will change the signature of the shellcode as well. I've played with XOR quite a bit but found it to be ineffective. Windows Defender was able to pick up the shellcode as malicious despite it being XOR encrypted. My test case was simple - 1. Providing an XOR encrypted shellcode with the passphrase in the source code to decrypt it would trigger a detection. 2. Providing an XOR encrypted shellcode WITHOUT the passphrase in the source code to decrypt it WOULD NOT trigger a detection. This concluded that Windows Defender was able to decrypt the XOR encrypted shellcode if the passphrase is in the source code. It was very impressive. This was not the case for AES encryption, hence it was used in the video. We could probably get away with it if we host the passphrase remotely and only fetch it upon execution and use it to decrypt the XOR encrypted shellcode. Could be worth a try. Cheers.
@nyshone 1 year ago
@@gemini_security I really enjoy your content, do you have a discord perhaps? Either server or personal one.
@nero2k619 1 year ago
@@gemini_security Interesting observation although I never had problems with defender detecting my XOR function. I had noticed in the past that simply turning off compiler optimisation and changing the XOR function a bit by adding garbage values helps in evading defender with cloud protection enabled.
@wolfrevokcats7890 7 months ago
2:26 thanks for the awesome video, btw can you share the modified code @ 2:26? It would be better if your code editor had line numbers, easier to refer to. Thanks
@gemini_security 7 months ago
Hey man! Thanks for the suggestion! I'll try to stick with the Sublime Text editor as much as I can instead of Nano. Here is the template code used: github.com/gemini-security/Bypass-Windows-Defender-with-CPP-.DLL-Payload-File---Meterpreter-Reverse-Shell
@dens4t 1 year ago
How can I inject our payload (exe file) into an existing process in Windows?
@gemini_security 1 year ago
Hello, It is very tedious to inject a PE executable payload file into an existing process. The headers of the file, table addresses, etc. will all have to be considered. Usually, the PE executable payload file will be converted into shellcode, and using Windows APIs such as CreateRemoteThread, it can be possible to inject the shellcode into a remote process on Windows. Here is a good reference on how you can do that: www.ired.team/offensive-security/code-injection-process-injection/process-injection (Under Executing Shellcode in Remote Process) There is a C++ project called FilelessPELoader which showcases how it was possible to load a PE executable payload file (EXE) into memory directly. However, this is done within the current process (FilelessPELoader.exe) and not in a remote process: github.com/TheD1rkMtr/FilelessPELoader Cheers.
@Henriqueoi 1 year ago
How do I create a payload with the port I want? I want a dll like that, but without using Meterpreter, but a server of mine to execute shell commands
@gemini_security 1 year ago
Hello, Thanks for the comment. I am looking into creating content about a bare-minimum reverse shell that will fetch and execute shell commands without any C2/frameworks like Meterpreter. Cheers!
@ofekvegas1015 1 year ago
Please is there an option for a guide on bypassing antivirus like eset..?
@gemini_security 1 year ago
Hello, Thanks for suggesting a potential content. Do you have a reference URL link to the ESET product that you are interested in? Is it publicly available? Cheers.
@ofekvegas1015 1 year ago
@@gemini_security
@hiddengo3232 1 year ago
Pentest Active directory using sliver c2
@overthinker1877 1 year ago
Why don't you share the last payload you made in your repository, to make it easy for us?
@gemini_security 1 year ago
Hello, Thanks for the suggestion. It has been uploaded over here: github.com/gemini-security/Bypass-Windows-Defender-with-CPP-.DLL-Payload-File---Meterpreter-Reverse-Shell Cheers.
@mrri8403 1 year ago
I assume what’s next is turning this DLL into exe? Or embedding it to exe ? Also would it bypass smart screen filter etc ? Sorry I’m noob . Thank you.
@mrri8403 1 year ago
I read somewhere one can use donut to convert shellcode to exe or other formats … I guess the issue would then be getting your exe signed by a trusted certificate. Another technique would be using DLL side loading to bypass UAC. Can you make a video on DLL side loading?
@gemini_security 1 year ago
Hello, You can execute the DLL payload with several different legitimate Microsoft binaries, such as the rundll32.exe binary as demonstrated in the video. Cheers.
@matthewlawry5785 6 months ago
@@gemini_security nice stuff! Pretty new to malware as well. This has got me stumped. What would be the delivery strategy here? Given you already have access to the victim machine, you can execute the dll with another exe process but in the wild this would be the victim so they would not be running a command such as this? How would execution look in the wild?
@SonVan-zh8rj 1 year ago
does it work on reverse_tcp ?
@gemini_security 1 year ago
Hello, It will most definitely work with a plain reverse tcp shell without Meterpreter. The detection rate for Meterpreter payloads is much higher. Cheers
@ELIAS-og5vf 1 year ago
Bro I have an exe file, how to extract shellcode from it?
@gemini_security 1 year ago
Hello, Personally I have not tried it before, but it could be worth giving it a shot: Converting PE (.exe) files to shellcode (not all forms of PE are supported): github.com/hasherezade/pe_to_shellcode Converting .NET executables to shellcode: github.com/TheWover/donut Cheers!
@peterzoro2749 1 year ago
How did you generate the key char array from the string? Can we reverse this process at kzfaq.info/get/bejne/naykrN1ozbrecqc.html
@gemini_security 1 year ago
Hello, The AES Key generation is defined in the python script over here: github.com/TheD1rkMtr/Shellcode-Hide/blob/main/3%20-%20Encrypting/1%20-%20AES/AES_cryptor.py As shown in the code, it is using the python function urandom() to generate the random string bytes. You should be able to hardcode the string that you want to define instead of using urandom(). You should convert your string to bytes before passing it to the AESencrypt function. I haven't tried it myself to use a pre-defined string as the key but looking at the code, the theory above should work out. Cheers.
@infinix_6586 1 year ago
Make bootsector malware...
@gemini_security 1 year ago
Hello, Many thanks for the video suggestion. Bootsector-based malware is not something I am familiar with, but definitely worth exploring. I will definitely consider making a video on it in the future. Cheers
@sanmayjena9080 7 months ago
@@gemini_security lm-external-libs.dll file please