How to bypass Windows Defender with Custom C++ .EXE Payload Loader (Meterpreter Reverse Shell)

Views: 16,244

Gemini Cyber Security

1 year ago

Be better than yesterday -
This video shows how several publicly available source code samples were modified to produce a customised template .EXE payload loader. The loader fetches a Meterpreter payload from a remote HTTP server and then performs a process injection technique that bypasses Windows Defender, giving a fully functional Meterpreter reverse shell on the victim's Windows machine.
The video provides a step-by-step walkthrough and a practical demonstration of how to generate a .EXE payload loader in C++ that achieves a Meterpreter reverse shell with a custom SSL/TLS certificate on a Windows machine that has Windows Defender running.
DISCLAIMER:
All content posted on this KZfaq channel is SOLELY FOR educational and awareness purposes ONLY. Any actions and/or activities related to the material presented on this KZfaq channel are entirely YOUR responsibility.
We DO NOT promote, support or encourage any illegal activities such as hacking, and we WILL NOT BE HELD responsible in the event of any misuse or abuse of the content resulting in criminal charges.
Stay connected:
Twitter: / gemini_security
Udemy: www.udemy.com/user/gemini-88/
Github: github.com/gemini-security
Discord: / discord
Looking to donate?
BTC: 19HiqQ2Qw83mxK9dcdoWb8VfAcsNgmp52k
Buy me a coffee!
www.buymeacoffee.com/gemini.c...
Github repository reference:
github.com/TheD1rkMtr/Shellco...
Custom SSL/TLS Certificate for Meterpreter/Metasploit:
docs.metasploit.com/docs/usin...
Gemini Security Awesome Hacking T-Shirts - Support the channel:
www.redbubble.com/people/Gemi...

Comments: 72
@inadad8878 6 days ago
I am hungover, so my head already hurt before this video. But it was a good video, so I kept watching. Subscribed.
@wolfrevokcats7890 7 months ago
Can't believe it, I was searching for evasion + loader and this is the only video, the only good video with very good explanation + demo. Keep up the good job bro
@gemini_security 7 months ago
Thanks for the kind words!
@jaygarrick6295 1 year ago
Hi, great video, thanks for sharing your knowledge. In any video or resource on evasion, it is said to turn off automatic file submission; just pointing this out for others who view this video and don't know it.
@itsnee 1 year ago
Great video! Been following you for a while now. Loving the content. Looking forward to more content!
@gemini_security 1 year ago
Hello, thanks for the positive feedback! It is very much appreciated. You are absolutely spot on with your observations. I am used to using secure copy (scp) for file transfers between my Kali and Windows machines, as SSH is already set up and running on my Kali upon boot. A web server is needed for the payload, as the loader uses an HTTP-based request to fetch the payload (beacon.bin). I could have transferred the compiled binary .exe file via HTTP as well without using secure copy. Cheers!
@itsnee 1 year ago
@gemini_security Hey! Thank you so much for the detailed response. I actually removed that question because I noticed that you still needed the HTTP server to deliver the payload. So in that sense the HTTP server was still needed, haha, sorry for the confusion!
@FoolNameFoolName 1 year ago
Great content! I tried this today and Windows Defender flagged it; it may have been patched. Love your videos!
@tlykuyiyhaa8382 1 year ago
AWESOME, you are the best, man, I just needed this. Thanks, thank you, thanks. You are the best man in the world.
@gemini_security 1 year ago
Hello, thanks for the positive feedback! I'm glad that the content was useful to you. Cheers!
@rizkysays 1 year ago
Very, very good video. One thing I want to ask as a newbie: can I bypass UAC on the latest version of Windows 10? I'm just asking for a step-by-step tutorial, so I can find every point you give myself. Thank you very much.
@MrVik24 1 year ago
Again, great video! Thank you, man. Next time can you play with a macro in a .doc document to bypass Windows Defender?
@gemini_security 1 year ago
Hello, thanks for the positive feedback and content suggestion. It is very much appreciated. It will definitely be interesting to come up with a video on macro execution and Windows Defender bypass. I will try to get a copy of Microsoft Word and see how it goes from there. Cheers!
@KarimZreika 8 months ago
Hi mate, you mentioned that you can run the LHOST and port directly in the exe file, instead of running a cmd command to start the template exe (with beacon.bin), by hard coding it? Can you show us a method to hard code this part?
@EliteSoulja360 1 year ago
Hey bro, solid videos! I've been playing around with payloads also. Can you please create a video to test against Elastic Agent?
@gemini_security 1 year ago
Hello, thanks for the positive feedback, it is very much appreciated! I had a quick look at Elastic's security solutions and they seem to be commercial. Do they offer a free trial that comes with the security products? Cheers!
@EliteSoulja360 1 year ago
@gemini_security Yes they do. They offer a 14-day trial, bro.
@CyberCelt. 9 months ago
First off, this was a fantastic video and I got a Cobalt Strike working undetected. I struggled with Sliver, as the 4096 buffer limitation seemed to be an issue, and when I increased it much larger it wouldn't compile, maybe because a character array is limited or something. Any tips on that please? Thanks
@gemini_security 9 months ago
Thanks! Yes, you are correct. Apparently the function to download the remote shellcode has a size constraint. Not sure why it was implemented like that in the WinhttpShellcode example (github.com/TheD1rkMtr/Shellcode-Hide/blob/main/4%20-%20Fileless%20Shellcode/2%20-%20Using%20WinHttp/WinhttpShellcode/WinhttpShellcode.cpp). You should be able to get rid of the size limit by using another implementation of downloading the shellcode remotely. I would suggest you take a look at the GetData function within this .cpp source code (github.com/TheD1rkMtr/FilelessPELoader/blob/main/FilelessPELoader/FilelessPELoader.cpp). It is pretty similar and only minor adjustments will be required. Cheers.
@essabreahmed1391 1 year ago
Thanks, great work
@gemini_security 1 year ago
Hello, I'm glad you enjoyed the video, thanks for watching! Cheers.
@tlykuyiyhaa8382 1 year ago
@gemini_security Hey man, I have followed your instructions, but when I went to try it in Windows I get an error that says "This application cannot be run on the computer"
@tlykuyiyhaa8382 1 year ago
@gemini_security Do you know how to repair it?
@latif975 1 year ago
Thanks bro
@gemini_security 1 year ago
Hello, I'm glad you enjoyed the video, thanks for watching! Cheers.
@arvinnaidu5963 9 months ago
Hi, great video, thanks for sharing. I would like to ask: I try to do what you just did, but the moment I enter "name.exe beacon.bin" it shows alloc_mem with the value and then auto-closes. Is this behaviour normal? If not, what is the corrective action for it? It would be helpful, thanks in advance
@nyshone 1 year ago
Does the "shell" command in Meterpreter also get flagged for you by Defender? Or migrating to another process?
@gemini_security 1 year ago
Hello, thanks for the comment. I was able to quickly try it with the 'shell' command to drop into a command prompt interface, and it is indeed being detected by Windows Defender after consecutively executing commands over 'shell'. It is being detected as a behaviour anomaly by Windows Defender. I suspect it is being detected from the way Meterpreter 'shell' is executing the commands. For example, many of Cobalt Strike's features use the 'fork and run' execution method, and many AV/EDR vendors out there have implemented a detection based on this 'fork and run' behaviour (hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/appendix-a_beacon-opsec-considerations.htm). To combat the detection, Beacon Object File (BOF) was quickly introduced so that commands can be executed in-line instead of with the 'fork and run' behaviour. This could be the case for the behaviour detection on the 'shell' command for Meterpreter as well. Cheers!
@marlonforrest3291 6 months ago
Defender detects Meterpreter once you decide to migrate to another process or drop a common shell. Couldn't find any ready-to-use solutions for that. Only Ninjasploit. But I couldn't get it to work. Maybe you try?
@shivpratapsingh2084 5 months ago
It was a great tutorial! I need some help. I tried this on my VM; everything is fine, the beacon.bin file is getting sent and received at the client side, but I am not getting the shell on Metasploit, I don't know why. There are no errors on the client side.
@alwan7777 1 year ago
To be honest, bro, I like this bypassing content. Saean for persistence techniques etc, bro
@gemini_security 1 year ago
Hello, I'm glad you enjoyed the video. Many thanks for the positive feedback and suggestions. It is very much appreciated. Cheers.
@KarimZreika 8 months ago
Hi mate, is there any way to run the LHOST and port directly in the exe file instead of running a cmd command to start the template exe (with beacon.bin)?
@gemini_security 8 months ago
Yeah, it should be able to. Can try hardcoding it into the source code.
@KarimZreika 8 months ago
@gemini_security Ok, what kind of code can I use to try to hard code it in the cpp source code?
@KarimZreika 8 months ago
@gemini_security I have now tried running a .ps1 script to initiate it, but what command should I use for PowerShell? How can it find or use the template directory regardless of what dir the template.exe is in?
@Mohitkumar-ug8jq 1 year ago
Could you please tell me one thing: to bypass Windows Defender, what should someone's thought process be?
@gemini_security 1 year ago
Hello, it is a step-by-step, trial and error process which can be really time-consuming. Usually it goes something like this:
1. What do you want to achieve with the bypass? A minimal reverse shell? A C2-featured reverse shell such as Meterpreter, Cobalt Strike, etc.?
2. Prepare the payload appropriately for the objective identified in step 1 (shellcode? .EXE? .DLL?)
3. Plan how the payload should be executed (shellcode in source? shellcode remotely? what process injection technique to use? CreateThread? CreateRemoteThread? QueueAPC?)
4. If the payload is detected: how can you obfuscate/encode/encrypt it? (compress? base64 encode? XOR? AES? RSA?)
5. If the technique is detected: what are the other alternatives?
Every step taken should be tested against Windows Defender. In this manner, it will be easier to identify what is being caught by Windows Defender. If you were to code the entire thing first and it subsequently gets caught by Windows Defender, it will be tedious to identify which part of your code is being flagged and detected. It is very important to be aware of what is available out there; you do not necessarily need to know the exact technical details of how it works. Knowing what is available out there will enable you to search for it, and you will be able to progress from there on. Cheers!
@amirakmel123 1 year ago
@gemini_security You got a sub in a second, bro, keep making these kinds of work ❤
@tushar6767 1 year ago
Did you remove the .LNK malware video? I can't find it on your playlist
@gemini_security 1 year ago
Hello, the .LNK malware video is here: kzfaq.info/get/bejne/e8WTlaWdutG7mp8.html Cheers!
@KarimZreika 8 months ago
Finally got it to work silently! Also... can the HTTP server listening on 8000 have unlimited listening?
@gemini_security 8 months ago
Yeah, sure, you can set up a web server such as Apache or Nginx on it
@KarimZreika 1 year ago
Hi mate, the request gives me 404 instead of 200. What do you think is the problem?
@gemini_security 1 year ago
Hello, 404 means that the file/payload you've requested cannot be found. Very likely the name of your payload is wrong, or you are hosting the web server from a separate directory. Make sure that the file you are requesting is valid and available on the web server you are hosting with. You can perform a sanity test by using your browser to visit your web server and see if the payload file is available. Cheers
@KarimZreika 1 year ago
@gemini_security Thanks mate, it seems the file I was hosting was in a different directory; moving it to the right one gave me the correct 200 response :) Cheers mate. PS, it would be great if you could make a video on FUD silent miners or something you can execute from a shell or Meterpreter session that injects mining code :)
@cristianandrade3207 9 months ago
Your videos are very good and useful. Can you help me get the AESKey variable and AESshellcode from a file? Because my bin file is very big. Thank you very much in advance
@gemini_security 9 months ago
Hello, you can try to use Python to read the .cpp file, perform a match and replace to insert the AES shellcode and AES key into a new .cpp file, then compile the .cpp file. I have demonstrated this in the following video, starting from the 06:16 timestamp: kzfaq.info/get/bejne/er56gbqav7Crm6M.html Cheers
@cristianandrade3207 9 months ago
Thanks, great job
@Chinmoy-bf6cz 11 months ago
Make more videos about Windows Defender bypass
@zmemes69 7 months ago
Yeah, you can bypass Windows Defender easily, but then Chrome stops any exe that is unsigned; even if it is signed, it needs to be common in their scope
@kobki66 4 months ago
Hi. How to encrypt a custom exe file? Is it possible?
@BigG9982 3 months ago
Yeah, it is, but that alone would not make your RAT undetected, if this was your question. You need more steps to make it FUD
@hshezzss-nn9uy 7 months ago
Awesome ❤
@gemini_security 7 months ago
Thank you, 666
@martinmelan2766 1 year ago
Still works?
@user-kg5bp6rw3l 1 year ago
Can you show how to make an Async payload bypass Windows Defender? Nice videos
@gemini_security 1 year ago
Hello, if I am not mistaken, by Async payload you are referring to 'callback'-style payloads that check in and fetch commands from a remote server to execute? That is a great suggestion for content, I will definitely look into it. Thanks! Cheers.
@user-kg5bp6rw3l 1 year ago
@gemini_security If you can also look into converting EXE payloads to VBS to evade AVs and WD, that would be great
@baryton_ 11 months ago
Which virtualization machine are you using?
@gemini_security 11 months ago
Hello, I am using Parallels Desktop for Mac to run my virtual machines. In some videos I am using another Windows laptop that is running VMware Workstation. Cheers
@baryton_ 11 months ago
@gemini_security Is Parallels D. free?
@gf0x90 4 months ago
Yeah, but when you start typing commands in Meterpreter, you get caught by Defender
@kidnamedfinger.productions 3 months ago
Meterpreter is just for demonstration, no real hacker would use it in practice.
@wolfrevokcats7890 7 months ago
3:42 the code is being detected now, even with a payload like "\x00\x00\x00\x00"
@gemini_security 7 months ago
Hey man! Unfortunately, most of the time, a few days after a video gets uploaded the same payload/technique/code won't work anymore. It will be good to code your own shellcode loader using the demonstrations in the videos that I've posted. My most recent two videos provide examples of how you can start working on your own shellcode loader. Here is part 1: kzfaq.info/get/bejne/nr2SmcyXup64pHU.html
@mukto2004 1 year ago
Discord channel?
@elijahekerendu1634 1 year ago
Love the video, but I must say you will be disturbed here on YouTube for revealing this much. Do you offer coding courses?
@2bambam55 2 months ago
Yes I do
@GertBowker 7 months ago
Can I download this template.cpp somewhere? template.cpp:182:5: error: ‘getShellcode_Run’ was not declared in this scope 182 | getShellcode_Run(argv[1], argv[2], argv[3]);
@gemini_security 7 months ago
Hi, as shown in the video, the source code can be found in the GitHub repository: github.com/TheD1rkMtr/Shellcode-Hide