
#1 - Methods to execute shellcode bypassing Huorong and 360 antivirus software (to be continued)

Thread hijacking using AES-encrypted shellcode

STEP 1

Generate the shellcode any way you like.

For example, I use Cobalt Strike to generate the shellcode (you can also use msfvenom etc. to generate other kinds of shellcode).

Go to Attacks > Packages > Payload Generator.

image-20200424232131679

Choose your Listener and set the Output as C#.

After clicking the Generate button, you’ll get a C# source code file like this.

image-20200424232502242

The shellcode we need is what is enclosed in the “{}”, so delete the tokens such as byte[]… buf… new… and the extra whitespace.

Finally, the real shellcode you get looks like this:

image-20200424232836137

Copy these hexadecimal byte values and go to step 2.

STEP 2

Open AVIATOR_x64.exe (an amazing tool written by Ch0pin that encrypts the shellcode for you and automatically generates the thread-hijacking executable).

Set the AES key and IV for your shellcode, then paste what you got in step 1 into the Payload text area.

image-20200424234332613

Click the Encrypt button and select the path of the final executable file (you can also set a custom icon).

Select the OS architecture, choose the injection method and the target process.

image-20200424235304641

At last, click the Generate Exe button.

image-20200424235242069

; ) Got it!

Let’s see the bypass effect of this method.

image-20200424235947776

Run ev1l.exe while Huorong and 360 are running in the background.

ezgif-7-0b1c7c1fe723
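From the defender's side, the AES layer only hides the shellcode from static signature matching: the ciphertext is still embedded in the generated executable, and a block of ciphertext looks like near-random bytes sitting inside otherwise low-entropy file content. The following Python script is an added example, not code from this post or from AVIATOR; it shows the sliding-window Shannon-entropy check that scanners and triage scripts use to flag such regions. The "image" it scans is constructed inline (repeated text filler around a SHA-256 hash chain standing in for ciphertext) and is not a real AVIATOR output, and the window size, step and 7.0 bits/byte threshold are assumptions to tune.

```python
import hashlib
import math
from collections import Counter

# Tunable assumptions: 1 KiB window, stepped every 256 bytes, flagged at >= 7.0 bits/byte.
WINDOW = 1024
STEP = 256
THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = WINDOW, step: int = STEP,
                         threshold: float = THRESHOLD) -> list:
    """Slide a window over data; return (offset, entropy) for every window at or above threshold."""
    hits = []
    last_start = max(0, len(data) - window)
    for off in range(0, last_start + 1, step):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def merge_hits(hits: list, window: int = WINDOW) -> list:
    """Collapse overlapping flagged windows into (start, end) byte ranges."""
    ranges = []
    for off, _ in hits:
        if ranges and off <= ranges[-1][1]:
            ranges[-1] = (ranges[-1][0], off + window)
        else:
            ranges.append((off, off + window))
    return ranges


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain (constructed, not real AES output)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample "image": low-entropy text filler around a 2 KiB pseudo-ciphertext blob.
FILLER = b"This program cannot be run in DOS mode.\r\n" * 50
BLOB = pseudo_random_bytes(2048)
SAMPLE = FILLER + BLOB + FILLER
BLOB_START = len(FILLER)
BLOB_END = BLOB_START + len(BLOB)


def scan_sample() -> list:
    """Run the scan over the constructed sample and return the merged flagged byte ranges."""
    return merge_hits(high_entropy_windows(SAMPLE))


if __name__ == "__main__":
    for start, end in scan_sample():
        region = SAMPLE[start:end]
        print(f"high-entropy region 0x{start:x}-0x{end:x}: "
              f"{shannon_entropy(region):.2f} bits/byte over {len(region)} bytes")
```

Compressed resources, packed sections and legitimate key material score just as high, so a flagged range is a triage signal to look at, not a verdict; in practice the scan is run per PE section and combined with runtime telemetry of the injection step itself rather than relied on alone.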