This is a continuation of the post 重复造轮子-Reinventing the wheel; nothing much new.

Since I published the last post, not many AVs on VirusTotal have been able to detect this file: https://www.virustotal.com/gui/file/9a72a09cab7111e228c5414b234c2256abe82425611d588e7a0b626b50d42eae/detection

image-20200809234800350

However, at runtime Windows Defender is still able to detect some malicious behaviour going on in the process. It does not delete the file, and I am still able to get a reverse shell (a plain reverse shell, not a Meterpreter shell, which was not possible as far as I tried).

image-20200809235314995

(not detected in static scan)

image-20200810000100492

(able to get reverse shell)

image-20200810000210789

(malicious process detected, but the binary file won't get deleted)

This is not desirable: in a red teaming engagement we always want our actions to be as stealthy as possible, and we don't want Defender to report any malicious file or process.

I tried various msfvenom payloads and encoders; none of them worked. Defender reports a malicious process almost immediately once I run the binary.

I was about to give up on this trick until I found this post: https://xavibel.com/2019/08/07/bypassing-kaspersky-antivirus-2018/

TL;DR

We add a delay so that some seconds pass while the AV is scanning the file; we reach the maximum time allowed for scanning a single file and the scan stops. After that the real binary code is executed outside the Kaspersky sandbox.

I was wondering whether that would work for Windows Defender as well, so I tried manually adding some useless instructions at the beginning of execution.

Note that OllyDbg only works on 32-bit binaries, so I compiled the binary as 32-bit using i686-w64-mingw32-gcc test.c -o test.exe -lkernel32 -Os -s

Another thing: when the binary is loaded into the debugger, it stops in ntdll.dll, and I need to trace it until it lands in the binary itself, then hijack execution into the useless but time-consuming instructions:

image-20200810002728234

(it will start from ntdll)

image-20200810003308519

(when it lands in binary itself)

I just need to redirect the first instruction to a code cave, pushad to back up the registers, execute the useless instructions many, many times, then popad to restore the registers and jump back to resume the original execution.

```asm
pushad                          ; back up registers
xor ecx, ecx                    ; zero out ecx, use it as the counter
pushad                          ; useless instruction
popad                           ; useless instruction
inc ecx                         ; advance the counter (without this the loop never terminates)
cmp ecx, 0xEEEEEEEE             ; execute 0xEEEEEEEE times
jnz 0x7fff8                     ; loop back to the useless instructions
popad                           ; restore registers
mov dword ptr ds:[405394], 0    ; restore corrupted instructions
jmp 0xffffed12                  ; jump back to continue normal execution
```

image-20200810005517695

I executed the binary, and after a while I received a shell without any prompt from Windows Defender!

image-20200810005923668

I thought my work was done.

However, after ten seconds or so, the familiar warning from Windows Defender still popped up.

I guessed this trick did not work, and that Windows Defender probably does a periodic check on all running processes.

When I was about to put a full stop on this, I tried running taskkill /im test2.exe /f after I got my reverse shell. (This would usually kill your reverse shell, because you killed its "parent" process.) However, this time Windows Defender just kept quiet forever, and my reverse shell didn't drop.

image-20200810011610285

(The reverse shell persists, and Windows Defender stays silent)

This is kind of weird, possibly because the APC queue code injection technique does something different when invoking the child process (correct me if I am wrong).

I used TCPView from Sysinternals to check the connection and its corresponding process:

image-20200810012101782

You cannot check whether a non-existent process is malicious or not.
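From the defender's side, the observation above is exactly the signal to hunt for: the connection TCPView shows still belongs to a live process, but that process has lost its parent. The PowerShell below is an added example (not code from the original post or from any of the tools it mentions) that reproduces the TCPView check without a GUI: it snapshots the process table, walks every established outbound TCP connection, and reports the ones whose owning process has an exited parent, is unsigned, or talks to a port on a constructed watch list. The function name, parameter and port list are assumptions; the cmdlets (Get-NetTCPConnection, Get-CimInstance, Get-AuthenticodeSignature) are standard on Windows 8 / Server 2012 and later.

```powershell
# Added example, not part of the original post: list established outbound TCP connections
# and flag the ones whose owning process is orphaned (its parent has exited) or unsigned.
# This is the lineage check that a "kill the parent, keep the shell" situation leaves behind.
# Assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later.
function Find-OrphanedNetworkProcess {
    [CmdletBinding()]
    param(
        # Constructed sample list of remote ports worth highlighting; tune for your environment.
        [int[]]$HighlightRemotePort = @(4444, 4443, 1337)
    )

    # Snapshot the process table once so parent lookups are consistent across the run.
    $byPid = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $byPid[[int]$p.ProcessId] = $p
    }

    foreach ($conn in Get-NetTCPConnection -State Established) {
        # Loopback connections cannot be a shell to a remote handler; skip them.
        if ($conn.RemoteAddress -match '^(127\.|::1$)') { continue }

        $owner     = $byPid[[int]$conn.OwningProcess]
        $reasons   = @()
        $parentPid = $null
        $name      = '<exited>'
        $path      = $null

        if ($owner) {
            $name      = $owner.Name
            $path      = $owner.ExecutablePath
            $parentPid = [int]$owner.ParentProcessId
            # A parent PID that no longer exists means the process that started this one is gone.
            # Caveat: PIDs are reused, so a dead parent can occasionally look alive by coincidence.
            if (-not $byPid.ContainsKey($parentPid)) { $reasons += 'parent exited' }
            if ($path) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
                if ($sigStatus -ne 'Valid') { $reasons += "signature $sigStatus" }
            }
        } else {
            # The socket outlived its owner in the CIM snapshot; worth a second look either way.
            $reasons += 'owner exited'
        }
        if ($HighlightRemotePort -contains $conn.RemotePort) { $reasons += 'remote port on watch list' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                OwningPid     = $conn.OwningProcess
                ProcessName   = $name
                Path          = $path
                ParentPid     = $parentPid
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                Reasons       = ($reasons -join '; ')
            }
        }
    }
}

Find-OrphanedNetworkProcess | Format-Table -AutoSize
```

An orphaned process is not proof of anything on its own (a console closed after start /b leaves the same footprint), which is why the output carries the signature status and executable path alongside the lineage: an unsigned binary in a user-writable directory with a dead parent and an established outbound connection is the combination worth escalating, and it is visible whether or not the file-level scanner ever fired.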