Re-reinventing the wheel
This is a continuation of the post 重复造轮子-Reinventing the wheel; nothing much new.
Since I posted the last post, still not many AVs on VirusTotal are able to detect the file: https://www.virustotal.com/gui/file/9a72a09cab7111e228c5414b234c2256abe82425611d588e7a0b626b50d42eae/detection
However, when it comes to runtime, Windows Defender is still able to detect some malicious behaviour going on in the process, although it does not delete the file, and I am able to get a reverse shell (not a meterpreter shell; that was not even possible as far as I tried).
(not detected in static scan)
(able to get reverse shell)
(detected malicious process, but the binary file won’t get deleted)
This is not desired, as in a red teaming engagement we always want our actions to be as stealthy as possible; we don't want Defender to report any malicious file or process.
I tried various msfvenom payloads and encoders; none of them worked. Defender reports the malicious process almost at the same moment I run the binary.
I was almost going to give up on this trick until I found this post: https://xavibel.com/2019/08/07/bypassing-kaspersky-antivirus-2018/
We add a delay to let some seconds pass while the AV is scanning the file; we will reach the maximum time allowed for scanning a single file and the scan is going to stop. After that the real binary code is going to be executed outside the Kaspersky sandbox.
I was wondering whether that would work for Windows Defender as well, so I tried manually adding some useless instructions at the beginning of execution.
Note that OllyDbg only works on 32-bit binaries, so I compiled the binary as 32-bit using
i686-w64-mingw32-gcc test.c -o test.exe -lkernel32 -Os -s
Another thing is that when the binary is loaded into the debugger, it stops in ntdll.dll, and I need to trace it until it lands in the binary itself and then hijack execution into the useless but time-consuming instructions:
(it will start from ntdll)
(when it lands in binary itself)
I just need to hijack the first instruction to the code cave, pushad to back up the registers, execute a useless instruction many, many times, then popad to restore the registers and jump back to resume the original execution.
pushad // backup register
I executed the binary, and after a while I received a shell without being prompted by Windows Defender!
I thought my work was done.
However, after ten seconds or so, the familiar warning from Windows Defender still popped up.
I guess this trick does not work, and Windows Defender is possibly doing a periodic check on all running processes.
When I was about to put a full stop on this, I tried to run
taskkill /im test2.exe /f after I got my reverse shell. (This would usually kill your reverse shell, because you killed its "parent" process.) However, this time Windows Defender just kept quiet forever, and my reverse shell didn't drop.
(The reverse shell retains, and windows defender keeps silent forever)
This is kind of weird, possibly because the APC Queue Code Injection technique is doing something different when invoking the child process (correct me if I am wrong).
I used TCPView from Sysinternals to check the connection and its corresponding process:
You cannot check if a non-existent process is malicious or not.
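From the defender's side, what TCPView showed above is the useful signal: an outbound session owned by a child whose parent has already been killed. The following PowerShell is an added example, not code from the original post, that does the same correlation in bulk: it lists established connections with the owning process and its parent, and flags the ones whose parent is gone. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated shell; the function name Get-ConnectionLineage is my own.

```powershell
# Added example (not from the original post): correlate established TCP
# connections with the owning process and that process's parent, so that a
# connection surviving a killed parent (the taskkill case above) stands out.
# Assumes Windows 8 / Server 2012+ (NetTCPIP module) and an elevated shell.
function Get-ConnectionLineage {
    # Snapshot all processes once, keyed by PID, for cheap lookups.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $owner  = $procs[[int]$_.OwningProcess]
            $parent = if ($owner) { $procs[[int]$owner.ParentProcessId] } else { $null }
            # PIDs get reused: a "parent" that started after its child is not the
            # real parent, so in that case treat the real parent as already gone.
            if ($owner -and $parent -and $parent.CreationDate -gt $owner.CreationDate) {
                $parent = $null
            }
            [pscustomobject]@{
                ProcessId   = $_.OwningProcess
                Process     = if ($owner) { $owner.Name } else { '<exited>' }
                ParentPid   = if ($owner) { $owner.ParentProcessId } else { $null }
                Parent      = if ($parent) { $parent.Name } else { '<exited>' }
                ParentGone  = [bool]($owner -and -not $parent)
                Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                CommandLine = if ($owner) { $owner.CommandLine } else { '' }
            }
        }
}

# Orphaned connections first: a child still holding an outbound session after
# its parent was killed is exactly the situation TCPView revealed in the post.
Get-ConnectionLineage | Sort-Object ParentGone -Descending | Format-Table -AutoSize
```

Run it before and after killing the suspect parent; a row that flips to ParentGone while keeping its Remote endpoint is the process to examine, since the dead parent itself can no longer be inspected.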