Changed loader code to prevent false detection my Windows Defender An…

…tivirus and others (seems to be due to Shellcode being used for 32->64 transition) #10 #11 #22
leecher1337 · Feb 1, 2020 · ecc2b5e · ecc2b5e · pcmicro · Feb 19, 2020
1 parent b10bbb1
commit ecc2b5e
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 1 deletion.
diff --git a/ntvdmpatch/release/ldntvdm/syswow64/10.0/ldntvdm.dll b/ntvdmpatch/release/ldntvdm/syswow64/10.0/ldntvdm.dll
diff --git a/ntvdmpatch/release/ldntvdm/syswow64/6.1/ldntvdm.dll b/ntvdmpatch/release/ldntvdm/syswow64/6.1/ldntvdm.dll
diff --git a/ntvdmpatch/release/ldntvdm/syswow64/6.2/ldntvdm.dll b/ntvdmpatch/release/ldntvdm/syswow64/6.2/ldntvdm.dll
diff --git a/ntvdmpatch/src/ldntvdm/ldntvdm/wow64inj.c b/ntvdmpatch/src/ldntvdm/ldntvdm/wow64inj.c
@@ -9,7 +9,7 @@
 #ifndef _WIN64
 #include "ldntvdm.h"
 
-
+#ifdef NO_XOR
 // see '/msf3/external/source/shellcode/x86/migrate/executex64.asm'
 BYTE migrate_executex64[] = 
 "\x55\x89\xE5\x56\x57\x8B\x75\x08\x8B\x4D\x0C\xE8\x00\x00\x00\x00"
@@ -62,6 +62,60 @@ BYTE ldr_load_library_x64[] =
 "\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb"
 "\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
 "\xd5";
+#else
+// XORed crap to evade false positive detection by M$ antivirus
+BYTE migrate_executex64[] =
+"\x00\xdc\xb0\x03\x02\xde\x20\x5d\xde\x18\x59\xbd\x55\x55\x55"
+"\x55\x0d\xd6\x95\x70\xd6\xb9\x5d\xdc\xb7\x92\x17\x51\x66\x55"
+"\x55\x55\xdc\x57\xbd\x5c\x55\x55\x55\xd6\x91\x41\x0a\x0b\x08"
+"\x97\x5d\x55\xde\x69\x71\xaa\x7f\x1d\x64\x95\x02\xaa\x83\x0a"
+"\x05\x92\x11\x71\x51\x76\x55\x55\x55\xdc\x69\x71\xaa\x79\x71"
+"\x55";
+
+BYTE migrate_wownativex[] =
+"\xa9\x1d\xdc\x9b\x1d\xdc\xb2\x1d\xd6\xb1\xa5\xbd\x9d\x55\x55"
+"\x55\x14\x04\x14\x05\x07\x04\x03\x1d\x64\x87\x30\x1d\xde\x07"
+"\x35\x1d\xde\x07\x4d\x1d\xde\x07\x75\x1d\xde\x27\x05\x1d\x5a"
+"\xe2\x1f\x1f\x18\x64\x9c\x1d\x64\x95\xf9\x69\x34\x29\x57\x79"
+"\x75\x14\x94\x9c\x58\x14\x54\x94\xb7\xb8\x07\x14\x04\x1d\xde"
+"\x07\x75\xde\x17\x69\x1d\x54\x85\x33\xd4\x2d\x4d\x5e\x57\x20"
+"\x27\xde\xd5\xdd\x55\x55\x55\x1d\xd0\x95\x21\x32\x1d\x54\x85"
+"\x05\xde\x1d\x4d\x11\xde\x15\x75\x1c\x54\x85\xb6\x03\x1d\xaa"
+"\x9c\x14\xde\x61\xdd\x1d\x54\x83\x18\x64\x9c\x1d\x64\x95\xf9"
+"\x14\x94\x9c\x58\x14\x54\x94\x6d\xb5\x20\xa4\x19\x56\x19\x71"
+"\x5d\x10\x6c\x84\x20\x8d\x0d\x11\xde\x15\x71\x1c\x54\x85\x33"
+"\x14\xde\x59\x1d\x11\xde\x15\x49\x1c\x54\x85\x14\xde\x51\xdd"
+"\x1d\x54\x85\x14\x0d\x14\x0d\x0b\x0c\x0f\x14\x0d\x14\x0c\x14"
+"\x0f\x1d\xd6\xb9\x75\x14\x07\xaa\xb5\x0d\x14\x0c\x0f\x1d\xde"
+"\x47\xbc\x1a\xaa\xaa\xaa\x08\x18\x64\x9c\x14\x04\x1d\xd8\x13"
+"\x4d\x05\xaa\x23\x45\xaa\x23\x5d\x14\x04\x14\x04\x1c\xed\x54"
+"\x55\x55\x55\x55\x55\x55\x55\x1d\x64\x87\x1d\xde\x5b\x14\xef"
+"\x9d\x6d\xf1\x15\xaa\x80\x1d\xd0\x95\x21\x59\x1d\xed\x55\x55"
+"\x55\x55\x55\x55\x55\x55\xbe\x5f\x1d\xed\x54\x55\x55\x55\x55"
+"\x55\x55\x55\x1d\xd6\x91\x05\x1d\xdc\xa9\x96\x55";
+
+BYTE ldr_load_library_x64[] =
+"\xa9\x1d\xd6\xb1\xa5\xbd\x9d\x55\x55\x55\x14\x04\x14\x05\x07"
+"\x04\x03\x1d\x64\x87\x30\x1d\xde\x07\x35\x1d\xde\x07\x4d\x1d"
+"\xde\x07\x75\x1d\xde\x27\x05\x1d\x5a\xe2\x1f\x1f\x18\x64\x9c"
+"\x1d\x64\x95\xf9\x69\x34\x29\x57\x79\x75\x14\x94\x9c\x58\x14"
+"\x54\x94\xb7\xb8\x07\x14\x04\x1d\xde\x07\x75\xde\x17\x69\x1d"
+"\x54\x85\x33\xd4\x2d\x4d\x5e\x57\x20\x27\xde\xd5\xdd\x55\x55"
+"\x55\x1d\xd0\x95\x21\x32\x1d\x54\x85\x05\xde\x1d\x4d\x11\xde"
+"\x15\x75\x1c\x54\x85\xb6\x03\x1d\xaa\x9c\x14\xde\x61\xdd\x1d"
+"\x54\x83\x18\x64\x9c\x1d\x64\x95\xf9\x14\x94\x9c\x58\x14\x54"
+"\x94\x6d\xb5\x20\xa4\x19\x56\x19\x71\x5d\x10\x6c\x84\x20\x8d"
+"\x0d\x11\xde\x15\x71\x1c\x54\x85\x33\x14\xde\x59\x1d\x11\xde"
+"\x15\x49\x1c\x54\x85\x14\xde\x51\xdd\x1d\x54\x85\x14\x0d\x14"
+"\x0d\x0b\x0c\x0f\x14\x0d\x14\x0c\x14\x0f\x1d\xd6\xb9\x75\x14"
+"\x07\xaa\xb5\x0d\x14\x0c\x0f\x1d\xde\x47\xbc\x1a\xaa\xaa\xaa"
+"\x08\x1c\xdc\xb4\x19\xd8\xd0\x41\x54\x55\x55\x1c\xd8\x0d\x5d"
+"\x06\x1c\xde\x4d\x06\x1c\xdc\xb5\x1d\x64\x9c\x1d\x64\x87\x14"
+"\xef\x46\xc9\xea\xe8\xaa\x80\xee\xb5\x48\x7f\x5f\x14\xef\xf3"
+"\xc0\xe8\xc8\xaa\x80\x1d\xd6\x91\x7d\x69\x53\x29\x5f\xd5\xae"
+"\xb5\x20\x50\xee\x12\x46\x27\x3a\x3f\x55\x0c\x14\xdc\x8f\xaa"
+"\x80\x55";
+#endif
 
 typedef struct _WOW64CONTEXT
 {
@@ -93,6 +147,21 @@ typedef struct _WOW64CONTEXT
 typedef BOOL(WINAPI * X64FUNCTION)(DWORD dwParameter);
 typedef DWORD(WINAPI * EXECUTEX64)(X64FUNCTION pFunction, DWORD dwParameter);
 
+void inject_dll_init()
+{
+#ifndef NO_XOR
+	static BOOL bInizialized = FALSE;
+	int i;
+
+	if (bInizialized) return;
+	for (i = 0; i < sizeof(migrate_executex64); i++) migrate_executex64[i] ^= 55;
+	for (i = 0; i < sizeof(migrate_wownativex); i++) migrate_wownativex[i] ^= 55;
+	for (i = 0; i < sizeof(ldr_load_library_x64); i++) ldr_load_library_x64[i] ^= 55;
+	bInizialized = TRUE;
+#endif
+}
+
+
 /*
 * Attempt to gain code execution in a native x64 process from a wow64 process by transitioning out of the wow64 (x86)
 * enviroment into a native x64 enviroment and accessing the native win64 APIs.
@@ -104,6 +173,7 @@ DWORD inject_via_remotethread_wow64(HANDLE hProcess, LPVOID lpStartAddress, LPVO
 	X64FUNCTION pX64function = NULL;
 	WOW64CONTEXT * ctx = NULL;
 
+	inject_dll_init();
 	// alloc a RWX buffer in this process for the EXECUTEX64 function
 	if (pExecuteX64 = (EXECUTEX64)VirtualAlloc(NULL, sizeof(migrate_executex64), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE))
 	{
@@ -146,6 +216,7 @@ BOOL inject_dll_x64(HANDLE hProcess, WCHAR *wszDLL)
 	LPBYTE lpRemoteLibraryBuffer;
 	HANDLE hThread;
 
+	inject_dll_init();
 	uStr.Length = uStr.MaximumLength = (USHORT)lstrlenW(wszDLL)*sizeof(WCHAR);
 	uStr.Buffer = NULL;
 	if (!(lpRemoteLibraryBuffer = VirtualAllocEx(hProcess, NULL, sizeof(ldr_load_library_x64) - 1 + uStr.Length + sizeof(UNICODE_STRING), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)) ||