Secondary Categories: 02-Malware
Description:
When it comes to dynamic analysis, our payload is usually executed in a sandbox environment that monitors the actions it performs, such as modifying a registry key or opening a connection to a remote server. Most sandbox environments cannot fully emulate a real computer or network environment, so there are several logic checks that can be performed before the shellcode is executed:
- Is the system domain joined?
- Less than 4 GB of RAM?
- Fewer than 2 cores?
- Is the timezone UTC?
- Set the shellcode's memory protection to read-only, then change it to read-execute only once it is time to execute the payload
Some good sample code snippets can be found in the Code Samples link under Resources.
If the shellcode loader is written in any of the following languages, AMSI (Antimalware Scan Interface) can be used to detect malicious activity:
- PowerShell
- JScript
- VBScript
- C#
- WMI
- VBA
When any such program is run, amsi.dll is loaded into the process and the AmsiScanBuffer and AmsiScanString API functions are used to scan content for malware. These functions can be patched in the same way as the EtwEventWrite API function.
We can also use the C# AMSI bypass method linked under Resources. The amsi.fail project can be used to check our payloads, and PEStudio gives a more detailed view of the payload information.
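The environment checks listed above and the AMSI/ETW patching described here leave a recognisable footprint in a sandbox's API trace, which is what a sandbox operator or detection engineer looks for. The following is an added example (not code from this page or from any of the linked projects) of detection logic run over a constructed trace. It assumes a made-up trace schema of one JSON object per line with `ts`, `pid`, `api`, `args` and, for memory-protection calls, a sandbox-resolved `module`/`export` for the target address; the thresholds (`EARLY_EXIT_SECONDS`, `MIN_PROBES`) are arbitrary assumptions for the example.

```python
"""Detection logic over a constructed sandbox API-call trace.

Added example for this page; not part of the page or of any linked project.
The trace format below is an assumption: one JSON object per line with the
fields ts, pid, api, args and (optionally) module/export for the address a
memory-protection call targets. Real sandboxes use their own schemas.
"""
import json
from collections import defaultdict

# APIs that reveal the environment checks this page lists (domain join,
# RAM size, core count, timezone).
ENV_PROBES = {"NetGetJoinInformation", "GlobalMemoryStatusEx",
              "GetSystemInfo", "GetTimeZoneInformation"}
EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
WRITABLE_PROTECTIONS = {"PAGE_READWRITE", "PAGE_WRITECOPY",
                        "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
# Making these exports writable is the precondition for patching them.
SECURITY_EXPORTS = {("amsi.dll", "AmsiScanBuffer"): "amsi-tamper",
                    ("amsi.dll", "AmsiScanString"): "amsi-tamper",
                    ("ntdll.dll", "EtwEventWrite"): "etw-tamper"}
EARLY_EXIT_SECONDS = 2.0   # assumed threshold: "bailed out" after probing
MIN_PROBES = 2             # assumed: at least two distinct probes

# Constructed sample trace (not real sandbox output). pid 4120 probes the
# environment and exits; pid 5208 flips private memory to executable and
# makes AmsiScanBuffer / EtwEventWrite writable; pid 6001 is benign.
SAMPLE_TRACE = """
{"ts": 0.01, "pid": 4120, "api": "NetGetJoinInformation", "args": {}}
{"ts": 0.02, "pid": 4120, "api": "GlobalMemoryStatusEx", "args": {}}
{"ts": 0.02, "pid": 4120, "api": "GetSystemInfo", "args": {}}
{"ts": 0.03, "pid": 4120, "api": "GetTimeZoneInformation", "args": {}}
{"ts": 0.05, "pid": 4120, "api": "ExitProcess", "args": {"uExitCode": 0}}
{"ts": 0.10, "pid": 5208, "api": "VirtualAlloc", "args": {"lpAddress": "0x1f30000", "flProtect": "PAGE_READONLY"}}
{"ts": 0.11, "pid": 5208, "api": "VirtualProtect", "args": {"lpAddress": "0x1f30000", "flNewProtect": "PAGE_EXECUTE_READ"}, "module": null}
{"ts": 0.12, "pid": 5208, "api": "VirtualProtect", "args": {"lpAddress": "0x7ffb3a0a2f60", "flNewProtect": "PAGE_READWRITE"}, "module": "amsi.dll", "export": "AmsiScanBuffer"}
{"ts": 0.13, "pid": 5208, "api": "VirtualProtect", "args": {"lpAddress": "0x7ffb3c1b1120", "flNewProtect": "PAGE_EXECUTE_READWRITE"}, "module": "ntdll.dll", "export": "EtwEventWrite"}
{"ts": 1.50, "pid": 6001, "api": "GetSystemInfo", "args": {}}
{"ts": 9.00, "pid": 6001, "api": "GetComputerNameW", "args": {}}
"""


def parse_trace(text):
    """Parse the line-delimited JSON trace into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def analyze_trace(text):
    """Return {pid: [alert tags]} for every process that trips a rule."""
    per_pid = defaultdict(list)
    for ev in parse_trace(text):
        per_pid[ev["pid"]].append(ev)

    alerts = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e["ts"])
        found = []

        # Rule 1: several environment probes, then a quick exit.
        probes = {ev["api"] for ev in evs if ev["api"] in ENV_PROBES}
        exits = [ev for ev in evs if ev["api"] in ("ExitProcess", "TerminateProcess")]
        if (len(probes) >= MIN_PROBES and exits
                and exits[0]["ts"] - evs[0]["ts"] <= EARLY_EXIT_SECONDS):
            found.append("sandbox-probe-then-early-exit")

        # Rule 2/3: protection changes on private memory or on security exports.
        for ev in evs:
            if ev["api"] != "VirtualProtect":
                continue
            prot = ev["args"].get("flNewProtect")
            module = ev.get("module")
            tag = None
            if module is None and prot in EXEC_PROTECTIONS:
                tag = "private-memory-made-executable"   # non-image region -> X
            elif prot in WRITABLE_PROTECTIONS:
                tag = SECURITY_EXPORTS.get((module, ev.get("export")))
            if tag and tag not in found:
                found.append(tag)

        if found:
            alerts[pid] = found
    return alerts


if __name__ == "__main__":
    for pid, tags in sorted(analyze_trace(SAMPLE_TRACE).items()):
        print(pid, ", ".join(tags))
```

Each rule on its own is noisy (installers query `GetSystemInfo`, JIT runtimes make private memory executable), which is why the rules key on combinations: probes plus an early exit, and a protection change on a specific security export rather than any `VirtualProtect`. In a real pipeline the `module`/`export` resolution comes from the sandbox's module map, and the thresholds would be tuned against a baseline of benign samples.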
Resources:
| Title | URL |
|---|---|
| Code Samples | https://github.com/Arvanaghi/CheckPlease |
| AMSI C# Bypass | https://github.com/rasta-mouse/AmsiScanBufferBypass |
| Useful Libraries for Malware Development | https://captmeelo.com/redteam/maldev/2022/02/16/libraries-for-maldev.html?s=09 |
| AES Library | https://github.com/kokke/tiny-AES-c |
| Compile Time (User and Kernel mode string encryptor) - skCrypter | https://github.com/skadro-official/skCrypter |
| Hide WinAPI functions from Import Address Table (IAT) | https://github.com/JustasMasiulis/lazy_importer |
| Inline Syscall Resolver | https://github.com/JustasMasiulis/inline_syscall |