Comments (8)
Thanks, yeah, I fixed the typos problem. Regarding the KAV detection for loader.exe, I think that could happen in some cases, as KAV is good at mem scanning, but I am sure it will not be able to detect the DLL release! Have you tried?
from mortar.
Hi, I tried this just now, but the result might let you down: it can still be scanned after a few seconds. Maybe we need to find another way to evade mem scanning. In the end you did a great job, and
thanks for the reply!
I think it is fine, everything can be bypassed. Could you please share the following information with me:
- KAV version + database version
- x64 or x86
- can you try to change the following values at this line https://github.com/0xsp-SRD/mortar/blob/main/Lib/runner.pas#L180 in the source code into
ReadProcessMemory(PI.hProcess, Pointer(CONT.rdx + $10), @Addr, 8, Ret);
and compile it as an EXE or DLL and forward the results again.
Hi, I modified the code as you said and got the same result. I cannot find the database version, just an
update time. I got the KAV Advanced Suite trial version from here: https://www.kaspersky.co.in/downloads
KAV has been defeated successfully. Do the following:
- put the encrypted bin.enc in your current user path, for example c:\users\tester
- use any DLL injector (reflective loader / DLL injection / side loading)
- choose the cmd.exe process to inject into, and the bypass succeeds
Here is the video of the bypass:
https://video.0xsp.com/conversations/eb396ad5-f9f1-5afa-b171-30b812c8a9de
Hello lawrenceamer, hope you are well.
I have a question: how can I call the export function "dec" and execute it once I have injected the DLL into the "cmd.exe" process? Or what is the technique, or the reflective injector, you used to do that?
Because when I injected the DLL into the cmd.exe process, it was just injected and didn't execute the "dec" function to run the ".enc" payload and get my shell.
Hi @Jack-Reve, try to call your decrypt function in agressor.lpr (e.g. in line 214). Based on my understanding you need to call it manually, since the DLL has no DllMain entry point and only two export functions. After that, open a cmd, cd to the folder where your bin.enc is saved and inject the agressor.dll into this cmd.
@lawrenceamer this way I was able to bypass Sophos; maybe you want to add it to your list in README.md ;)
@goofsec thanks. You may also try the following technique to bypass KAV and others, @Jack-Reve:
- put the bin.enc in the user folder, e.g. c:/users/tester/
- open any DLL injector tool
- select the x64 process you want to inject with the aggressor
- bypass the memory scan