FUD-UUID-Shellcode is another shellcode injection technique using C++ that attempts to bypass Windows Defender using XOR encryption sorcery and UUID strings madness.
Firstly, generate a payload in binary format (using either CobaltStrike or msfvenom). For instance, in msfvenom you can do it like so (the payload I'm using is for illustration purposes; you can use whatever payload you want):
msfvenom -p windows/messagebox -f raw -o shellcode.bin
Then convert the shellcode (in binary/raw format) into UUID string format using the Python3 script bin_to_uuid.py:
./bin_to_uuid.py -p shellcode.bin > uuid.txt
XOR-encrypt the UUID strings in uuid.txt using the Python3 script xor_encryptor.py:
./xor_encryptor.py uuid.txt > xor_crypted_out.txt
Copy the C-style array from the file xor_crypted_out.txt and paste it into the C++ file as an array of unsigned char, i.e. unsigned char payload[]{your_output_from_xor_crypted_out.txt}
This shellcode injection technique comprises the following subsequent steps:
1. VirtualAlloc to allocate memory for the payload.
2. XOR-decrypt the payload using the xor key value.
3. UuidFromStringA to convert the UUID strings into their binary representation and store them in the previously allocated memory. This is used to avoid the usage of suspicious APIs like WriteProcessMemory or memcpy.
4. EnumChildWindows to execute the payload previously loaded into memory (in step 1).

Instead of using memcpy or WriteProcessMemory, which are known to raise alarms in AVs/EDRs, this program uses the Windows API function UuidFromStringA, which can be used to decode data as well as write it to memory (Isn't that great folks? And please don't say "NO!" 🙂).

To build it, change the xor key (line 85) to what you wish. This also has to be done in the ./xor_encryptor.py Python3 script by changing the KEY variable. The keys have to match! Change the executable filename value (row 90) to your filename. mingw was used, but you can use whichever compiler you prefer. 🙂 Then run:
make
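For analysts who pull the encrypted unsigned char array out of a sample built this way, the following added example (not part of this project's scripts) reverses the two transforms to recover the embedded bytes for triage. It relies on the fact that UuidFromStringA writes the UUID struct with Data1/Data2/Data3 little-endian, which Python's uuid.UUID(...).bytes_le reproduces; a single-byte repeating XOR key and a newline-separated, 0x-hex array literal are assumptions, since the page does not show the scripts' exact formats.

```python
import re
import uuid

# Constructed sample: 20 arbitrary bytes standing in for a raw payload (not real shellcode).
SAMPLE_BYTES = bytes(range(0xA0, 0xB4))
SAMPLE_KEY = 0x5A  # assumption: the tool's KEY is a single repeating byte

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def bytes_to_uuid_strings(data: bytes) -> list[str]:
    """Split raw bytes into 16-byte chunks and render each as the UUID string
    that UuidFromStringA would write back as exactly those bytes.
    bytes_le stores Data1/Data2/Data3 little-endian, matching the in-memory
    Windows UUID struct layout. The final chunk is zero-padded to 16 bytes."""
    out = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16].ljust(16, b"\x00")
        out.append(str(uuid.UUID(bytes_le=chunk)))
    return out


def uuid_strings_to_bytes(strings) -> bytes:
    """Inverse: the memory image UuidFromStringA produces for each string."""
    return b"".join(uuid.UUID(s).bytes_le for s in strings)


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_payload(c_array_text: str, key: int) -> bytes:
    """Analyst-side recovery: parse the 0x.. literals of the unsigned char array
    as found in the sample's source, XOR-decrypt, extract the UUID strings and
    rebuild the bytes exactly as the loader would lay them out in memory."""
    enc = bytes(int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{1,2})", c_array_text))
    plain = xor(enc, key).decode("ascii", errors="replace")
    return uuid_strings_to_bytes(UUID_RE.findall(plain))


def build_sample_array(data: bytes, key: int) -> str:
    """Construct a test fixture in the page's described shape (UUID strings,
    then XOR, emitted as a C-style array). Assumed literal format."""
    text = "\n".join(bytes_to_uuid_strings(data)).encode("ascii")
    return "unsigned char payload[]{" + ", ".join(f"0x{b:02x}" for b in xor(text, key)) + "};"
```

Because the last UUID is zero-padded, the recovered buffer is rounded up to a multiple of 16 bytes; trailing zeros past the original length are padding, not payload.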
The binary was scanned using antiscan.me on 01/08/2022.