PayloadInResources

This is a POC based on the research done by White Knight Labs.

  • Sandbox bypass by checking whether the executable's name appears in its own path.
  • Store/fetch the shellcode in the PE resources and XOR encrypt/decrypt it.
  • Use an unconventional method for process injection. The above is capable of bypassing AV (I tested against Defender) and possibly some EDRs.

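From the analyst's side, a resource-stored payload under a short repeating XOR key is easy to spot and peel: XOR with a repeating key is a per-position byte substitution, so the plaintext's byte skew survives in every key-length stride, and if the most common plaintext byte is 0x00 (padding and zeroed operands are common in shellcode) the most common ciphertext byte in each stride is the key byte itself. The following Python is an added example, not code from the PayloadInResources project; it builds a constructed stand-in blob inline (not real shellcode) so it runs offline, and `analyse()` is a hypothetical helper that returns the stored entropy, the recovered key and the entropy after decoding. In practice you would feed it the bytes of an RCDATA resource extracted from a sample.

```python
"""Analyst-side helper: flag and peel a short repeating-key XOR layer.

Added example, not part of the PayloadInResources project. The input is a
constructed blob built inline; real use would pass the bytes of an RCDATA
resource pulled from a sample.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; plain shellcode is usually well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def index_of_coincidence(data: bytes) -> float:
    """Probability that two random positions hold the same byte (1/256 for uniform bytes)."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def guess_key_length(data: bytes, max_len: int = 16) -> int:
    """Score each candidate key length by the mean IoC of its strided substreams.
    The true length (and its multiples) keeps the plaintext's skew; other lengths
    mix differently-keyed positions and flatten it. Return the smallest length
    scoring near the maximum, so multiples of the true length are not chosen."""
    scores = {k: sum(index_of_coincidence(data[j::k]) for j in range(k)) / k
              for k in range(1, max_len + 1)}
    best = max(scores.values())
    return min(k for k, s in scores.items() if s >= 0.85 * best)


def recover_key(data: bytes, key_len: int) -> bytes:
    """Assume 0x00 is the most common plaintext byte; then the most common
    ciphertext byte in each substream is that position's key byte."""
    return bytes(Counter(data[j::key_len]).most_common(1)[0][0] for j in range(key_len))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used both to build the sample and to peel the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_blob(seed: int = 1, size: int = 4096) -> bytes:
    """Constructed stand-in for a decoded resource: half zero bytes, the rest drawn
    from a small byte alphabet, plus an ASCII marker. Not real shellcode."""
    rng = random.Random(seed)
    alphabet = b"\x48\x8b\x89\xe5\x31\xc0\x50\x53\xff\xd0\xc3\x90"
    body = bytearray()
    while len(body) < size:
        body.append(0 if rng.random() < 0.5 else rng.choice(alphabet))
    marker = b"kernel32.dll\x00"
    body[100:100 + len(marker)] = marker
    return bytes(body[:size])


def analyse(blob: bytes) -> dict:
    """Entropy as stored, the guessed key, and entropy after peeling the XOR layer.
    A drop in entropy after decoding is the tell that the layer was real."""
    key_len = guess_key_length(blob)
    key = recover_key(blob, key_len)
    plain = xor_bytes(blob, key)
    return {
        "stored_entropy": shannon_entropy(blob),
        "key": key,
        "decoded_entropy": shannon_entropy(plain),
        "decoded": plain,
    }


if __name__ == "__main__":
    # Constructed resource encoded with the key used in the README's example.
    sample = xor_bytes(build_sample_blob(), b"ABCD")
    result = analyse(sample)
    print("stored entropy  :", round(result["stored_entropy"], 2))
    print("recovered key   :", result["key"])
    print("decoded entropy :", round(result["decoded_entropy"], 2))
    print("marker present  :", b"kernel32.dll" in result["decoded"])
```

The entropy drop after decoding, together with a recovered key that is printable ASCII, is a cheap triage signal for resource blobs; it fails, by design, when the payload has no dominant byte, which is why the key-length guess and the key recovery are kept as separate steps you can swap out.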
Usage

  1. XOR encrypt the raw shellcode using xorencrypt.py:
     # python .\xorencrypt.py <payload_file> <output_file> <xor_key>
     python .\xorencrypt.py .\calc.bin encrypted.bin ABCD
  2. Modify metadata.rc so the resource entry refers to the <output_file> name:
     SHELLCODE_RESOURCE RCDATA "encrypted.bin"
  3. Compile metadata.rc to a .res file:
     rc.exe /r /fo .\metadata.res .\metadata.rc
  4. Set the XOR key you used on line 52 of Caue.cpp and compile with clang++:
     clang++.exe -O2 -Ob2 -Os -fno-stack-protector -g -Xlinker -pdb:none -Xlinker -subsystem:windows -o Caue.exe Caue.cpp metadata.res -luser32 -lkernel32 -fno-unroll-loops -fno-exceptions -fno-rtti

Credits