No traces, no breakage
Youssef B.
AppSec EXPERT - SENIOR OFFENSIVE SECURITY RESEARCHER - [OSCP] - [OSWE] - [LPT ECCOUNCIL] - [PENTESTIT-Russia] - [CASP+]
In this short article, I will show you the basics of how to make your viruses/ransomware/shellcode invisible... Actually, it's mostly about techniques for understanding how you get infected and how great Microsoft features can be used in a malicious manner, if you read this article from the light side of the Force...
This should allow you to think about building the security of your assets starting from the basics.
PowerShell cannot natively interact with the Win32 APIs, but we can use C# inside our PowerShell session to import them. Thank you, .NET...
In the PowerShell script below, I execute notepad.exe without any information being written to the hard drive. Everything (writing, execution, ...) happens in memory. Absolutely no trace on disk.
So why all this stuff?
If this were a virus or shellcode, we could get caught by antivirus software, since PowerShell and .NET leave artifacts on the hard drive. So what I used here to avoid getting caught by antivirus software that monitors the disk is called reflection (https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/reflection).
As for the details of the script, I will let you do your homework. You just have to know that, to get it to work, you have to build everything yourself and play with memory addresses, allocation, ...
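From the defender's side, the pattern described above (C# compiled inside a PowerShell session, Win32 memory APIs imported via P/Invoke, assemblies loaded reflectively) is exactly what PowerShell script block logging (Event ID 4104) exposes. The following is an added example, not the author's script: a small Python triage over constructed script block log text. The indicator names and the sample entries are my own assumptions, not real captured data.

```python
import re

# Constructed sample script block log entries (Event ID 4104 style), not real data.
# Each tuple is (record id, logged script block text).
SAMPLE_SCRIPT_BLOCKS = [
    (1, 'Get-ChildItem C:\\Users -Recurse | Measure-Object'),
    (2, 'Add-Type -TypeDefinition @"\nusing System.Runtime.InteropServices;\n'
        'public class W { [DllImport("kernel32.dll")] public static extern IntPtr '
        'VirtualAlloc(IntPtr a, uint s, uint t, uint p); }\n"@'),
    (3, '$a=[System.Reflection.Assembly]::Load($bytes); $a.EntryPoint.Invoke($null,$null)'),
    (4, 'Import-Module ActiveDirectory; Get-ADUser -Filter *'),
]

# Weak indicators: common in legitimate admin scripts, only meaningful in combination.
WEAK = {
    "csharp_compile": re.compile(r"Add-Type\s", re.IGNORECASE),
    "pinvoke_import": re.compile(r"DllImport\s*\(", re.IGNORECASE),
}
# Strong indicators: memory-allocation/thread APIs or reflective assembly loading
# inside a script block are rare enough to flag on their own.
STRONG = {
    "memory_alloc_api": re.compile(
        r"\b(VirtualAlloc(Ex)?|WriteProcessMemory|CreateThread|CreateRemoteThread)\b",
        re.IGNORECASE),
    "reflective_load": re.compile(
        r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.IGNORECASE),
}

def score_block(text):
    """Return the set of indicator names that match one script block."""
    hits = {name for name, rx in WEAK.items() if rx.search(text)}
    hits |= {name for name, rx in STRONG.items() if rx.search(text)}
    return hits

def triage(blocks):
    """Return [(record_id, sorted indicator names)] for blocks worth an analyst's look:
    any strong indicator, or at least two weak ones together (a lone Add-Type is noise)."""
    findings = []
    for rid, text in blocks:
        hits = score_block(text)
        strong = hits & STRONG.keys()
        weak = hits & WEAK.keys()
        if strong or len(weak) >= 2:
            findings.append((rid, sorted(hits)))
    return findings

if __name__ == "__main__":
    for rid, names in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"record {rid}: {', '.join(names)}")
```

The same logic applies unchanged to real 4104 events pulled with Get-WinEvent, as long as script block logging is enabled; without it, an in-memory technique like the one above leaves nothing on disk for file-based antivirus to inspect.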
What then?
You could say (and maybe you already guessed it):
ok but my antivirus is able to check the memory.
Yes, it can!
And I would answer:
But I can bypass this sh...
And that's why antivirus software, or any other cybersecurity tool, needs to be kept up to date.
But more than that, we need to understand that it is important to keep cybersecurity alive. It's not just about tools to deploy and Excel spreadsheets to fill out (by the way, you can use this script to open Notepad, or any other gentle (ransom) tool you want, via an Excel or Word macro).