Bypass Windows Defender with C++ .DLL Payload File - Meterpreter Reverse Shell

Captions
Hello all, welcome to another video. For this video we will be going through, step by step, how we can cross compile a Windows DLL file on a Kali system. DLL files are usually the preferred type of payload to deliver to a victim's Windows machine, as it allows proxy execution via another binary, usually a signed and certified legitimate Windows system binary. This is especially useful when the environment has some sort of application whitelisting enforced, which means that your payload files in EXE format will definitely not work. Once we cover that in the hands-on demonstration later on in the video, it will clear things up more.

As shown on the screen here, this is a template C++ file that will display a message box when executed. We have exported the function name HelloWorld, which means that the function HelloWorld will be available for external programs to call and execute it. Let's cross compile it on our Kali system and generate a Windows DLL file. Cool, let's transfer it over to our Windows machine. One way we can execute a DLL file is via the rundll32.exe legitimate Windows binary. Let's execute the DLL file with rundll32. We can do so by specifying the DLL name and the exported function name, in this case HelloWorld. Great, it worked.

Now let's get started. This GitHub repo over here is highly recommended; it provides various references on how you can execute shellcode. The code here will compile to an EXE program, which is not what we want. However, we can use the sources here to create our own DLL payload. All credits belong to the author here, so be sure to check out this amazing GitHub repo. The link to the GitHub page will be provided in the video's description. First we will need a process injection technique in our DLL template file. Let's use the simple loader source over here. We can copy everything in the main function and paste it in our template DLL file. Let's leave everything as it is and try to compile it. This will not work because we haven't modified the shellcode for our own IP address; this is fine for now, so we can just leave it as it is.

So it was able to compile successfully. Let's transfer the generated DLL payload file over to our Windows machine. As expected, it is being detected as malicious; this is because of the msfvenom shellcode. Let's empty out the shellcode and recompile it again. Alright, let's transfer this to our Windows machine. As shown on the screen here, this time around there is no detection. This means that the technique to execute the shellcode is okay, but the shellcode itself is being detected. Let's try to encrypt the shellcode and see if this will bypass Windows Defender.

Now let's go over to the AES encryption GitHub repo. The AES C++ source code is shown over here. It seems that the author has taken the process injection technique here to another level by utilizing the NT functions in ntdll instead. This means that instead of calling functions such as VirtualAlloc and VirtualProtect from kernel32.dll, it is going one level lower by calling the same functions in ntdll directly instead. We don't have to do this, so we can just ignore this part and keep it simple as it is. What we want here is the AES decryption function and the lines of code that are related to the AES decryption routine. Let's copy the AES decrypt function along with all necessary include files and library statements. Okay, this should be it. Let's try to compile it. Let's try to fix the compilation errors. Okay, great, it is able to compile now. What we need next is the Python script that will print out the AES encrypted payload and the AES key to decrypt it. Let's copy the Python script available here. The Python script will basically take in a raw shellcode file and perform AES encryption on it. It will then print out the AES encrypted shellcode, which will be properly formatted, along with the key that we will need to include in our template C++ file.

Alright, now we have the AES script. Let's generate a reverse shell with msfvenom. Let's execute the Python script and point it to the beacon.bin raw payload file. Let's copy the output, both the AES encrypted shellcode and the AES key, into our template C++ file. Since we are using the variable name payload, let's change the AES shellcode variable name to payload as well. Awesome, let's compile it. Now let's transfer it to our Windows machine. As shown on the screen here, there is no detection now. Let's try to execute the DLL file with rundll32 again. ... shell with the DLL payload file, bypassing Windows Defender completely, with all of the features turned on.

Now let's try it again with a Meterpreter payload. Let's generate a Meterpreter reverse shell with msfvenom. Alright, now let's execute the Python script again to get the AES encrypted payload and the AES key. We will need to copy the AES encrypted shellcode and paste it in our template C++ file. As shown on the screen, it is very big; this is because it is a stageless payload. Pasting this output in via the nano editor will take some time; the waiting time is edited out. Great, let's not forget to copy and paste in the AES key as well. ... with the newly inserted Meterpreter payload and generate a new DLL file, transfer it to our Windows machine, and execute it again with rundll32. Nice, it worked again. As shown here, we are able to get a functional Meterpreter reverse shell as well.

Having a DLL is really useful. For example, we can easily modify the exported name of the DLL to have another legitimate Windows binary execute it. One such example is by changing the exported name from HelloWorld to DllRegisterServer. You can then use another legitimate Windows binary, such as the regsvr32 Windows binary, to execute the DLL file. The regsvr32 Windows binary will execute the DllRegisterServer function within a DLL file, so if your DLL payload file contains an exported function named DllRegisterServer, the regsvr32 Windows binary will execute it for you. Awesome, it worked again. This is amazing. As shown over here, it is really useful and practical to have a DLL payload file instead of an EXE payload file.

A few years back it was really popular to use Microsoft Teams to perform proxy execution via a DLL file. This allowed persistence on a compromised machine, as whenever the victim turns on his computer, Microsoft Teams will be auto-started and the DLL payload will then be executed. What this means is that, basically, Microsoft Teams will look for a number of DLLs on the system to load, and it was identified that some of the DLLs are missing. You can simply rename your DLL payload file to the DLL that Microsoft Teams is trying to load, and Microsoft Teams will help you execute your DLL payload. This article shown over here explains the issue and also provides some useful reference on how you can identify missing DLLs loaded by other programs. The link to the article will be shared in the video's description, so be sure to check it out.

Alright, I will be concluding the video here. I hope you all have enjoyed the content. Please help to like the video and subscribe to the channel; it will really help out the channel a lot. Thanks all, I appreciate it. See you all soon in the next video. Bye.
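The video shows rundll32 and regsvr32 executing a DLL by its exported name from a user directory; the matching check on the defender's side is whether those proxy binaries are loading a DLL from outside the Windows system directories. This is an added example, not code from the video or any repo it references; the record format and the sample log lines are constructed.

```python
import re
from typing import Optional

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_LOGS = [
    r"Image: C:\Windows\System32\rundll32.exe CommandLine: rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"Image: C:\Windows\System32\rundll32.exe CommandLine: rundll32.exe C:\Users\bob\Downloads\update.dll,HelloWorld",
    r"Image: C:\Windows\System32\regsvr32.exe CommandLine: regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\payload.dll",
    r"Image: C:\Windows\System32\regsvr32.exe CommandLine: regsvr32.exe C:\Windows\System32\vbscript.dll",
    r"Image: C:\Program Files\Notepad++\notepad++.exe CommandLine: notepad++.exe C:\Users\bob\notes.txt",
]

# System DLLs normally live here; a proxy binary loading one from anywhere else deserves a look.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROXY_BINARIES = ("rundll32.exe", "regsvr32.exe")
# Drive-letter or UNC path ending in .dll, optionally followed by ",ExportName" (rundll32 syntax).
DLL_PATH_RE = re.compile(r'((?:[a-z]:\\|\\\\)[^\s,"]+?\.dll)(?:,(\w+))?', re.IGNORECASE)


def parse_event(line: str) -> Optional[dict]:
    """Split an 'Image: ... CommandLine: ...' record into its two fields."""
    m = re.match(r"Image:\s*(.+?)\s+CommandLine:\s*(.+)$", line)
    return {"image": m.group(1), "cmdline": m.group(2)} if m else None


def find_dll(cmdline: str):
    """Return (dll_path, export_name_or_None) from the command line, or None if no DLL argument."""
    m = DLL_PATH_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def classify(line: str) -> Optional[str]:
    """Return a reason string when a proxy binary loads a DLL from an untrusted path, else None."""
    ev = parse_event(line)
    if not ev:
        return None
    exe = ev["image"].lower().rsplit("\\", 1)[-1]
    if exe not in PROXY_BINARIES:
        return None
    hit = find_dll(ev["cmdline"])
    if not hit:
        return None
    dll, export = hit
    if dll.lower().startswith(TRUSTED_DIRS):
        return None  # system DLL from a system directory: expected behaviour
    return f"{exe} loaded {dll}" + (f" (export {export})" if export else "")


def scan(lines):
    """Return (line_index, reason) for every flagged record."""
    return [(i, r) for i, line in enumerate(lines) if (r := classify(line))]
```

Pairing this with a file-creation or image-load event for the same DLL path gives the analyst the dropped file and its exports in one view.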
Info
Channel: Gemini Cyber Security
Views: 6,554
Keywords: ethical hacking, hacking, ethical hacker, hacker, vulnerability, bypass, security assessment, penetration testing, penetration tester, web app security, network security, cyber security, it security, offensive security, red team, red teaming, vulnhub, oscp, how to, learn hacking, crest, wargames, learn linux, linux, kali, overthewire, overthewire.org, bandit, bandit overthewire, blackhat
Id: gFtyz7hTzBs
Length: 11min 39sec (699 seconds)
Published: Mon Apr 03 2023