TheD1rkMtr / PE-Obfuscator

PE obfuscator with Evasion in mind


PE-Obfuscator

PE obfuscator with evasion in mind. It needs administrator privileges in order to load the RTCore64 driver.

Video:

PE-Obfuscator.mp4

The Obfuscator:

- Gets the XORed fileless PE from a remote server
- Drops the loader to disk
- Adds a random section to that loader
- Adds the XORed fileless PE to the newly created loader section

The Loader:

- Unhooks ntdll using the clean copy from KnownDlls
- Drops RTCore64 to disk
- Loads/installs RTCore64
- Exploits RTCore64 to remove kernel callbacks
- XORs the PE
- Maps/loads the PE from the added section
- Stomps a large loaded module that fits the PE
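The two lists above leave a recognisable artefact on disk: a loader whose extra section holds a XORed PE, and single-byte XOR does not lower the entropy of the payload. The following defender-side check, added here as an example and not code from this repository, walks the PE section table and flags sections whose raw bytes have near-maximal entropy. The minimal PE image, the section name `.hvkd` and the XOR key are constructed for the demonstration.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for xored, encrypted or compressed data."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Walk the section table; yield (name, raw_ptr, raw_size, characteristics)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        flags, = struct.unpack_from("<I", image, off + 36)
        yield name, raw_ptr, raw_size, flags

def section_entropies(image: bytes) -> dict:
    return {name: shannon_entropy(image[ptr:ptr + size])
            for name, ptr, size, _ in pe_sections(image)}

def suspicious_sections(image: bytes, threshold: float = 7.0) -> list:
    # sections whose raw bytes look xored/packed rather than code or plain data
    return [n for n, e in section_entropies(image).items() if e >= threshold]

def build_sample_pe() -> bytes:
    """Constructed PE32+: a plain .text section plus an appended xored payload section."""
    text = b"\x90" * 512 + b"\xc3" + b"\0" * 511      # low-entropy code stand-in
    payload = bytes(range(256)) * 4                    # stand-in for the embedded PE
    xored = bytes(b ^ 0x5A for b in payload)           # constructed key; entropy stays 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 238       # PE32+ optional header, zero-filled
    def sec(name, ptr, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, ptr, size, ptr, 0, 0, 0, 0, flags)
    hdr = dos + coff + opt + sec(b".text", 512, 1024, 0x60000020) + sec(b".hvkd", 1536, 1024, 0xC0000040)
    return hdr.ljust(512, b"\0") + text + xored
```

Run `suspicious_sections(build_sample_pe())` to see only the appended section reported; on real samples, pair the entropy hit with the section being last in the table and marked writable.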

Credits:

https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/
https://github.com/br-sn/CheekyBlinder
https://github.com/lawiet47/STFUEDR
https://papers.vx-underground.org/papers/Windows/Infection/2015-03-06%20-%20PE%20Infection%20-%20Add%20a%20PE%20section%20-%20with%20code.txt
