Applying XOR on a raw shellcode


UniByAv is a simple obfuscator that take a raw shellcode and generate executable that are Anti-Virus friendly, really useful to check antivirus solutions.

The obfuscation routine is purely writtend in assembly to remain pretty short and efficient. In a nutshell the application generate a 32 bits xor key and brute force the key at run time then perform the decryption of the actually shellcode.

I’m going to update the code over the time to also support some of the evasion technique that I was using.

Evasion techniques

  • process
    Check if a specific process is running. If it does not run the binary exit without running the payload.
  • time
    Check if SleepEx was hooked. If it return bogus information it exit without running the payload.
  • domain
    Check if the current user is part of the defined domain. If it is not the case it exit without running the payload.

Installation

Simply clone the github repository and resolve some dependencies:

git clone https://github.com/Mr-Un1k0d3r/UniByAv.git
# apt install mingw-w64
# apt install wine

More information and downloads

[embed]https://github.com/Mr-Un1k0d3r/UniByAv[/embed]