The Quest to Evade Defender - Part 2: XOR Encryption

In part 1 we demonstrated how our basic shellcode loader would work in order to pop calc.exe. Now we have our basic proof of concept working and a baseline detection rate. But if you take another look at the VirusTotal detections you’ll see that one of the primary detection flags is for ‘Meterpreter’. Well, that’s expected and also not very fun! Currently AVs are able to easily identify the Meterpreter shellcode, which blows our cover straight away. Although, it is somewhat concerning that a good portion of AVs did not detect it. ...

August 11, 2025 · 5 min

The Quest to Detect KVM QEMU - Part 1: The CPUID Instruction

This one is a little side quest I went on when trying to evade Defender. After spending some time using Windows as my host I decided I wanted to go back to Linux. Now I had a lab set up in Hyper-V but nothing of real importance, so I decided to just start fresh this time (using Arch, btw). Now something that had always attracted my attention is VM detection. I previously had a VFIO gaming setup, which meant I was able to pass through a GPU and some other components directly to my VM, giving it near-native performance. This setup was great; however, the main downside was that you still couldn’t play the majority of competitive games because they would detect the VM and stop it all there. Interestingly enough, there were always people who claimed to have bypassed this, but it was always kept pretty hush-hush as the methods would be patched. ...

July 24, 2025 · 6 min

The Quest to Evade Defender - Part 1: A Basic Loader

This quest begins like many others: from a quest giver. In this case that quest giver is me in a temporary state of overconfidence. So the idea was simple. After having played around with Zig and getting some basic malware functionality working, I decided I wanted to dive further into the world of maldev, particularly around the world of obfuscation and evasion. I figured a good starting point would be to write a simple shellcode loader which can execute a basic Meterpreter payload without being detected by Windows Defender. ...

July 9, 2025 · 6 min