Defender

In part 1 we demonstrated how our basic shellcode loader would work in order to pop calc.exe. Now we have our basic proof of concept working and a baseline detection rate. But if you take another look at the VirusTotal detections you’ll see that one of the primary detection flags is for ‘Meterpreter’. Well thats expected and also not very fun! Currently AVs are able to easily identify the meterpreter shellcode which blows our cover straight away. Although, it is somewhat concerning that a good portion of AVs did not detect it. ...

This quest begins like many others. From a quest giver. In this case that quest giver is me in a temporary state of overconfidence. So the idea was simple. After having played around with Zig and getting some basic malware functionality working I decided I wanted to dive further into the world of maldev. Particularly around the world of obfuscation and evasion. I figured a good starting point would be to write a simple shellcode loader which can execute a basic Meterpreter payload without being detected by Windows Defender. ...