How to bypass Windows Defender with Embedded Resources (.rsrc)

  • Added: 6. 09. 2024

Comments • 32

  • @stanislavsmetanin1307 6 months ago +1

    Awesome, master!! :) My hat is OFF to you.

  • @safe957 11 months ago +4

    Can you do an in-depth tutorial on the basics of embedding in resources?

  • @Kumar-od6xx 1 month ago

    Fantastic info!

  • @firos5381 11 months ago +3

    It has been a while, brother. Where were you? Glad to see you back with a video.

    • @gemini_security 11 months ago

      Thanks! Work has been busy recently and it is getting difficult to upload as regularly.

    • @firos5381 11 months ago

      @gemini_security Okay, ah well, hope to see you once a week if possible with an upload.

  • @tlykuyiyhaa8382 11 months ago +2

    God, man, I just did that and it works so nice.

    • @gemini_security 11 months ago +1

      Awesome man, I'm glad it worked for you!
      Cheers!

  • @halfbelf5923 11 months ago +1

    Good stuff

    • @gemini_security 11 months ago

      Thanks man! Appreciate the positive comment. Cheers

  • @nadrabd2756 11 months ago +1

    Thanks man ❤️❤️

  • @leonardogranda8873 11 months ago +3

    Hi! Very interesting video. I followed every step, but it is not working for me. I disabled Cloud protection (because it detects the shellcode) and I tested on 2 machines, but nothing.
    The exe runs, but no reverse shell appears in the Kali. I also disabled the Windows firewall and tested the connection.
    You mentioned using printf to check every step. Can you show me an example of where and how to use it?
    Thanks!!!

    • @gemini_security 11 months ago +3

      Hello, did you mean that it didn't work despite ensuring that the network connection is fine and Windows Defender is completely turned off? If that is the case, then it is definitely something wrong with your code.
      You can use printf in your code to ensure that every line of code runs as expected. You can also use printf to print out the data, such as the shellcode and the key, to make sure that it is not empty.
      You can also check out the template source code that I've used in the video: github.com/gemini-security/How-to-bypass-Windows-Defender-with-Embedded-Resources-.rsrc-
      Cheers!

    • @NikolasKerekes 9 months ago

      @gemini_security Hello, first of all, thanks for the awesome content you are posting.
      BUT this isn't working for me either: the encrypted/decrypted meterpreter revshell is not executed. The cmd window showing the printf message pops up, but nothing else happens. This behavior reminded me of 32-bit shells being encrypted with 64-bit and vice versa.
      Just for comparison, a simple msfvenom-generated revshell works fine between both systems (Kali, Win11).
      So I took a closer look at what our output is, and it seems there's something wrong with the compiling, as the payload.exe is compiled even if there's no cipher.bin/key.bin -
      but guess what - the content of BIN1 & BIN2 in the .rsrc folder within the exe file is identical even if those files are missing in the working directory while compiling.
      BIN1 and BIN2 contain a file called 102 (704 bytes) and 103 (16 bytes) as defined in demo.o, but it looks like the payload is missing in BIN1...
      Next step: I realized that all payloads have the identical size, so just for kicks I AES-encrypted a bigger .bin file and compiled it -
      outcome: a 1,2 Mb .bin ends up in a 248,9 Kb - so it seems cipher.bin and key.bin are not picked up by the compiler ..
      I also used your templates from git, just to be sure I haven't made a mistake rebuilding the cpp and cr step by step - same result.
      BTW: the icon is applied without any problems, so the demo.o seems to work. Also, that the folders BIN1, BIN2 and ICON exist within the .rsrc folder means the demo.o is kicking in.
      Any ideas? :)

    • @josejavi8618 9 months ago

      @NikolasKerekes @gemini_security I am the same as you: I have followed all the steps and I can't get communication with the reverse shell. If you have the solution, let me know, thanks.

    • @subhanumer2926 8 months ago

      @NikolasKerekes Yeah, I tried that too. It seems to me like the problem lies with encryption and encoding on .bin files with format raw. I tried the whole program before the AES encryption part and it worked fine; it only stopped giving a reverse shell when you applied encryption.
      So I thought maybe it was a problem with the encryption Python script, so I tried to perform the encryption through msfvenom using --encrypt xor --encrypt-key secretkey, but that once again failed.
      But when I tried it without encrypting it in msfvenom, it worked once again.
      To make sure it wasn't faulty encryption on my end, I created a simple exe file with the same encryption and encoding I performed on the bin file, but that managed to successfully create a connection with my Windows PC.
      The loader does work fine as long as you don't perform any encryption on the binary payload.

  • @mmdk-vl8bu 11 months ago +1

    Thank you very much.

    • @gemini_security 11 months ago +1

      You're welcome! I hope you have found the video to be useful and interesting.
      Cheers.

  • @koshane522 11 months ago +1

    I tested on Windows 10 and it's not getting back a reverse shell. Do you know why?

    • @gemini_security 11 months ago

      No idea. You can add in printf functions to troubleshoot if every line gets executed successfully. Make sure to check your network connectivity between your Windows and Kali as well.

    • @indra5557 11 months ago

      @gemini_security Same here; the printf functions work on every line, though.
      Maybe because of using port forwarding?

    • @homelyone 6 months ago

      @gemini_security It gives an error "CryptDecrypt failed: 87".

  • @giomke 11 months ago +1

    have you tried with meterpreter payload?

  • @hidayatbachtar 10 months ago +1

    Is this similar to what ScareCrow does?

    • @gemini_security 10 months ago

      Yes, the concept is similar. It takes a payload file and performs some kind of transformation on it, such as encryption.
      However, ScareCrow is much more complex and supports a ton of other features. This method is really just a simple proof of concept that is tiny compared to ScareCrow.

  • @kidfire 11 months ago +2

    It’s detected

  • @karrykay2613 1 month ago

    The app crashes, why?!

  • @TechKiddos 11 months ago +2

    So much learning from 1 video..
    Please teach some techniques like this for APK files.
    Thanks.
    *subscribe*

    • @gemini_security 11 months ago

      Thanks! It is very much appreciated!
      I have yet to explore all these hacky hacky techniques on Android. It will be a new area for me. Good content suggestion though! I will definitely keep it in mind for potential future content!
      Cheers.