itsMe Posted April 27, 2023

PE obfuscator with evasion in mind; it needs admin privilege in order to load the RTCore64 driver.

The Obfuscator:
- Gets the XORed fileless PE from a remote server
- Drops the Loader to disk
- Adds a random section to that Loader
- Adds the XORed fileless PE to the newly created Loader section

The Loader:
- Unhooks ntdll from KnownDlls
- Drops RTCore64 to disk
- Loads/installs RTCore64
- Exploits RTCore64 to remove kernel callbacks
- XORs the PE
- Maps/loads the PE from the added section
- Stomps a big module that fits the PE
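Added example for this thread, written by the editor and not code from the post or from the obfuscator/loader it describes: a triage script for the loader shape described above, i.e. a PE that gained an extra, randomly named section holding an XORed PE. It walks the section table with the standard library only, flags section names outside a common linker-emitted set (a heuristic allow-list, not something the post states), reports per-section entropy, and brute-forces a single-byte XOR key by looking for an MZ header whose e_lfanew lands on a PE signature. Two assumptions the post does not make: the XOR key is one byte long, and the sample PE is constructed inside the script as a structurally minimal, non-loadable image purely for the demonstration.

```python
import math
import struct

# Heuristic allow-list of section names usually emitted by MSVC/LLVM linkers (assumption).
STANDARD_SECTIONS = {
    b".text", b".rdata", b".data", b".pdata", b".rsrc",
    b".reloc", b".idata", b".edata", b".tls", b".bss",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> section table;
    returns [(name, PointerToRawData, SizeOfRawData)] in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    out = []
    for i in range(num_sections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]   # IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)
        out.append((hdr[:8].rstrip(b"\0"), raw_off, raw_size))
    return out


def find_xored_pe(blob: bytes):
    """Try all 256 single-byte keys (assumed key length); accept a key only if the
    decoded blob starts with MZ and its e_lfanew points at PE\\0\\0.
    Returns (key, decoded) or None; key 0 means a plaintext PE is embedded."""
    if len(blob) < 0x40:
        return None
    for key in range(256):
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:   # 'M', 'Z'
            continue
        e_lfanew = struct.unpack("<I", bytes(b ^ key for b in blob[0x3C:0x40]))[0]
        if e_lfanew + 4 > len(blob):
            continue
        if bytes(b ^ key for b in blob[e_lfanew:e_lfanew + 4]) == b"PE\0\0":
            return key, bytes(b ^ key for b in blob)
    return None


def scan(pe: bytes):
    """One finding per section: name, whether it is a common name, entropy,
    and the XOR key if an embedded PE was recovered from it."""
    findings = []
    for name, off, size in parse_sections(pe):
        data = pe[off:off + size]
        hit = find_xored_pe(data)
        findings.append({
            "name": name.decode("latin-1"),
            "standard_name": name in STANDARD_SECTIONS,
            "entropy": round(entropy(data), 2),
            "xor_key": hit[0] if hit else None,
        })
    return findings


def build_pe(sections):
    """Constructed fixture: minimal PE32+ with [(name, data)] sections at 0x200
    file alignment. Headers are correct enough to parse; the image is not meant to run."""
    def align(n, a=0x200):
        return (n + a - 1) // a * a
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 238                     # PE32+ magic, rest zeroed
    header_size = align(len(dos) + len(coff) + len(opt) + 40 * len(sections))
    table, body, raw_off, va = b"", b"", header_size, 0x1000
    for name, data in sections:
        raw_size = align(len(data))
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_off, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_off += raw_size
        va += align(len(data), 0x1000)
    return (dos + coff + opt + table).ljust(header_size, b"\0") + body


# Constructed sample: a "loader" whose appended random-named section carries an XORed PE.
XOR_KEY = 0x7F
INNER_PE = build_pe([(b".text", b"\x90" * 64 + b"\xC3")])
SAMPLE_PE = build_pe([
    (b".text", b"\x90" * 200 + b"\xC3"),                       # the loader's own code
    (b"ruhk", bytes(b ^ XOR_KEY for b in INNER_PE)),           # the added section
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_PE):
        print(finding)
```

Entropy alone is a weak signal for this particular scheme: a single-byte XOR only permutes byte values, so the appended section keeps the entropy of the plaintext PE it hides; the unusual section name and the recoverable MZ/PE pair are the stronger indicators, and a longer repeating key would need the usual key-length estimation before the same header check applies.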