itsMe Posted July 23, 2023

PE obfuscator with evasion in mind. Needs admin privilege in order to load the RTCore64 driver.

The Obfuscator:
– Gets the XORed fileless PE from a remote server
– Drops the Loader to the disk
– Adds a random section to that Loader
– Adds the XORed fileless PE to the newly created Loader section

The Loader:
– Unhooks ntdll from KnownDlls
– Drops RTCore64 to the disk
– Loads/installs RTCore64
– Exploits RTCore64 to remove kernel callbacks
– XORs the PE
– Maps/loads the PE from the added section
– Stomps a big module that fits the PE
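A defender-side check for the layout the post describes (an encoded payload dropped into an extra, randomly named PE section), as an added example that is not part of the post or the tool: it parses the section table with the standard library only and flags non-standard section names whose raw bytes have near-random entropy. The sample PE it scans is constructed inline for illustration and carries no real code.

```python
import math
import random
import struct

KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".tls"}  # usual linker names (assumption)

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; XOR-encoded, packed or encrypted payloads sit close to 8.0."""
    n = len(buf)
    return -sum(p * math.log2(p) for p in (buf.count(b) / n for b in set(buf))) if n else 0.0

def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) for every section header in a PE file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, raw_ptr, raw_size

def suspicious_sections(data: bytes, threshold: float = 7.0):
    """Return (name, entropy) for sections with an unusual name and near-random content."""
    hits = []
    for name, ptr, size in pe_sections(data):
        ent = shannon_entropy(data[ptr:ptr + size])
        if name not in KNOWN_SECTIONS and ent >= threshold:
            hits.append((name, round(ent, 2)))
    return hits

def build_sample_pe() -> bytes:
    """Constructed test input: a flat .text section plus an appended six-letter-named section holding XOR-encoded random bytes."""
    rng = random.Random(1)
    text = b"\x90" * 512
    payload = bytes(b ^ 0x5A for b in rng.randbytes(2048))          # XOR does not lower entropy
    name = bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz") for _ in range(6))
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                  # e_lfanew = 64
    opt = bytes(240)                                                 # zeroed PE32+ optional header
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    data_start = 64 + 4 + 20 + len(opt) + 2 * 40
    def sec(nm, ptr, body):
        return struct.pack("<8sIIIIIIHHI", nm, len(body), 0x1000, len(body), ptr, 0, 0, 0, 0, 0x60000020)
    sections = sec(b".text", data_start, text) + sec(name, data_start + len(text), payload)
    return dos + b"PE\0\0" + file_hdr + opt + sections + text + payload
```

Run it over real binaries with `suspicious_sections(open(path, "rb").read())`; packed but legitimate software will also trip the heuristic, so treat a hit as a triage signal rather than a verdict.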