https://iwantmore.pizza/posts/PEzor.html

Red teamers often need to bypass AV solutions, and I recently needed a more powerful tool than x0rro to perform some tasks and bypass a solution I was targeting. At the end of my development journey, I was satisfied enough with the result that I decided to open-source both the design and the implementation process I followed to build my solution.

[Image: PEzor Mimikatz]

Intro

Due to some research I am currently doing, I needed a tool that could reshape pre-existing executables into a different form in order to evade known signatures implemented in endpoint security solutions and to evaluate the robustness of their detection engines. I have a strong preference for POSIX operating systems, so I wanted something I could run on a GNU/Linux distro without requiring an entire Windows/Visual Studio installation to compile the executable: for this reason I chose the Mingw-w64 development environment, but I am sure the code can be ported to the official development environments as well. The only requirement we have to meet is to provide an LLVM-based toolchain in order to execute raw syscalls, since it is the only compiler supported by the library we use to inline the execution of syscalls. What looks like a limitation right now will instead become very handy when we think about how to make the generated executable polymorphic in order to evade trivial signatures.

The phases of the development that will be described in detail are:

  1. set up the development environment with Mingw-w64 and LLVM
  2. shellcode injection with syscall inlining via NTDLL in-memory scraping (x86-64 only)
  3. removal of user-land hooks from the in-memory NTDLL to retrieve the correct syscall numbers
  4. upgrade the shellcode injector to a full PE packer with Donut
  5. ensure the produced shellcode is always different at each build with sgn
  6. ensure the compiled loader is always different at each build with LLVM obfuscation
  7. implement some simple anti-debug tricks for the initial loader

Setting up the Development Environment

We need to set up a toolchain that uses Mingw-w64 together with LLVM/Clang. First, let's install the development environment with apt:

apt install mingw-w64 clang build-essential

After that, we can integrate them by using the Wclang project.

git clone --depth 1 https://github.com/tpoechtrager/wclang.git &&
cd wclang &&
cmake -DCMAKE_INSTALL_PREFIX=_prefix_ . &&
make &&
make install &&
cd ..
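Once the install above has finished, it is worth confirming that the toolchain is actually on PATH and that the Clang wrapper really emits a Windows PE image when asked to cross-compile, rather than a host ELF. The script below is an added example and not code from the original post or from the PEzor project. It assumes the wclang wrapper is installed as x86_64-w64-mingw32-clang (adjust the name if your install differs); the header bytes used by its offline self-check are constructed sample data, not a real binary.

```shell
#!/bin/sh
# Added example, not from the original post or the PEzor project: sanity-check the
# Mingw-w64 + LLVM toolchain after the wclang install and confirm that a
# cross-compiled test program is a Windows PE image.
# Assumption (not from the page): the wclang wrapper is named x86_64-w64-mingw32-clang.

# Return 0 if every tool named in the arguments is on PATH, 1 otherwise.
have_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Print $3 bytes at offset $2 of file $1 as lowercase hex with no separators.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -t x1 | tr -d ' \n'
}

# Return 0 if the file starts with the DOS "MZ" stub and the 32-bit little-endian
# offset stored at e_lfanew (byte 0x3c) points to the "PE\0\0" signature.
is_pe_file() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(hex_at "$f" 0 2)" = "4d5a" ] || return 1
    lfanew=$(od -An -t u4 -j 60 -N 4 "$f" 2>/dev/null | tr -d ' ')
    [ -n "$lfanew" ] || return 1
    [ "$(hex_at "$f" "$lfanew" 4)" = "50450000" ]
}

# Write a constructed, minimal 68-byte header (MZ stub, e_lfanew = 0x40, then
# "PE\0\0" at 0x40) to $1. Sample data for an offline self-check, not a real binary.
write_fake_pe_header() {
    {
        printf 'MZ'
        dd if=/dev/zero bs=1 count=58 2>/dev/null   # pad bytes 2..59 with zeros
        printf '\100\000\000\000'                     # e_lfanew = 64 (0x40), little-endian
        printf 'PE\000\000'                           # PE signature at offset 0x40
    } > "$1"
}

# Cross-compile a trivial program with the wrapper and return 0 only if the result
# is a PE image; return 2 when the compiler is not installed, 1 on any other failure.
build_and_check() {
    cc=${1:-x86_64-w64-mingw32-clang}
    have_tools "$cc" || return 2
    dir=$(mktemp -d) || return 1
    src=$dir/hello.c
    out=$dir/hello.exe
    printf '#include <stdio.h>\nint main(void){puts("hello from mingw-w64");return 0;}\n' > "$src"
    "$cc" -o "$out" "$src" || { rm -rf "$dir"; return 1; }
    is_pe_file "$out"
    rc=$?
    rm -rf "$dir"
    return $rc
}

rc=0
build_and_check || rc=$?
case $rc in
    0) echo "toolchain OK: cross-compiled output is a PE image" ;;
    2) echo "x86_64-w64-mingw32-clang not found on PATH; finish the wclang install first" ;;
    *) echo "toolchain produced something that is not a PE image" >&2 ;;
esac
```

The PE check reads only the two fields that every Windows image must have (the "MZ" stub and the e_lfanew pointer to "PE\0\0"), so a host-native ELF or a script produced by a misconfigured wrapper is reported immediately, before you spend time on the later build steps.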