Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/chainski/pandaloader

A WIP shellcode loader tool which bypasses AV/EDR, coded in C++, and equipped with a minimal console builder.
https://github.com/chainski/pandaloader

bypass-antivirus crypter edr-bypass etw-bypass etw-evasion evasion malware obfuscation payload-generator pe-loader persistence powershell redteam shellcode shellcode-encoder shellcode-loader xor-encryption

Last synced: 2 months ago
JSON representation

A WIP shellcode loader tool which bypasses AV/EDR, coded in C++, and equipped with a minimal console builder.

Awesome Lists containing this project

README 

        








  

    Top Language

  

    Stars

  

    Forks

  

    Issues

  

    Commit Activity

  


  

    License

  

    Contributors

  

  Views

  

    Repo Size




PandaLoader



PandaLoader is a WIP shellcode loader designed to evade detection by using various anti-analysis techniques and features such as virtual machine (VM) detection, process injection, and payload decryption.



# Features

```

[~] Add Windows Defender Exclusions [admin required]

[~] Persistence [optional] 

[~] Mutex : Only a single instance of PandaLoader will be running at any given time

[~] Anti-VM Techniques: Ensures that the loader doesn't execute in a virtualized environment, which is commonly used for malware analysis.

[~] Obfuscation: Uses compile-time string obfuscation to hinder static analysis.

[~] XOR Encryption with Dynamic Key Generation: Protects the shellcode from being easily detected by antivirus tools.

[~] APC Injection: A stealthy method to execute code in the context of another process.

[~] ETW Patching: Prevents certain Windows logging mechanisms from being used to detect the malware's activities.

[~] Self-Dectruct [optional]

```



# How It Works 



#### Anti-VM Checks (IF ENABLED IN BUILDER)

Before loading the shellcode, PandaLoader performs extensive anti-VM checks to determine if it's running in a virtualized environment. This includes:

- Process Scanning: It checks for the presence of specific processes associated with VM environments (e.g., `vboxmouse.sys`, `vmwareuser.exe`).

File and Directory Scanning: It searches for files and directories related to `VM tools`, such as `VirtualBox` or `VMware`.

Machine Process Count: It checks if the number of running processes is below 100, which could indicate a `VM` or sandbox environment.

ETW (Event Tracing for Windows) Patch: It patches functions related to `ETW` to prevent the logging of events, which could be used for analysis.

If any `VM` indicators are detected, the loader will terminate.

- Payload Retrieval :

The shellcode is downloaded from a remote URL specified in the `SHELLCODE_URL` when using the builder.

It uses the WinINet API to download the payload into a `std::vector` buffer.

- Payload Decryption :

The decryption key is specified by the `XOR_DECRYPTION_KEY` which is the one generated using the builder.

The decryption is performed by the `XORDecrypt()` function, which iterates through the payload and `XORs` each byte with the corresponding byte in the key.

- Process Injection :

PandaLoader creates a suspended process, defaults to (`wmiprvse.exe` in this case) using `CreateProcessA`.

It then allocates memory in the target process using `VirtualAllocEx`, with `MEM_COMMIT` and `MEM_RESERVE` flags, making the allocated memory readable, writable, and executable (`PAGE_EXECUTE_READWRITE`).

The decrypted shellcode is written into the allocated memory using `WriteProcessMemory`.

After writing the shellcode, the memory permissions are adjusted to `PAGE_EXECUTE_READ` using `VirtualProtect` to reduce the chances of detection by security software.

- Shellcode Execution :

The shellcode is executed by queuing it as an APC (Asynchronous Procedure Call) to the suspended process thread using `QueueUserAPC`.

The thread is then resumed using `ResumeThread`, which causes the shellcode to be executed in the context of the target process.

- Persistence and Cleanup :

If persistence is enabled `ENABLE_STARTUP`, the loader copies itself to a specific directory and creates a scheduled task to run on startup.

If the `MELT` option is enabled, the loader deletes itself after successful execution to reduce the footprint on the victim machine.



# PandaLoader Builder Usage Guide

The PandaLoader Builder is a tool designed to help you create a custom payload loader by performing several steps, including shellcode encryption and remote hosting.

- Open `PandaBuilder.cmd`

- Input Shellcode: Start by providing your raw shellcode as input to the Builder. `eg: shellcode.bin`

- Shellcode Encryption: The Builder will encrypt your shellcode using `XOR` encryption. This step is essential for obfuscating the payload, to bypass `AV/EDR` etc.

- Upload Encrypted Shellcode: After encryption, you will be prompted to upload the encrypted shellcode to a remote server.

- Provide Download Link: Once the shellcode is uploaded, the Builder will ask for the `download link` to the shellcode. This link is necessary for the next step.

- Building the Loader: Using the provided download link, the Builder will compile a custom C++ stub (the loader). This loader is designed to download and execute the encrypted shellcode from the remote server.

- Compile the Loader: The final step is compiling the loader using `Mingw-w64`, a cross-compiler for Windows. Ensure that `Mingw-w64` is installed on your system before running the Builder.

- **NOTE: If startup is selected the Builder will generate an uninstaller for you to remove the Loader.**



# Requirements:

- Operating System: Any x64 Windows system.

- Compiler: Mingw-w64 must be installed.



# Downloads

[MinGW builds](https://github.com/brechtsanders/winlibs_mingw/releases)



# Detections 0/26

https://avcheck.net/id/dfYuFYeviJV8



> [!TIP]

> Please avoid raising issues related to detections, as it is not productive. The goal of this project is to support teaching and learning.

This project is fully undetectable (FUD) on its release day (August 2024). However, a free, publicly available, and open-source loader will not stay undetected for long. 

Modifying the stub to avoid detection is challenging, and any progress made will likely be rendered useless due to constant AV signature updates within a few days.

Therefore, no updates will be provided to address detection issues, however PandaLoader offers a fully functional implementation that is easy to modify and extend. 



# Contributing



Contributions are welcome, You can be a small part of this project!



# References

- https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101

- https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/register-scheduledtask?view=windowsserver2022-ps

- https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection

- https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa

  

# Credits

- https://github.com/TheWover/donut `converts NATIVE and .NET payloads into raw shellcode`

- https://github.com/ac3ss0r/obfusheader.h `compile-time obfuscation`

- https://github.com/EvilBytecode/GoDefender `Anti-VM techniques`

- https://github.com/7etsuo/windows-api-function-cheatsheets `injection methods` 

- https://github.com/mustjoon/evade-stager-c/tree/main `staged loader method` 



# License

This project is licensed under the MIT License - see the [LICENSE](https://github.com/Chainski/PandaLoader/blob/main/LICENSE) file for details



# Disclaimer

Important Notice: This tool is intended for educational purposes only.

This software, referred to as PandaLoader, is provided strictly for educational and research purposes. 

Under no circumstances should this tool be used for any malicious activities, including but not limited to unauthorized access, data theft, or any other harmful actions.



Usage Responsibility:

By accessing and using this tool, you acknowledge that you are solely responsible for your actions. 

Any misuse of this software is strictly prohibited, and the creator (Chainski) disclaims any responsibility for how this tool is utilized. 

You are fully accountable for ensuring that your usage complies with all applicable laws and regulations in your jurisdiction.



No Liability:

The creator (Chainski) of this tool shall not be held responsible for any damages or legal consequences resulting from the use or misuse of this software. 

This includes, but is not limited to, direct, indirect, incidental, consequential, or punitive damages arising out of your access, use, or inability to use the tool.



No Support:

The creator (Chainski) will not provide any support, guidance, or assistance related to the misuse of this tool. Any inquiries regarding malicious activities will be ignored.



Acceptance of Terms:

By using this tool, you signify your acceptance of this disclaimer. If you do not agree with the terms stated in this disclaimer, do not use the software.