-
Notifications
You must be signed in to change notification settings - Fork 27
Techniques
These techniques only can use with (powershell) reverse shell. You can see the techniques as (C) file on mcreatortechniques.py.
creator > show techniques
****
(0) : Don't want to use any technique
(1) : strstr # Default
(2) : toomuchmem
(3) : increment
strstr : Normally when an anti-virus starts to scan file first of all AV's copies original_file.exe to original_file_copy.exe so if something happens it's not gonna happen to original file. So Basically what "strstr" does is it will check if the original_filename changed by AV products, if file is changed then encryptedshellcode won't run in dynamic memory by decryptshellcodeinmemory function:
"if(original_filename == filename){
decryptshellcodeinmemory()
} else {
do_nothing()
}
"
toomuchmem : It will put so much memory to beginning of file, so when a computer's memory runs a file it can take more than "100000000" bytes in memory. But when Anti-virus products run it in virtual memory it won't take more than "500000". So if malware can run after "100000000" bytes then it means it's actual computer but if it can't run after "100000000" bytes then that means it's an anti-virus product scanning our malware.
Increment : Increment is same as "toomuchmem". But it does it in different way you can see technique's soruces at here : https://github.com/blacknbunny/mcreator/blob/master/mcreatortechniques.py