AI prompts
base on Encrypted shellcode Injection to avoid Kernel triggered memory scans # Caro Kann
<p align="center">
<img src="https://github.com/S3cur3Th1sSh1t/Caro-Kann/blob/main/images/CaroKann.jpg?raw=true" alt="Caro Kann defense" width="400" height="400">
</p>
Encrypted shellcode Injection to avoid memory scans triggered from Kernel (ETWti / Kernel Callbacks). Specific combinations of Windows APIs, e.g. for injection into a remote process can lead to a memory scan:
<p align="center">
<img src="https://github.com/S3cur3Th1sSh1t/Caro-Kann/blob/main/images/ScanTrigger.png?raw=true" alt="ScanTrigger">
</p>
Typically, the scan can be triggered from Userland via hooks on the execute primitive such as `NtCreateThreadEx`. But more and more EDR vendors also tend to trigger scans from Kernel, for example after the Kernel Callback `PsSetCreateThreadNotifyRoutine()` a scan could be triggered. But what if there is no executable memory section with known malicious code? Well, no alert for an detection I guess.
<ins>The idea is as follows:</ins>
- Inject encrypted <ins>known malicious</ins> payload into an `RW` section
- Inject custom non <ins>known malicious</ins> shellcode into an `RX` section
- Create a remote Thread on the second shellcode
<p align="center">
<img src="https://github.com/S3cur3Th1sSh1t/Caro-Kann/blob/main/images/Inject.png?raw=true" alt="Inject">
</p>
<ins>The custom shellcode will than:</ins>
- Sleep for an amount x (to avoid memory scans triggered by the execute primitive of Thread creation)
- Decrypt the first <ins>known malicious</ins> shellcode
- Protect the section from `RW` to `RX`
- Make a direct `JMP` to the known malicious shellcode
<p align="center">
<img src="https://github.com/S3cur3Th1sSh1t/Caro-Kann/blob/main/images/Shellcode.png?raw=true" alt="Shellcode">
</p>
## Setup
On linux, the PIC-Code was found to be compiled correctly with `mingw-w64` version `version 10-win32 20220324 (GCC)`. With that version installed, the shellcode can be compiled with a simple `make` and extracted from the `.text` section via `bash extract.sh`.
If you'd like to compile from Windows, you can use the following commands:
```
as -o adjuststack.o adjuststack_as.asm
gcc ApiResolve.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o ApiResolve.o -Wl,--no-seh
gcc DecryptProtect.c -Wall -m64 -masm=intel -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o decryptprotect.o -Wl,--no-seh
ld -s adjuststack.o ApiResolve.o decryptprotect.o -o decryptprotect.exe
gcc extract.c -o extract.exe
extract.exe
```
You also need to have [Nim](https://nim-lang.org/) installed for this PoC.
<ins>After installation, the dependencies can be installed via the following oneliner:</ins>
```nim
nimble install winim ptr_math
```
<ins>The PoC can than be compiled with:</ins>
```nim
nim c -d:release -d=mingw -d:noRes CaroKann.nim # Cross compile
nim c -d:release CaroKann.nim # Windows
```
Any payload can be XOR encrypted with the given `encrypt.cpp` code:
```
Usage: encrypter.exe input_file output_file
```
The encrypted payload can than be embedded in the PoC via the following line:
```
const shellcode = slurp"<encrypted.bin>"
```
## OPSec improvement ideas
- Bypass Userland-Hooks for Injection (although not really needed, but for fun)
- Back Payload(s) by legitimate DLL (Module Stomping)
- Load C2-Dlls via the first Shellcode - which can avoid memory scans triggered by module loads
- Use ThreadlessInject or DLLNotificationInjection instead of Remote Thread Creation
## OPSec considerations for C2-Payloads
- Should use Sleep encryption, otherwise the payload will get flagged later
- Should use Unhooking first or (in)direct Syscalls
- Should use Proxy module loading
", Assign "at most 3 tags" to the expected json: {"id":"1634","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"