Antivirus-Evading DLL Shellcode Loader with AES Encryption

By /

Listen to this Post

Hankang Zhou recently shared a GitHub project demonstrating a script to generate an Antivirus-evading (static) DLL shellcode loader using AES encryption. This technique focuses on bypassing signature-based detection by encrypting shellcode and critical functions like VirtualAlloc.

Key Features:

  • AES-encrypted shellcode (key optionally passed as a parameter, not hardcoded).
  • Obfuscation of library names and cryptographic functions.
  • Reduced entropy of encrypted payload to evade static analysis.

GitHub: https://lnkd.in/dBt73fM4

You Should Know:

1. Shellcode Encryption & Execution Workflow

The loader encrypts the shellcode using AES, making it harder for AVs to detect malicious patterns.

Example AES Encryption (Python):

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import os

key = os.urandom(32)  AES-256 key
iv = os.urandom(16)  Initialization Vector

cipher = AES.new(key, AES.MODE_CBC, iv)
shellcode = b"\x90\x90\x90..."  Your shellcode
encrypted_shellcode = cipher.encrypt(pad(shellcode, AES.block_size))

2. Obfuscating Suspicious Functions

Instead of directly calling VirtualAlloc, the loader dynamically resolves APIs:

C++ Example (Windows API Obfuscation):

HMODULE hKernel32 = LoadLibraryA("kernel32.dll");
FARPROC pVirtualAlloc = GetProcAddress(hKernel32, "VirtualAlloc");

3. Reducing Entropy for Evasion

High entropy often triggers AV alerts. The loader minimizes this by:
– Using AES-CBC (instead of XOR).
– Embedding legitimate-looking data alongside encrypted payload.

4. Loading Shellcode in Memory

After decryption, the shellcode is executed in memory:

C++ Shellcode Execution:

LPVOID exec_mem = VirtualAlloc(0, shellcode_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(exec_mem, shellcode, shellcode_size);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);

5. Bypassing Dynamic Analysis (Future Work)

  • VEH (Vectored Exception Handling): To evade sandboxing.
  • Remote Process Injection: Loading into legitimate processes (e.g., explorer.exe).

What Undercode Say

This technique effectively bypasses static detection but may still be caught by behavioral analysis (e.g., EDR solutions). For better evasion:
– Use indirect syscalls instead of direct API calls.
– Implement sleep obfuscation (e.g., NtDelayExecution).
– Leverage process hollowing for stealthier execution.

Relevant Linux/Windows Commands for Analysis:

[sh]
Check process memory (Linux):
pmap -x

Detect suspicious DLLs (Windows):
tasklist /m

Monitor API calls (Windows – ProcMon):
Procmon.exe /AcceptEula /BackingFile log.pml
[/sh]

Expected Output: A stealthy, AV-evading payload that executes encrypted shellcode while minimizing detection risks.

GitHub: https://lnkd.in/dBt73fM4

References:

Reported By: Hankang Zhou – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Related Posts: