DarkArmour: Windows AV Evasion tool

Windows AV Evasion Tool

Store and execute an encrypted windows binary from inside memory, without a single bit touching disk.

Installation

It uses the python stdlib so no need to worry about any python dependencies, so the only issue you could come across are binary dependencies. The required binaries are i686-w64-mingw32-g++, i686-w64-mingw32-gcc, and upx (probably osslsigncode soon as well). These can all be installed via apt.

sudo apt install mingw-w64-tools mingw-w64-common g++-mingw-w64 gcc-mingw-w64 upx-ucl osslsigncode

Download

git clone https://git.dylan.codes/batman/darkarmour.git

Use

Example

Generate an undetectable version of a pe executable

./darkarmour.py -f bins/meter.exe –encrypt xor –jmp -o bins/legit.exe –loop 5

Execute shellcode (x86/64) inside memory without detection, just provide the raw shellcode

./darkarmour.py -S -f bins/meter.bin –encrypt xor –jmp -o bins/legit.exe –loop 5

Source: https://git.dylan.codes/batman/