PE-Obfuscator: PE obfuscator with Evasion in mind
A PE obfuscator written with evasion in mind. It needs administrator privileges in order to load the RTCore64 driver.
The Obfuscator:
– Fetches the XORed fileless PE from a remote server
– Drops the loader to disk
– Adds a section with a random name to that loader
– Writes the XORed fileless PE into the newly created loader section
The Loader:
– Unhooks ntdll using the clean copy from KnownDlls
– Drops RTCore64 to disk
– Loads/installs RTCore64
– Exploits RTCore64 to remove kernel callbacks
– XORs the PE
– Maps/loads the PE from the added section
– Stomps a large module that the PE fits into
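As an added example from the defender's side (this is not code from this project), the following Python triage script parses a PE's section table and flags sections whose name is not one a normal linker emits and whose contents are high-entropy, which is the shape the obfuscator's random-named, payload-carrying section takes. The sample PE, the section name kxq2 and the 7.0-bit threshold are constructed assumptions for the demonstration.

```python
import math
import random
import struct

KNOWN_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table; return each section's name and raw bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # From the COFF header take NumberOfSections and SizeOfOptionalHeader; the section table follows the optional header
    n_sections, opt_size = struct.unpack_from("<xxH12xH2x", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "data": pe[raw_ptr:raw_ptr + raw_size]})
    return sections

def suspicious_sections(pe, threshold=7.0):
    """Names of sections that are both non-standard and high-entropy: the shape an appended encoded payload takes."""
    return [s["name"] for s in parse_sections(pe)
            if s["name"] not in KNOWN_SECTIONS and shannon_entropy(s["data"]) >= threshold]

def build_sample_pe(sections):
    """Constructed minimal PE32+ layout (headers, section table, raw data) for offline testing; it is not executable."""
    n, opt = len(sections), b"\0" * 0xF0  # zeroed optional header; only its size matters to the parser
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew points at offset 0x40
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, len(opt), 0x22) + opt
    raw_ptr, table, body = len(head) + 40 * n, b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode()[:8].ljust(8, b"\0"),
                             len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr, body = raw_ptr + len(data), body + data
    return head + table + body

# Constructed sample: two ordinary sections plus a random-named, high-entropy one (seeded, so the result is stable).
_rng = random.Random(7)
SAMPLE_PE = build_sample_pe([(".text", b"\x90" * 512), (".rdata", b"constructed strings\0" * 32),
                             ("kxq2", bytes(_rng.getrandbits(8) for _ in range(2048)))])
```

A payload XORed with a single-byte or very short key keeps most of its original entropy, so treat the entropy score as one signal alongside the unusual section name rather than as proof on its own.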