PEzor: powerful tool for bypassing AV solutions
PEzor
an Open-Source PE Packer
The phases of the development that will be described in detail are:
- set up the development environment with Mingw-w64 and LLVM
- shellcode injection with syscall inlining via NTDLL in-memory scraping (x86-64 only)
- user-land hooks removal from in-memory NTDLL to retrieve correct syscall numbers
- upgrade the shellcode injector to a full PE packer with Donut
- ensure the produced shellcode is always different at each build with sgn
- ensure the compiled loader is always different at each build with LLVM obfuscation
- implement some simple anti-debug tricks for the initial loader
For the details of the techniques, please read the blog.
Download & Use
Copyright (C) 2020 phra
