Another version of EVA using anti-debugging techniques && using syscalls
First thing:
Don't upload to VirusTotal. This note is for you and not for me. If you want to keep this code effective, and you want to use it to bypass Windows Defender, DON'T UPLOAD IT TO VIRUSTOTAL
OR ANY OTHER WEBSITE LIKE IT; otherwise read the note at line 11 in EVA1.
- Visual Studio 2019 [it may work with Visual Studio 2017]
- Cobalt Strike [take a look at my repo cobalt-wipe]
- Python 2 for the encoder
- Load this profile, googledrive_getonly.profile, in Cobalt Strike:
  ./teamserver <lhost> <pass> <path to googledrive_getonly.profile>
- Create your shellcode [use https] (x64; x86 won't work) using Cobalt Strike [check my cobalt-wipe repo]
- Place your shellcode inside encoder.py [preferably change the keys] and run it using python2
- After encoder.py outputs your encrypted shellcode, copy and paste it inside EVA.cpp
- If you want to inject into another process, uncomment line 45 (not recommended though)
- Build the code using Visual Studio 2019, Release, x64 (x86 won't work)
- Enjoy
- New profile for the connection to the Cobalt Strike C&C; the profile is from here
- Anti-debugging techniques
- Encoded shellcode
- Decryption and injection of the shellcode happen in memory [byte by byte], so there is less chance of getting detected
- Using syscalls
Demo video: EVA2.-.DEMO.mp4
- My friend @NoOne-hub for helping me add the syscalls
- @mhaskar for Shellcode-In-Memory-Decoder, on which I built the whole code, in this repo and in the first one
- @hasherezade for antianalysis_demos
- @jthuraisamy for SysWhispers2