/EVA2

Another version of EVA using anti-debugging techs && using Syscalls

Primary LanguageC++GNU General Public License v3.0GPL-3.0

EVA2

Another version of EVA using anti-debugging techs && using Syscalls

First thing: Dont Upload to virus total. this note is for you and not for me. if you wanna keep this code effective, and u want to use it to bypass windows defender, DONT UPLOAD IT TO VIRUS TOTAL OR ANY OTHER WEBSITE LIKE IT, else read the note at line 11 in EVA1


REQUIREMENTS:

  • visual studio 2019 [ it may work with visual studio 2017 ]
  • cobalt strike [ take a look at my repo cobalt-wipe ]
  • python2 for the encoder

USAGE:

  • load this profile : googledrive_getonly.profile in cobaltstrike : ./teamserver <lhost> <pass> <path to googledrive_getonly.profile>
  • create your shellcode [use https] (x64 x86 wont work) using cobalt-strike [check my cobalt-wipe repo]
  • place your shellcode inside encoder.py [preferably change the keys] and run it using python2
  • after encoder.py output your encrypted shellcode copy and paste it inside EVA.cpp
  • if u want to inject to another process uncomment line 45 not recommended tho
  • build the code using visual studio 2019 - Release - x64 x86 wont work
  • enjoy

Features:

  • New Profile for the connection of the C&C of cobalt strike, the profile is from here
  • anti debugging tech
  • encoded shellcode
  • decryption & injection of the shellode happens in the memory [byte by byte] and thus, less chance to get detected
  • using syscalls

DEMO:

[+] You can do your self a favour and disable Automatic Sample Submission in windows defender:

Screenshot 2021-06-25 123639

EVA2.-.DEMO.mp4

special thanks for:



My Empty Ethereum Wallet (No jokes) : 0x1B4944030818392D76672f583884F4A125A4415e

120064592-a5c83480-c075-11eb-89c1-78732ecaf8d3