PEzoNG: Advanced Packer For Automated Evasion - Dimitri Di Cristofaro - Giorgio Bernardinetti
Red Team Village

Premiered Sep 19, 2021

Title: PEzoNG: Advanced Packer For Automated Evasion On Windows

Speakers: Dimitri Di Cristofaro and Giorgio Bernardinetti

A fully undetectable (FUD) executable is a highly coveted goal in the cybersecurity field, especially for Red Teams. In this talk we present the design and implementation of PEzoNG, a framework for the automatic creation of FUD binaries in a Windows environment.

PEzoNG features a custom loader for Windows binaries, polymorphic obfuscation, a payload decryption process and a number of anti-sandbox and anti-analysis evasion mechanisms; in particular, we present a novel userland unhooking technique. In addition, the custom loader supports a large number of Windows executable file types and features stealthy, bleeding-edge memory allocation schemes. Finally, we show the effectiveness of PEzoNG against a number of commercial anti-malware solutions. PEzoNG was born from the idea of PEzor (https://github.com/phra/PEzor), an open-source PE packer. At the time of writing, PEzoNG is a completely different project from PEzor, though they still share part of the name and the build environment, made up of LLVM and clang.

PEzoNG is written in C and C++ and uses the Mingw-w64 development environment together with the LLVM toolchain to compile and link.

PEzoNG source code is made up of three main components:

- the malicious payload, e.g. Cobalt Strike Raw Shellcode, Mimikatz, SharpHound, etc.

- the evasion code, which allows it to evade AV sandboxes and EDRs

- the main loader, which loads the malicious payload into memory and executes it.

PEzoNG is built with modularity in mind: new features can be added simply by writing new modules, each of which can implement a different technique at a fine level of detail.

The project is organized into the following macro-categories, or modules:

- Encryption

- Windows APIs

- Syscalls

- Evasion

- PE loader

- Shellcode injection

Red Team Village Website: https://redteamvillage.io
Discord: https://redteamvillage.io/discord
Twitter: https://redteamvillage.io/twitter