Login
Double Venom (DVenom) is a tool that helps red teamers bypass AVs by providing an encryption wrapper and loader for your shellcode.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.
To clone and run this application, you'll need Git installed on your computer. From your command line:
FreshRSS # Clone this repository
$ git clone https://github.com/zerx0r/dvenom
# Go into the repository
$ cd dvenom
# Build the application
$ go build /cmd/dvenom/After installation, you can run the tool using the following command:
./dvenom -hTo generate c# source code that contains encrypted shellcode.
Note that if AES256 has been selected as an encryption method, the Initialization Vector (IV) will be auto-generated.
./dvenom -e aes256 -key secretKey -l cs -m ntinject -procname explorer -scfile /home/zerx0r/shellcode.bin > ntinject.cs| Language | Supported Methods | Supported Encryption |
|---|---|---|
| C# | valloc, pinject, hollow, ntinject | xor, rot, aes256, rc4 |
| Rust | pinject, hollow, ntinject | xor, rot, rc4 |
| PowerShell | valloc, pinject | xor, rot |
| ASPX | valloc | xor, rot |
| VBA | valloc | xor, rot |
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
This project is licensed under the MIT License - see the LICENSE file for details.
Double Venom (DVenom) is intended for educational and ethical testing purposes only. Using DVenom for attacking targets without prior mutual consent is illegal. The tool developer and contributor(s) are not responsible for any misuse of this tool.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฆโโโ
โโโฆโโ โโโ โโโ โโโ โโโฆโโ โโโ โโโโโโ โ โโ
โโฉ โฉ โฉโโโโโโฉ โฉโโโโโโฉ โฉ โฉโโโโโโฉ โ โโโโฉ โฉโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฉโโโโโโโ
By Retr0id
โโโ MD5-Monomorphic Shellcode Packer โ โโ
USAGE: python3 monomorph.py input_file output_file [payload_file]
It packs up to 4KB of compressed shellcode into an executable binary, near-instantly. The output file will always have the same MD5 hash: 3cebbe60d91ce760409bbe513593e401
Currently, only Linux x86-64 is supported. It would be trivial to port this technique to other platforms, although each version would end up with a different MD5. It would also be possible to use a multi-platform polyglot file like APE.
Example usage:
$ python3 monomorph.py bin/monomorph.linux.x86-64.benign bin/monomorph.linux.x86-64.meterpreter sample_payloads/bin/linux.x64.meterpreter.bind_tcp.bin
People have previously used single collisions to toggle a binary between "good" and "evil" modes. Monomorph takes this concept to the next level.
Some people still insist on using MD5 to reference file samples, for various reasons that don't make sense to me. If any of these people end up investigating code packed using Monomorph, they're going to get very confused.
For every bit we want to encode, a colliding MD5 block has been pre-calculated using FastColl. As summarised here, each collision gives us a pair of blocks that we can swap out without changing the overall MD5 hash. The loader checks which block was chosen at runtime, to decode the bit.
To encode 4KB of data, we need to generate 4*1024*8 collisions (which takes a few hours), taking up 4MB of space in the final file.
To speed this up, I made some small tweaks to FastColl to make it even faster in practice, enabling it to be run in parallel. I'm sure there are smarter ways to parallelise it, but my naive approach is to start N instances simultaneously and wait for the first one to complete, then kill all the others.
Since I've already done the pre-computation, reconfiguring the payload can be done near-instantly. Swapping the state of the pre-computed blocks is done using a technique implemented by Ange Albertini.
Yes. It's not very stealthy at all, nor does it try to be. You can detect the collision blocks using detectcoll.
