DamonMohammadbagher/eBook_Bypassing-Antiviruses-by-C-Programming-v2.0
eBook Bypassing Antiviruses by C# Programming v2.0

Persian Edition

Published by Damon Mohammadbagher

eBook "Bypassing Anti Viruses by C# Programming v2.0" (Persian Edition)

The book is intended for red team, blue team and penetration testing practitioners.

Those who want to purchase the book can do so via

LinkedIn : https://lnkd.in/g7X6HfY5

or email : Damonmohammadbagher@outlook.com

Send your request by email to receive the purchase instructions.

Purchase price of the book: 3,500,000 Toman.

The book is structured like a training course, and almost everything in it is new; it contains more than 30 C# code samples.

More than 30 C# code samples/techniques in the book.

Video for chapter 3 of the eBook => https://www.youtube.com/watch?v=j1rc5G99vwA

Video for chapter 3.4 of the eBook => https://www.youtube.com/watch?v=Jdna6sxsTuM

Video for chapter 4.2 of the eBook => https://www.youtube.com/watch?v=61czPWFhR6o

Video for chapter 4.2 of the eBook (Part 2) => https://www.youtube.com/watch?v=w-3BizF9HYM

Video for chapter 9.2 of the eBook => https://www.youtube.com/watch?v=BqErFhZqxpA

Video for chapter 10 of the eBook => https://www.youtube.com/watch?v=26ZBx5fw25s

Video 2 for chapter 10 of the eBook [detecting the EKKO technique with blue team C# code], link 1 => https://www.youtube.com/watch?v=TMQJ7jMbgQk

Video 2 for chapter 10 of the eBook [detecting the EKKO technique with blue team C# code], link 2 => https://www.aparat.com/v/GtMIi

Table of Contents

Chapter 1 - Encryption & Decryption for Payloads
1.1 Simple Method for Executing Native Code in Memory via API Programming
 CreateThread / WriteProcessMemory / VirtualAlloc, etc.
1.2 Encryption and Decryption for Payloads via RC4
 RC4 encryption in C# with Metasploit payloads.
1.3 Encryption and Decryption for the Payload of a Suspended Thread via XOR
 XOR encryption in C#, VirtualAllocExNuma and VirtualAlloc2, and in-memory decryption for threads, with Metasploit payloads.
Chapter 2 - Executing Native Code in a Local Process
2.1 Local Thread Injection, Classic Method and Indirect/Direct Technique D
 Marshal methods in C# such as Marshal.GetDelegateForFunctionPointer, and invoking C# code in memory via a new method called "Technique D"; bypassing Kaspersky (with the latest updates) and Windows Defender.
2.2 QueueUserAPC API Methods and Indirect/Direct Technique D
 Windows APIs such as QueueUserAPC, combined with Technique D.
2.3 QueueUserAPC Classic Method
 Classic QueueUserAPC in a remote process, the Windows API Monitor tool, and NtQueueApcThread.
Chapter 3 - Executing Native Code in a Local Process (Part 2)
3.1 Simple Method for Executing Native Code in Memory + JMP Method 1
 The jump opcode 0xE9, jumping between payload sections in memory, and bypassing Windows Defender.
3.2 Simple Method for Executing Native Code in Memory + Delegate Method + JMP Method 1
 The jump opcode 0xE9, jumping between payload sections in memory, using C# delegate tricks instead of the CreateThread API, memory protection modes, and bypassing Windows Defender.
3.3 Simple Method for Executing Native Code in Memory + Delegate Method + JMP Method 1 [Part 2]
 The jump opcode 0xE9, jumping between payload sections in memory, using C# delegate tricks instead of the CreateThread API, Marshal.WriteByte, and bypassing Windows Defender.
3.4 Indirect Call of C# Methods in Memory via the Reflection.Emit Jump Method
 A new method for indirectly calling C# code via the Reflection.Emit class, a new jump method via Emit and OpCodes.Jmp, and bypassing Windows Defender.
3.5 Running C# Managed Code in Memory via the CreateThread API
 Calling a C# method directly via the CreateThread API without calling C# methods in code; bypassing Windows Defender.
Chapter 4 - Executing Native Code in a Local Process (Part 3)
4.1 New Approach with New APIs to Execute Payloads in Memory + Async Method, Bypassing Kaspersky
 Using new APIs instead of the old ones with a simple async C# method; bypassing Kaspersky.
4.2 Indirect Invocation of a C# Delegate + JMP Method 2
 A new jump method, indirect invocation of a C# delegate, and bypassing Kaspersky.
4.3 Chunking Cobalt Strike Payloads + Jump Method, Bypassing Kaspersky
 Chunking payloads in memory; bypassing Kaspersky.
Chapter 5 - Executing Native Code in a Remote Process
5.1 Remote Thread Injection (Classic)
 The old (classic) remote injection method.
5.2 Remote Thread Injection + Delegate Method, Bypassing Defender
 Remote injection with the C# delegate method; bypassing Windows Defender without importing APIs such as CreateRemoteThread or VirtualAllocEx.
5.3 Remote Thread Injection + Jump Method, Bypassing Kaspersky + Defender
 A new remote injection method with the jump method, importing the CreateRemoteThread API, and bypassing AVs such as Kaspersky and Windows Defender.
Chapter 6 - [X Technique] via Extension Methods in C#
6.1 X Technique: Changing Code via Extension Methods
 A new method for changing source code without changing its result, using C# extension methods.
Chapter 7 - Sliver C2 and Your C# Code
7.1 When Are Sliver C2 Payloads Good to Use, and When Not?
 The Sliver C2 server and two C# examples.
7.2 Sliver C2 Beacon with mTLS Payloads
 Beacon mode via Sliver C2 payloads with mTLS traffic, in C#.
7.3 Sliver C2 Beacon with HTTPS Payloads
 Beacon mode via Sliver C2 payloads with HTTPS traffic, in C#.
7.4 Using Resources for Hardcoding Large Sliver C2 Payloads
 Hardcoding payloads in C# via resources.
7.5 C# Code for Encrypting Sliver C2 Bin Files
 The XOR method for encrypting C2 payload files.
7.6 Beacon Connections and Active Connections in Sliver C2
 Beacon-mode connections and interactive connections.
7.7 Bypassing ETW and Executing .NET Assembly Code
 Bypassing ETW/AMSI and executing .NET code inside a target process.
Chapter 8 - Native Callback Functions in C#
8.1 Native Callback Functions in C#
 Windows callback functions in C#, and calling C# methods asynchronously via callback functions.
Chapter 9 - Compiling and Running Managed Code In-Memory with C#
9.1 Running C# Managed Code In-Memory with C#
 Running C# assemblies/EXEs inside another managed process.
9.2 Running C# Managed Code In-Memory with C#, Part 2
 Running C# assemblies/EXEs inside another managed process, plus encrypting EXE files sent over HTTP traffic.
9.3 Compiling C# Source Code In-Memory with C#
 Compiling and running C# source code inside another managed process.
Chapter 10 - Detecting Memory Allocation In-Memory via ETW Events (Blue Team)
10.1 ETW and VirtualMemAlloc Events
 Payload detection via ETW VirtualMemAlloc events, using the ETWProcessMon.cs and VirtualMemAllocMon.cs code.
10.2 ETW and VirtualMemAlloc Events, Part 2
 Payload detection via ETW VirtualMemAlloc events, using the ETWProcessMon.cs and VirtualMemAllocMon.cs code.
10.3 ETW and VirtualMemAlloc Events, Part 3
 Payload detection via ETW VirtualMemAlloc events, step by step, using the VirtualMemAllocMon.cs code.
Chapter 11 - Detecting In-Memory Threats via Other ETW Events (Blue Team)
11.1 ETW ImageLoad and TCPIP Events for Detecting Threats In-Memory
 Using ETW DLL load (ImageLoad) events and TCPIP send events to detect threats.
11.2 Detecting Remote Thread Injection and Monitoring the Windows Event Log with C#
 In-memory remote thread injection detection, plus creating Windows event log entries and monitoring them.