synawk

Junkshell: A naive approach to bypass AV/EDR

Sometimes you need a fast way to encode your shellcode and execute it without being blocked by AV/EDR. Junkshell is a tool that encodes your shellcode and runs it directly in memory by generating a PowerShell script. The best part is that the PowerShell script is different on each generation, so there is no fixed pattern for a signature to match.

Evading AV/EDR mechanisms often involves placing junk code inside shellcode or payloads. This junk code typically consists of NOPs or garbage instructions, and it is an effective way to wear down scanners and emulators that only inspect a bounded amount of code before giving up. In this article I describe a technique that applies the same evasion strategy within PowerShell. Before going into the technique, let's first understand the execution process:

1. To begin, I determine the amount of junk-code space to use. Let's pick a high number, say 15000 bytes (above 10000), to effectively "tire" the AV/EDR mechanisms: a scanner or emulator that stops after a fixed number of bytes or instructions never reaches the real shellcode.

2. Next, I generate the junk code from instructions like:

xor eax, eax
sub eax, 0
xor edx, edx
...

It is essential that every junk instruction occupies the same number of bytes. In this case I use 4 bytes per instruction, which keeps the memory-filling process under control: the shellcode offset is then simply the number of slots times 4. Note that the instructions above encode to two or three bytes each (xor eax, eax is 31 C0, sub eax, 0 is 83 E8 00, xor edx, edx is 31 D2), so a fixed 4-byte slot means padding the shorter ones, for example with 0x90 NOPs, rather than leaving bytes that could decode as something unintended.

3. Now, I allocate memory with malloc equal to the total junk-code size plus the shellcode size. Heap memory returned by malloc is readable and writable but not executable, which is why the protection has to be changed before anything in it runs.

4. Subsequently, I fill the allocated memory with the junk code using memset.

5. Lastly, I write the shellcode into the memory right after the junk, again using memset (since memset writes a single value, that means one call per shellcode byte), and dynamically change the memory protection with VirtualProtect at each insertion of the shellcode. Two things to check before execution enters the buffer: the whole region must end up executable, and the junk must not disturb anything the shellcode relies on (the instructions above only clear registers that position-independent shellcode does not assume).

This technique evades AV/EDR controls by inundating them with meaningless junk code while executing the intended shellcode to achieve the desired objective. Keep in mind what it targets: static and emulation-based scanning of the buffer. A PowerShell script that calls malloc, memset and VirtualProtect and then transfers execution into heap memory is still visible to behavioral controls (AMSI, script block logging, API hooks), which is why this is a naive approach rather than a universal bypass. The next animation explains the previous steps:

[Animation: junk code followed by shellcode]
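The five steps above, as an added example written for this page (it is not code from the junkshell project): a Python generator that builds fixed 4-byte junk slots from real x86 encodings, picks them at random so that every generation differs, and computes the layout of steps 3 to 5 (total allocation size, shellcode offset, and the per-byte write list a memset-based writer would issue). It stops at producing bytes: there is no allocation, protection change or execution, and no PowerShell is emitted. The instruction pool, the NOP padding, the seed parameter, the placeholder payload (eight int3 bytes) and the 10000-byte scan budget are all this example's assumptions.

```python
# Added example for this page; not code from the junkshell project.
import random
from typing import List, Tuple

SLOT_SIZE = 4  # fixed bytes per junk instruction, as in step 2 of the article

# Harmless instructions with their real x86 encodings (valid in 32- and 64-bit
# mode; they only clear eax/ecx/edx). The pool and the choice to pad short
# encodings with 0x90 (NOP) are this example's assumptions, not the tool's.
JUNK_POOL = {
    "xor eax, eax": bytes.fromhex("31c0"),
    "sub eax, 0":   bytes.fromhex("83e800"),
    "xor edx, edx": bytes.fromhex("31d2"),
    "xor ecx, ecx": bytes.fromhex("31c9"),
}
NOP = b"\x90"


def encode_slot(mnemonic: str) -> bytes:
    """Encode one junk instruction and pad it to exactly SLOT_SIZE bytes."""
    raw = JUNK_POOL[mnemonic]
    if len(raw) > SLOT_SIZE:
        raise ValueError(f"{mnemonic!r} does not fit in a {SLOT_SIZE}-byte slot")
    return raw + NOP * (SLOT_SIZE - len(raw))


# Reverse map so a generated fill can be checked before it is ever executed.
_SLOT_TO_NAME = {encode_slot(name): name for name in JUNK_POOL}


def decode_junk(junk: bytes) -> List[str]:
    """Split a junk fill back into its slot mnemonics (round-trip check)."""
    return [_SLOT_TO_NAME[junk[i:i + SLOT_SIZE]]
            for i in range(0, len(junk), SLOT_SIZE)]


def generate_junk(junk_size: int, seed=None) -> Tuple[bytes, List[str]]:
    """Steps 1-2: junk_size bytes made of randomly chosen fixed-size slots.
    junk_size must be a multiple of SLOT_SIZE so the shellcode offset is exact;
    seed=None (the default) draws from OS entropy, giving a new fill per run."""
    if junk_size % SLOT_SIZE:
        raise ValueError("junk_size must be a multiple of SLOT_SIZE")
    rng = random.Random(seed)
    names = sorted(JUNK_POOL)
    chosen = [rng.choice(names) for _ in range(junk_size // SLOT_SIZE)]
    return b"".join(encode_slot(n) for n in chosen), chosen


def build_image(shellcode: bytes, junk_size: int, seed=None) -> Tuple[bytes, int]:
    """Steps 3-5 as a byte layout: the allocation is junk_size + len(shellcode),
    junk fills the front and the shellcode starts at offset junk_size.
    Returns (image, shellcode_offset)."""
    junk, _ = generate_junk(junk_size, seed)
    return junk + shellcode, junk_size


def shellcode_writes(image: bytes, start: int) -> List[Tuple[int, int]]:
    """The (offset, value) pairs a one-byte-per-memset writer issues for the
    shellcode region in step 5; in the real script each write sits between
    VirtualProtect calls and the region must end up executable before use."""
    return [(off, image[off]) for off in range(start, len(image))]


def first_match(image: bytes, signature: bytes, scan_budget: int) -> int:
    """Offset at which a scanner that inspects only the first scan_budget bytes
    finds signature, or -1 when the junk pushes the payload past its budget."""
    return image[:scan_budget].find(signature)


if __name__ == "__main__":
    # Constructed placeholder payload: eight int3 breakpoints, not real shellcode.
    shellcode = b"\xcc" * 8
    image, offset = build_image(shellcode, 15000, seed=1)
    other, _ = build_image(shellcode, 15000, seed=2)
    print(f"allocation {len(image)} bytes, shellcode at offset {offset}")
    print(f"first slots: {decode_junk(image[:12])}")
    print(f"fill differs between generations: {image[:offset] != other[:offset]}")
    print(f"10000-byte scan budget finds payload at: {first_match(image, shellcode, 10000)}")
    print(f"memset writes needed for payload: {len(shellcode_writes(image, offset))}")
```

Run it twice without a seed and the junk region differs each time while the shellcode offset stays at 15000; the scan-budget check shows why the junk size is chosen above the budget a scanner is assumed to have.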

You can check the tool I wrote in Python: https://github.com/amauricio/junkshell