EVA2

Another version of EVA using anti-debugging techs && using Syscalls

First thing: Dont Upload to virus total. this note is for you and not for me. if you wanna keep this code effective, and u want to use it to bypass windows defender, DONT UPLOAD IT TO VIRUS TOTAL OR ANY OTHER WEBSITE LIKE IT, else read the note at line 11 in EVA1

REQUIREMENTS:

• visual studio 2019 [ it may work with visual studio 2017 ]
• cobalt strike [ take a look at my repo cobalt-wipe ]
• python2 for the encoder

USAGE:

• load this profile : googledrive_getonly.profile in cobaltstrike : ./teamserver <lhost> <pass> <path to googledrive_getonly.profile>
• create your shellcode [use https] (x64 x86 wont work) using cobalt-strike [check my cobalt-wipe repo]
• place your shellcode inside encoder.py [preferably change the keys] and run it using python2
• after encoder.py output your encrypted shellcode copy and paste it inside EVA.cpp
• if u want to inject to another process uncomment line 45 not recommended tho
• build the code using visual studio 2019 - Release - x64 x86 wont work
• enjoy

Features:

• New Profile for the connection of the C&C of cobalt strike, the profile is from here
• anti debugging tech
• encoded shellcode
• decryption & injection of the shellode happens in the memory [byte by byte] and thus, less chance to get detected
• using syscalls

DEMO:

[+] You can do your self a favour and disable Automatic Sample Submission in windows defender:

special thanks for:

• My friend @NoOne-hub for helping me in adding the syscalls
• @mhaskar for Shellcode-In-Memory-Decoder in which i implemented the whole code on it... in this repo and in the first one.
• @hasherezade for antianalysis_demos
• @jthuraisamy for SysWhispers2

LICENSE: GNU General Public License v3.0

My Empty Ethereum Wallet (No jokes) : 0x1B4944030818392D76672f583884F4A125A4415e