Another version of EVA using anti-debugging techniques and syscalls
License: GNU General Public License v3.0
EVA2
First thing: do not upload this to VirusTotal. This note is for you, not for me. If you want to keep this code effective and use it to bypass Windows Defender, DO NOT UPLOAD IT TO VIRUSTOTAL OR ANY SIMILAR WEBSITE (samples submitted there are shared with AV vendors); otherwise, read the note at line 11 in EVA1.
REQUIREMENTS:
Visual Studio 2019 [ it may also work with Visual Studio 2017 ]
Cobalt Strike [ take a look at my cobalt-wipe repo ]
Python 2 for the encoder (encoder.py) [ note that Python 2 reached end of life in January 2020 ]
USAGE:
Load the profile googledrive_getonly.profile in Cobalt Strike: ./teamserver <lhost> <pass> <path to googledrive_getonly.profile>
Generate your shellcode with Cobalt Strike [ check my cobalt-wipe repo ]; use an HTTPS listener and x64 only (x86 will not work)
Place your shellcode inside encoder.py (preferably change the keys) and run it with Python 2
Copy the encrypted shellcode that encoder.py prints and paste it inside EVA.cpp
If you want to inject into another process, uncomment line 45 [ not recommended ]
Build the code with Visual Studio 2019, Release configuration, x64 (x86 will not work)
Enjoy
Features:
A new Malleable C2 profile (googledrive_getonly.profile) for the connection to the Cobalt Strike C&C; the profile is from here
Anti-debugging techniques
Encoded shellcode
Decryption and injection of the shellcode happen in memory [ byte by byte ], so the decoded payload is never written to disk and there is less chance of detection
Syscalls
DEMO:
[+] You can do yourself a favour and disable Automatic Sample Submission in Windows Defender (otherwise Defender may upload the binary to Microsoft for analysis):
EVA2.-.DEMO.mp4
Special thanks to:
My friend @NoOne-hub for helping me add the syscalls