How To Modify a Tool to Make a PE Loader

I want to show how to repurpose BetterSafetyKatz to load any PE executable file and then obfuscate it to evade Defender.

I’m not a super good programmer yet, if you asked make any program that is beyond very basic from scratch I won’t be able to do it without looking for examples of how other people have done it. However I know enough to understand the source code and I often think how can I modify it to do something I want.

I decided to look into the code of BetterSafetyKatz cause I found it interesting, it basically downloads a zip file, extracts the mimikatz PE from the zip file, does some obfuscation then loads it in memory. What if I modify it a bit so that we can load any PE file?

I’m going to download BetterSafetyKatz and open the project in Visual Studio.

The first thing I want to remove is the High Integrity check, while this makes sense as mimikatz ideally should be run as administrator here we want to run a PE file as any user so I’m going to remove the code that checks if the user is running in High Integrity.

Note: Make sure to delete the closing bracket of the else statement that was removed.

Next, here is the part of the code that fetches mimikatz from github if not path or url is supplied.

Since I dont want to download mimikatz, i’m going to rewrite this part so that it just exits if no url or path was specified.

Next here is the part of the code that unzips the zip file to extract mimikatz.

The base64 string decodes to “x64/mimikatz.exe” i’m going to change this so that it just extracts a file named “pe.exe”

Now I run the code to make sure there is no errors.

Now lets do some obfuscation so that we can load our PE executable and evade Defender, I already showed how to do this in my previous Medium article.

To not repeat myself too much in summary:

• I ran InvisibilityCloak python script to rename the project and reverse all strings, in this case renamed the project “ChaosPE”.
• I replaced the following words that may trigger Defender detection: “SharpSploit”, “Token”, “Utilities”, “Helpers”, “MiniDump”, “NtRead” and “NtWrite”.
• Compiled the project to make sure it works

Now I’m going to disable Real Time Monitoring and use DefenderCheck to check if Defender detects it as malicious.

It doesn’t! Now lets test our loader.

I’m going to make a meterpreter reverse shell in msfvenom and saved it pe.exe then put it in a zip file and then start a python http server.

Now I’m going start msfconsole and start multi handler so that it catches our meterpreter reverse shell.

Now I’m going to enable Real Time Monitoring copy ChaosPE.exe to another folder that is not excluded in Defender and then run it with the url to the zip file containing our reverse shell.

And we get our meterpreter reverse shell without triggering Defender!

This shell works pretty well however if we tried to load the kiwi module or use getsystem it does trigger Defender so this may still get caught if we are not careful with behavioral detection.

I only used meterpreter as an example but we can load any PE file now! I already showed a method to get a Havoc C2 agent past Defender in another medium article using a powershell shellcode runner and amsi bypass but you can also use this to load havoc agents.