Anything we do will be printed, sort of unavoidable. That said, we _should_ have configurable alternatives to add entropy and variance to our execution and wire footprints.
Far as debugging the rdi stuff, I'd defer to @zeroSteiner and @OJ.
We definitely need the api resolver and the injection code to get more dynamic given how many sandboxes now fingerprint the resulting stacks, so all I'm favor of these efforts - thanks.

I need some help...I am working on NextGen AV evasion and I am trying to fingerprint where/why the AV is killing my meterpreter. I am using a combination of dprintf() and sleep() to try and figure out what is triggering the AV.

@pussinboots1992 I once did the exact same research and you can find my writeup here. However, even if you can pinpoint what gets flagged, modify and bypass AV, it won't last too long because machine learning based AVs can pick up on that pretty quickly.

@wchen-r7 , thanks awesome write-up ! I will give it a shot.

PS: You mention in the writeup that it was to evade static signatures, but in the case of defender it was using the same static signature in memory that it was using on disk ? Was Defender catching the meterpreter in memory during your tests ? I tend to get past Defender using anti-emulation/sandboxing techniques...

@pussinboots1992: any headway on your end? There's a lot of moving parts there, so a scaffold poll request will let the rest of us review and collaborate with you on implementation.

@pussinboots1992

How can I view debug output and add a pseudo sleep() function in here ? Can someone point me in the right direction ?

Use the _OutputDebugString_ API and fire up _DebugView_ to actually see the results. However I advise to debug properly by injecting a __debugbreak()instruction the reflective loader, then attach a debugger to your payload and it will break where you told it to. Compile with Debug Symbols to save time.

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it.
Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.