A shellcode obfuscation technique using existing files on the target machine
This is a shellcode obfuscation technique that uses a file which already exists on the target computer. You will need an exact, byte-for-byte copy of the file you are targeting. As such this is not meant as a general "out of the box" obfuscation technique, but rather one that is specifically tailored to one particular target system. It is also possible to upload your own file to the target system and use that to generate your payload.
There are two parts to this - the constructor and the executor:
The constructor is meant to be run on the attacker's own machine. It contains the actual plaintext shellcode. This repo comes with two examples, both generated by msfvenom: the calc payload and a reverse shell. Generate whatever payload you want from msfvenom using the `-f csharp` option and paste the output into the `constructor.c` file. It must be in a `const unsigned char Payload[] {}` array as per the examples.
Then pick a file on the attacker's machine (this is why you need an exact byte-for-byte copy of a file on the victim's machine) that you want to use. The program will iterate through the chosen file and look for each byte of the array above, noting down the position at which it is found. For example, if the first byte is `FC`, it will search the target file for the byte `FC` and print out the position in the target file at which it is found (on my system, using the target file `notepad.exe`, the byte `FC` is the 266th byte in notepad). If the program cannot find the byte it will say so.
The constructor will print out an array that you need to copy into the executor.
For the executor, take the array that was generated by the constructor and paste it (including the array name) into `executor.c`. There is an example in there to follow. Change the `PBYTE bFilePath` variable to the same target file as you used for the constructor. The executor will iterate through the target file, extract the bytes at the positions specified by `Positions[]`, and write them to a buffer. It will then do a classic shellcode injection using `VirtualAlloc`/`VirtualProtect` to execute it.
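For analysts who recover an executor sample built this way, the following Python helper (an added example, not part of this repo) parses a `Positions[]` initializer out of C source and rebuilds the bytes it indexes from a reference file, returning `None` when a position falls outside the file, which is the usual symptom of the reference copy not being byte-for-byte identical to the one the constructor used. The `unsigned int Positions[] = { ... };` declaration style is an assumption (only the array name is given above), and all data in the block is constructed.

```python
import re
from typing import Optional

# Constructed stand-in for the reference file (the README uses notepad.exe);
# this is not a real binary, just bytes to index into.
REFERENCE = b"constructed stand-in for notepad.exe: not a real binary\x00\x90\xcc\x00"

# Constructed fragment shaped like the array the constructor emits for executor.c.
# The declaration style is an assumption; only the name Positions[] is given.
SAMPLE_EXECUTOR_SRC = """
// generated by constructor
unsigned int Positions[] = { 2, 0, 7, 56, 57 };
"""

_POSITIONS_RE = re.compile(r"Positions\s*\[\s*\]\s*=\s*\{([^}]*)\}", re.DOTALL)


def parse_positions(c_source: str) -> list[int]:
    """Extract the integer initializer list of Positions[] from C source text.
    Accepts decimal or hex literals; returns an empty list if no array is found."""
    m = _POSITIONS_RE.search(c_source)
    if not m:
        return []
    return [int(tok, 0) for tok in m.group(1).split(",") if tok.strip()]


def recover_payload(reference: bytes, positions: list[int]) -> Optional[bytes]:
    """Rebuild the encoded buffer by reading reference[pos] for each position.

    Returns None if any position lies outside the reference file. Because the
    scheme depends on a byte-for-byte identical file, an out-of-range index (or
    garbage output) is the usual sign that the analyst's copy of the file is a
    different build than the one the constructor was run against."""
    out = bytearray()
    for pos in positions:
        if pos < 0 or pos >= len(reference):
            return None
        out.append(reference[pos])
    return bytes(out)


if __name__ == "__main__":
    positions = parse_positions(SAMPLE_EXECUTOR_SRC)
    print("positions:", positions)
    print("recovered:", recover_payload(REFERENCE, positions))
```

Before trusting the recovered bytes, confirm the reference file's hash matches the copy on the affected host, since a different build of the same executable silently yields a different buffer.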
Windows Defender will obviously pick up the constructor, as it contains the payload in plain text, but this is designed to run only on the attacker's machine so it is irrelevant.
For the executor, Windows Defender currently pops up the "Defender wants to submit this to Microsoft for analysis" prompt but lets it run. This has been tested with the msfvenom calc payload and an msfvenom reverse shell payload.