PrintSpoofer obfuscation with Themida
Today I will show how to obfuscate a program with Themida.
In this case, I use PrintSpoofer.exe to obfuscate with Themida, and to some extent this might bypass antivirus on Windows Server.
PrintSpoofer is an exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10.
The original PrintSpoofer file is detected by 53/70 engines on VirusTotal.
Setup
So I obfuscate PrintSpoofer using Themida.
In Protection Options, choose Compress and Encrypt.
Then we wait until it is done.
VirusTotal
Finally, we upload it to VirusTotal once more, and it is detected by 24/71 engines (53 down to 24, not that bad).
As can be seen, Microsoft recognizes the original as SpoofPrnt; after obfuscation it no longer identifies it as PrintSpoofer, but still recognizes it as Sabsik.
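The Compress and Encrypt options used in the Setup section are what drop the signature hit count: the scanner no longer sees the original code bytes, only a packed blob. That same transformation leaves a static artifact a defender can key on, because compressed or encrypted section data has byte entropy close to the 8-bit maximum while ordinary code and data do not. The following is an added example, not code from the post or from Themida, that walks a PE section table and flags high-entropy sections. The 7.2 bits/byte threshold, the 256-byte minimum section size, the section names .text and .pack, and the minimal PE image builder used as sample input are all constructed assumptions for the example; no real binary is touched.

```python
import hashlib
import math
import struct
from collections import Counter

# Analyst rule of thumb (assumption, not from the post): a section whose byte
# entropy approaches the 8-bit maximum is almost certainly compressed or
# encrypted, which is exactly what Themida's Compress and Encrypt options do.
PACKED_ENTROPY_THRESHOLD = 7.2
MIN_SECTION_BYTES = 256  # tiny sections give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the PE section table and return [(name, raw_bytes), ...].

    Only the fields needed to locate raw section data are read: e_lfanew,
    NumberOfSections, SizeOfOptionalHeader, SizeOfRawData and PointerToRawData.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_header_size
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess_packing(pe: bytes):
    """Flag sections whose entropy indicates compressed/encrypted content."""
    report = []
    for name, data in parse_sections(pe):
        ent = shannon_entropy(data)
        report.append({
            "section": name,
            "size": len(data),
            "entropy": round(ent, 2),
            "suspicious": len(data) >= MIN_SECTION_BYTES and ent >= PACKED_ENTROPY_THRESHOLD,
        })
    return report


# --- Constructed sample input (scaffolding, not a real binary) ----------------

def build_sample_pe(sections):
    """Assemble a minimal, non-runnable PE image around the given sections.

    Only the header fields our parser reads are populated, so the example
    runs offline without touching any real executable.
    """
    num = len(sections)
    coff = struct.pack("<HHIIIHH", 0x8664, num, 0, 0, 0, 0, 0x22)  # no optional header
    headers_len = (0x40 + 4 + len(coff) + 40 * num + 0x1FF) & ~0x1FF  # 512-byte align
    table, blobs, ptr = b"", b"", headers_len
    for name, data in sections:
        table += name.ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
        table += b"\0" * 16  # relocation/line-number fields and Characteristics
        blobs += data
        ptr += len(data)
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    image = dos_header + b"PE\0\0" + coff + table
    return image.ljust(headers_len, b"\0") + blobs


def pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted section."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# A repetitive instruction-like pattern (low entropy, like ordinary code) next
# to a SHA-256 stream (near 8 bits/byte, like a packed or encrypted section).
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x48\x89\xe5\x48\x83\xec\x20" * 300),
    (b".pack", pseudo_random_bytes(b"constructed-seed", 4096)),
])

if __name__ == "__main__":
    for row in assess_packing(SAMPLE_PE):
        print(row)
```

Run against the constructed image, .text scores around 2.5 bits/byte and is left alone, while .pack scores above 7.9 and is flagged. The check is deliberately signature-free: it does not care which tool did the packing, which is why it survives the kind of re-wrapping that dropped the VirusTotal count above, and it is cheap enough to run on every new executable dropped on a server before anything decides to execute it.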
POC
First, we download and run the original PrintSpoofer, but Microsoft detects it and deletes it. Next, we download and execute the obfuscated PrintSpoofer, which Microsoft does not detect.
We tested on Microsoft Windows Server 2022 Standard Evaluation [10.0.20348 N/A Build 20348]
Antimalware Client Version: 4.18.2207.7, Engine Version: 1.1.19600.3, Antivirus Version: 1.375.781.0, Antispyware Version: 1.375.781.0