WMI Virus: Diskless Execution Achieved
2025-01-29
A proof-of-concept project, Stuxnet, demonstrates a novel virus that hides its malicious code within the Windows Management Instrumentation (WMI) repository, achieving diskless execution. The virus uses the WMI repository as a filesystem: a PowerShell script run at boot extracts the stored payload and loads it directly into memory, so no payload file ever touches the disk. The project includes a novel privilege escalation technique and advanced anti-AV evasion techniques, such as on-demand system library loading and dynamic function offset finding, which allow it to evade detection by major antivirus software and sandboxes. The author also hints at potential kernel-space exploit possibilities within WMI.
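From a defender's side, the two things worth auditing on a host after reading the above are (a) WMI permanent event subscriptions, the usual way a script is made to run at boot from the repository, and (b) custom WMI classes holding unusually large string properties, which is what "WMI as a filesystem" looks like from the outside. The script below is an added example written for this page; it is not code from the Stuxnet PoC or any project it references. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets, an elevated session, and the `root\subscription` and `root\default` namespaces; the 1024-character threshold and the function names are assumptions chosen for illustration.

```powershell
# Added defender-side audit (not from the PoC described on this page).
# Requires an elevated PowerShell session; uses only built-in CIM cmdlets.

function Get-WmiPersistence {
    # Enumerate permanent event subscriptions: a __FilterToConsumerBinding ties
    # an __EventFilter (trigger, e.g. a boot-time timer) to an __EventConsumer
    # (action, e.g. a PowerShell command line or embedded script).
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # The Filter/Consumer properties are references; match them by Name.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

        # Pull whatever the consumer would execute, if it carries a payload.
        $payload = $null
        if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
        elseif ($c.ScriptText)      { $payload = $c.ScriptText }

        # Heuristic flag: a consumer that launches PowerShell from WMI is a
        # strong candidate for fileless boot-time execution and needs review.
        $suspicious = $payload -and ($payload -match 'powershell|pwsh|-enc|FromBase64String')

        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            Consumer     = $c.Name
            ConsumerType = $c.CimClass.CimClassName
            Payload      = $payload
            Suspicious   = [bool]$suspicious
        }
    }
}

function Find-LargeWmiStrings {
    # Scan instances of non-system classes in a namespace for string properties
    # large enough to be a stashed payload (encoded binary, script text, ...).
    param(
        [string]$Namespace = 'root\default',   # assumed default; scan others too
        [int]$MinLength    = 1024              # assumed threshold, tune per estate
    )

    Get-CimClass -Namespace $Namespace |
        Where-Object { $_.CimClassName -notlike '__*' } |
        ForEach-Object {
            $cls = $_
            # Some classes are abstract or provider-backed and cannot be
            # enumerated; skip those quietly rather than aborting the scan.
            Get-CimInstance -Namespace $Namespace -ClassName $cls.CimClassName -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $inst = $_
                    foreach ($p in $inst.CimInstanceProperties) {
                        if ($p.Value -is [string] -and $p.Value.Length -ge $MinLength) {
                            [pscustomobject]@{
                                Namespace = $Namespace
                                Class     = $cls.CimClassName
                                Property  = $p.Name
                                Length    = $p.Value.Length
                                Preview   = $p.Value.Substring(0, 64)
                            }
                        }
                    }
                }
        }
}

# Usage: review every binding, then look for oversized strings in the repository.
Get-WmiPersistence    | Format-Table -AutoSize
Find-LargeWmiStrings  | Format-Table -AutoSize
```

The persistence listing should be compared against a known-good baseline (clean hosts normally have very few, often zero, bindings in `root\subscription`); anything returned with `Suspicious = True` deserves a look at the full `Payload` text. The large-string scan only covers one namespace per call, so run it over any namespace a custom provider could write to, and correlate hits with Sysmon Event IDs 19, 20 and 21 (WMI filter, consumer and binding creation) where that telemetry is available.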
Development
antivirus evasion