Evasive shellcode loader for bypassing event-based injection detection (PoC)
Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project is aiming to highlight limitations of event-driven injection identification, and show the need for more advanced memory scanning and smarter local agent software inventories in EDR.
- `NtAllocateVirtualMemory` and `NtCreateThreadEx`
- `AllocationGranularity` (64kB) sized, NO_ACCESS memory segments at the base address
- `PageSize` (4kB) sized, writable segments
- RX `ntdll` function in the remote process memory space with a jmp to our base

I'll explain some of the thinking here: https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
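The point the project makes is that event data alone misses this layout, so a scanner has to look at memory itself. As an added defender-side example (not code from this project), the following Python checks a snapshot of a process for exactly the artifact described above: an `ntdll` export whose prologue now jumps out of image memory into a private region. It assumes the region list and prologue bytes were collected with `VirtualQueryEx`/`ReadProcessMemory`; the addresses and bytes below are constructed sample data.

```python
import struct
from dataclasses import dataclass

# MEMORY_BASIC_INFORMATION constants
PAGE_NOACCESS, PAGE_READWRITE, PAGE_EXECUTE_READ = 0x01, 0x04, 0x20
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000

@dataclass
class Region:            # one VirtualQueryEx() result
    base: int
    size: int
    protect: int
    mem_type: int

def jmp_target(func_addr, prologue):
    """Decode an overwritten prologue: E9 rel32 (jmp rel) or FF 25 00000000 + imm64
    (jmp [rip+0]). Returns the absolute target, or None if no jmp is present."""
    if prologue[:1] == b"\xe9" and len(prologue) >= 5:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if prologue[:6] == b"\xff\x25\x00\x00\x00\x00" and len(prologue) >= 14:
        return struct.unpack_from("<Q", prologue, 6)[0]
    return None

def region_for(addr, regions):
    return next((r for r in regions if r.base <= addr < r.base + r.size), None)

def find_hijacked_exports(exports, regions):
    """exports: {name: (address, first 16 bytes read from the target process)}.
    Flags exports whose prologue jumps outside MEM_IMAGE memory; a jmp that stays
    inside the mapped image is left alone (legitimate intra-module jumps)."""
    findings = []
    for name, (addr, prologue) in exports.items():
        target = jmp_target(addr, prologue)
        if target is not None:
            r = region_for(target, regions)
            if r is None or r.mem_type != MEM_IMAGE:
                findings.append((name, target, r))
    return findings

# Constructed snapshot shaped like the page's layout: the ntdll image, a 64kB
# PAGE_NOACCESS private base and a 4kB writable segment (addresses are made up).
NTDLL, BASE = 0x7FF800000000, 0x7FF7FFF00000
REGIONS = [
    Region(NTDLL, 0x1F0000, PAGE_EXECUTE_READ, MEM_IMAGE),
    Region(BASE, 0x10000, PAGE_NOACCESS, MEM_PRIVATE),
    Region(BASE + 0x10000, 0x1000, PAGE_READWRITE, MEM_PRIVATE),
]
EXPORTS = {
    "NtClose": (NTDLL + 0x9D000, bytes.fromhex("e9fb2fe6ff") + b"\x90" * 11),   # E9 rel32 -> BASE
    "NtOpenFile": (NTDLL + 0x9D020, bytes.fromhex("4c8bd1b833000000") + b"\x00" * 8),  # intact stub
    "RtlGetVersion": (NTDLL + 0x20000, bytes.fromhex("e9fb000000") + b"\x00" * 11),  # jmp within ntdll
}

if __name__ == "__main__":
    for name, target, r in find_hijacked_exports(EXPORTS, REGIONS):
        where = "unmapped" if r is None else f"{r.size:#x}-byte region, protect {r.protect:#x}"
        print(f"{name}: prologue jumps to {target:#x} ({where})")
```

On a live system the same check is what a periodic memory scan can do and a thread-creation event cannot: the new thread's start address really is inside `ntdll`, and only the bytes at that address give it away.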
Evades `Get-InjectedThread`. Persisting within a process is another story, and this is up to the payload author.

The payload should be `sRDI`-compatible, but if your payload creates another local thread you will lose the benefit of the thread start address being in `ntdll`.
To test it out of the box, use `blob.bin`. I attached an example MessageBox blob for your pleasure; be aware though that its size is unrealistically small for a payload.