Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection (still added direct syscalls, just so I don't have to deal with AV). The project is aiming to highlight limitations of event-driven injection identification, and show the need for more advanced memory scanning and smarter local agent software inventories in EDR.
Steps:

- `NO_ACCESS` memory segments at the base address
- `PageSize` (4 kB) sized, writable segments
- An `ntdll` function in the remote process memory space with a `jmp` to our base
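As an added example (not part of this project or its author's code), here is the kind of memory-scan check the README argues EDRs need instead of event-only detection: it walks a constructed region snapshot and flags single-page writable regions whose allocation starts with a `NO_ACCESS` region, and flags `ntdll` exports whose first instruction is a `jmp` leaving the module. All addresses, region layouts and export bytes are invented for the example; a real scanner would read them with `VirtualQueryEx` and `ReadProcessMemory`.

```python
# Added defender-side example (not DripLoader code): a heuristic memory scan run
# over a constructed snapshot that mirrors the layout described in the steps above.
PAGE_SIZE = 0x1000
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
WRITABLE = {PAGE_READWRITE, PAGE_EXECUTE_READWRITE}

# Constructed addresses (assumptions, not real values from any process).
DRIP_BASE = 0x7FF9F0000000
NTDLL_BASE, NTDLL_SIZE = 0x7FFA00000000, 0x200000

# Constructed region snapshot: (base, size, protect, allocation_base).
REGIONS = [
    (0x7FF600000000, 0x10000, PAGE_READWRITE, 0x7FF600000000),      # ordinary RW block
    (DRIP_BASE, PAGE_SIZE, PAGE_NOACCESS, DRIP_BASE),                # NO_ACCESS page at base
    (DRIP_BASE + 0x1000, PAGE_SIZE, PAGE_READWRITE, DRIP_BASE),      # 4 kB writable page
    (DRIP_BASE + 0x2000, PAGE_SIZE, PAGE_NOACCESS, DRIP_BASE),
    (DRIP_BASE + 0x3000, PAGE_SIZE, PAGE_EXECUTE_READWRITE, DRIP_BASE),  # 4 kB RWX page
]

def find_dripped_pages(regions):
    """Return bases of page-sized writable regions inside an allocation that begins NO_ACCESS."""
    noaccess_allocs = {alloc for base, size, prot, alloc in regions
                       if prot == PAGE_NOACCESS and base == alloc}
    return [base for base, size, prot, alloc in regions
            if size == PAGE_SIZE and prot in WRITABLE and alloc in noaccess_allocs]

# Constructed first 5 bytes of two ntdll exports: one clean stub, one patched with
# "E9 rel32" (jmp) pointing at the writable page above.
EXPORTS = {
    "NtClose": (NTDLL_BASE + 0x9D0C0, bytes.fromhex("4c8bd1b80f")),   # mov r10,rcx; mov eax,..
    "NtCreateFile": (NTDLL_BASE + 0x9D1A0, b"\xe9"
                     + (DRIP_BASE + 0x1000 - (NTDLL_BASE + 0x9D1A0 + 5)).to_bytes(4, "little", signed=True)),
}

def find_hooked_exports(exports, mod_base, mod_size):
    """Return {export: target} for exports whose first instruction is a rel32 jmp leaving the module."""
    hooked = {}
    for name, (addr, code) in exports.items():
        if code[0] != 0xE9:
            continue
        target = addr + 5 + int.from_bytes(code[1:5], "little", signed=True)
        if not (mod_base <= target < mod_base + mod_size):
            hooked[name] = target
    return hooked

if __name__ == "__main__":
    print("suspicious pages:", [hex(b) for b in find_dripped_pages(REGIONS)])
    print("hooked exports:", {k: hex(v) for k, v in find_hooked_exports(EXPORTS, NTDLL_BASE, NTDLL_SIZE).items()})
```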
I'll explain the thinking behind each step in a blog post coming end of the week.
Notes:

- sRDI-compatible, but if your payload creates another local thread you will lose the benefit of the thread start address in Get-InjectedThread. Persisting within a process is another story, and this is up to the payload author.
- To test it out of the box I attached an example MessageBox blob for your pleasure; be aware though that its size is unrealistically small for a payload.
ASCII arts are essential for tools like this to work