Using Thread Description To Hide Shellcode
Thread Description Poisoning is a technique I came up with after publishing 0x41; the project didn't get much attention because I was dead back then, anyways ... This PoC uses the SetThreadDescription and GetThreadDescription functions to hide the payload from memory scanners. Of course I added some extra spice to it; this is, however, not a loader made as-is to evade AVs, but a PoC to represent the idea ...

The PoC works as follows:
CreateTimerQueueTimer to do so, and using Cobalt Strike shellcode
Sleep function using Detours
GetTargetThreadToStore
NOACCESS, then we read the shellcode in memory, convert it to a UTF-16 string, set the original shellcode location to 0's, and call SetThreadDescription passing the UTF-16 encoded shellcode.
GetThreadDescription, and paste back to the base address, decrypt (run whatever the shellcode wants to run), and do all the stuff again
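A defender-side check for the idea above, added here as an example and not part of the PoC: the portable function scores a UTF-16 thread description for traits an ordinary thread name never has (great length, C0/C1 control units, a large byte alphabet), and the Windows-only part walks every thread with GetThreadDescription and scores each description. The thresholds are assumptions, the sample name and the LCG blob are constructed inputs, and scan_thread_descriptions is a hypothetical helper that needs Windows 10 1607+ (build with _WIN32_WINNT 0x0A00).

```c
#include <stddef.h>
#include <stdint.h>
/* Real thread names are short, have no C0/C1 control units and use a small byte
 * alphabet; a blob reinterpreted as UTF-16 fails one of these (assumed thresholds). */
int description_is_suspicious(const uint16_t *d, size_t max_units)
{
    size_t units = 0, control = 0, distinct = 0;
    unsigned char seen[256] = {0};
    for (uint16_t u; units < max_units && (u = d[units]) != 0; units++) {
        seen[u & 0xFF] = seen[u >> 8] = 1;
        if ((u < 0x20 && u != '\t') || (u >= 0x7F && u <= 0x9F)) control++;
    }
    for (int b = 0; b < 256; b++) distinct += seen[b];
    return units > 1024 || control * 20 > units || (units >= 16 && distinct > 128);
}
/* Constructed samples: an ordinary name, and LCG noise standing in for an opaque
 * blob reinterpreted as UTF-16 (not real shellcode). */
const uint16_t sample_name[] = { 'M','a','i','n','W','o','r','k','e','r',
                                 'T','h','r','e','a','d', 0 };
const uint16_t *constructed_blob(size_t n)                 /* n <= 256 */
{
    static uint16_t buf[256];
    for (uint32_t i = 0, x = 0x1234567u; i < n && i < 256; i++) {
        x = x * 1664525u + 1013904223u;
        buf[i] = (uint16_t)(x >> 16 ? x >> 16 : 1);          /* never 0x0000 */
    }
    return buf;
}
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* Windows 10 1607+ (_WIN32_WINNT >= 0x0A00): score every thread's description. */
int scan_thread_descriptions(void)
{
    int hits = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te = { .dwSize = sizeof te };
    for (BOOL ok = Thread32First(snap, &te); ok; ok = Thread32Next(snap, &te)) {
        HANDLE th = OpenThread(THREAD_QUERY_LIMITED_INFORMATION, FALSE, te.th32ThreadID);
        PWSTR desc = NULL;
        if (th && SUCCEEDED(GetThreadDescription(th, &desc)) && desc) {
            hits += description_is_suspicious((const uint16_t *)desc, 1u << 20);
            LocalFree(desc);
        }
        if (th) CloseHandle(th);
    }
    CloseHandle(snap);
    return hits;
}
#endif
```

The byte-alphabet test only becomes meaningful after a few hundred units; a short blob is caught only by the control-unit or length checks, so treat the verdict as one signal to correlate with others.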