This is a brand-new technique for shellcode injection to evade AVs and EDRs

Overview

FunctionStomping


Description

This is a brand-new technique for shellcode injection to evade AVs and EDRs. It is inspired by Module Stomping and shares some similarities with it. As of this date (23-01-2022), hollows-hunter does not detect it either.

The big advantage of this technique is that it doesn't overwrite an entire module or PE, just one function; the target process can still use every other function of the target module.

The disadvantage is that it won't work for every function in the wild (but it will work for most of them); the exact explanation will be in my blog (COMING SOON).
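Because the technique leaves the module mapped and rewrites only the bytes of one function, a defender can look for it by comparing each exported function in the target process against the same function in the module's on-disk image. The following Python is an added example, not code from this project: it implements that byte-level comparison over constructed sample data (the exports FuncA/FuncB/FuncC and their byte patterns are invented for the example). It assumes the two views have already been read into byte strings covering the same range and that the compared range carries no relocation fixups. A short patch at the prologue is labelled separately from a rewrite of the body, because a short prologue jump is also what benign inline hooks look like; that label is a heuristic, not a verdict.

```python
# Added example (not code from the FunctionStomping project): a byte-level
# integrity check that flags a function whose in-memory bytes no longer match
# the module's on-disk image. All input buffers below are constructed inline;
# on a real system they would come from the module file and the target process.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PAGE_SIZE = 0x1000


@dataclass
class Finding:
    function: str
    first_diff: int   # offset of the first differing byte within the function
    span: int         # bytes from the first to the last difference, inclusive
    verdict: str      # "clean", "prologue-patch" or "stomped"


def diff_span(disk: bytes, mem: bytes) -> Optional[Tuple[int, int]]:
    """Return (first, last_exclusive) offsets bounding every differing byte,
    or None when the two views are identical."""
    if len(disk) != len(mem):
        raise ValueError("both views must cover the same function range")
    diffs = [i for i, (a, b) in enumerate(zip(disk, mem)) if a != b]
    if not diffs:
        return None
    return diffs[0], diffs[-1] + 1


def classify(name: str, disk: bytes, mem: bytes, patch_max: int = 16) -> Finding:
    """Label a function as unchanged, as carrying a short patch at its prologue
    (the shape of an ordinary inline hook), or as rewritten over a span large
    enough to hold a payload (the shape of a stomped function)."""
    bounds = diff_span(disk, mem)
    if bounds is None:
        return Finding(name, 0, 0, "clean")
    first, end = bounds
    span = end - first
    if first == 0 and span <= patch_max:
        return Finding(name, first, span, "prologue-patch")
    return Finding(name, first, span, "stomped")


def scan_exports(disk_view: Dict[str, bytes], mem_view: Dict[str, bytes]) -> Dict[str, Finding]:
    """Compare every exported function present in both views."""
    return {name: classify(name, disk_view[name], mem_view[name])
            for name in disk_view if name in mem_view}


# --- constructed sample data (hypothetical exports, not from any real module) --
def fake_function(seed: int, size: int = 64) -> bytes:
    """Stand-in for a 64-byte function body: a common x64 prologue, filler, ret."""
    prologue = bytes.fromhex("4889 5c24 0857 4883 ec20")   # mov [rsp+8],rbx; push rdi; sub rsp,0x20
    body = bytes((seed + i) & 0xFF for i in range(size - len(prologue) - 1))
    return prologue + body + b"\xc3"                        # ret


DISK = {"FuncA": fake_function(1), "FuncB": fake_function(2), "FuncC": fake_function(3)}

# Memory view: FuncA untouched; FuncB starts with a 5-byte relative jump (the
# usual inline-hook shape); FuncC has most of its body replaced by opaque
# constructed filler (0xCC bytes standing in for an unknown payload).
MEM = dict(DISK)
MEM["FuncB"] = b"\xe9\x00\x10\x00\x00" + DISK["FuncB"][5:]
MEM["FuncC"] = b"\xcc" * 48 + DISK["FuncC"][48:]


def run_demo() -> Dict[str, Finding]:
    return scan_exports(DISK, MEM)


if __name__ == "__main__":
    for f in run_demo().values():
        print(f"{f.function:6s} {f.verdict:15s} first_diff={f.first_diff} span={f.span}")
```

On a live system the same comparison is run per export after resolving each export's RVA in both the file and the process; the page-size constant is there because a finding that spans more than one 0x1000 page is worth reporting separately, since the page's own issue tracker shows 4096 bytes as the practical payload limit of this technique.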

Usage

You either include the header to your program like this:

#include <windows.h>            // DWORD
#include "functionstomping.h"

int main() {
    // Obtain the target pid in any way you like and pass it to the function.
    DWORD pid = 3110;
    FunctionStomping(pid);
    return 0;
}

Or use the Rust program (COMING SOON):

cd functionstomping
cargo b
functionstomping.exe <pid>

Setup

Currently, the embedded shellcode just pops a calculator; to run your own, replace the unsigned char shellcode[] array. I used C++17 and VS2019 to compile the program with the C++ header, and Rust 2021 to compile the Rust program (the dependencies are listed in Cargo.toml).

POC

Disclaimer

I'm not responsible in any way for any kind of damage done to your computer or program as a result of this project. This project is currently in alpha and I'm working to make it more stable; please keep that in mind!
If you find that someone published this method before today (23-01-2022), please let me know so I can add an acknowledgment.

Acknowledgments

https://github.com/countercept/ModuleStomping
https://www.cyberark.com/resources/threat-research-blog/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners

Issues
  • [BUG] Failed to change protection [0]

    Hello, I'm currently studying some codes and I ended up here.

    I use Windows x64. I had to compile the cpp using the "-DUNICODE" flag to be able to compile, but when I run the console it does not inject into any pid and brings this error:

    [+] Got process handle!
    [+] Got function base!
    [-] Failed to change protection: 0

    I tried in notepad and others. In Rust, when I compile it says that this program is compatible with 32 bits and not x64, so the normal "cargo b" instruction doesn't work.

    I tried various processes, from notepad to others, and it doesn't work. [screenshot: Screenshot_128]

    Edit: I was able to resolve the architecture error (Windows 10 x64) in Rust by running the following commands:

    rustup target add x86_64-pc-windows-gnu
    cargo build --target x86_64-pc-windows-gnu

    After the test, the calc does not open but in the console everything seems normal. I will continue the tests. The message shows the following: [screenshot: Screenshot_130]

    opened by ghost 2
  • Possible to have > 0x1000 size?

    Hello, neat idea you found there. Is it possible to have more than 4096 bytes available for the shellcode, or is that the maximum? If more is not possible, would it be possible to split it across more functions to achieve the goal?

    enhancement
    opened by rohybnol 1
  • [QUESTIONS] Some victim processes crash without execution

    First of all, thanks for your work and for publishing it along with the very interesting blog post.

    I've been playing a bit with your POC, especially the Rust version, and there is something I'm not fully getting. Depending on the victim process, I get the following results:

    • Majority of processes (e.g. notepad): when the stomped function is called, the shellcode executes (calc pops open) and the victim process crashes with an access violation error.
    • Some processes (e.g. explorer.exe): when the stomped function is called, the process crashes with an access violation error, but the shellcode does not seem to execute (nothing happens, no calc).

    I've tried with a custom shellcode and by changing the targeted function in kernel32.dll, but I always get the same results. So my questions are:

    • Do you know why, for some processes, the shellcode will not execute and the process will just crash? (function used? bad shellcode?)
    • Do you have an idea to get reliable shellcode execution on all processes?

    bug help wanted good first issue
    opened by Scaum 1
Owner
Idov
Pentester and reverse engineer that also likes to create some stuff