Evasive shellcode loader for bypassing event-based injection detection (PoC)

Overview

(cleaned up version here: https://github.com/xinbailu/DripLoader-Ops)

DripLoader (PoC)

Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project aims to highlight the limitations of event-driven injection identification, and to show the need for more advanced memory scanning and smarter local agent software inventories in EDR.

DripLoader evades common EDRs by:

  • using the most risky APIs possible like NtAllocateVirtualMemory and NtCreateThreadEx
  • blending in with call arguments to create events that vendors are forced to drop, or to log and ignore, due to volume
  • avoiding multi-event correlation by introducing delays

What does DripLoader do

  • Identifies a base address suitable for our payload
  • Reserves enough AllocationGranularity (64kB) sized, NO_ACCESS memory segments at the base address
  • Loops over those
    • Allocating PageSize (4kB) sized, writable segments
    • Writing shellcode
    • Reprotecting as RX
  • Overwrites prologue of one ntdll function in the remote process memory space with a jmp to our base
  • Drops a thread on that trampoline
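The steps above leave two scannable artefacts: single RX pages committed one at a time inside a 64kB-aligned private reservation, and an ntdll prologue whose jmp lands in memory backed by no loaded module. As an added example (not DripLoader's own code), here are defender-side heuristics for both, run over a constructed snapshot shaped like VirtualQueryEx output; all addresses, module ranges and the patched prologue bytes are constructed.

```c
/* Added example (not DripLoader's code): scanner heuristics for the two artefacts
 * the steps above leave behind, run over a constructed VirtualQueryEx-like snapshot. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define WIN_PAGE_SIZE 0x1000u
#define WIN_ALLOC_GRANULARITY 0x10000u
/* Windows constants as reported in MEMORY_BASIC_INFORMATION. */
enum { MEM_COMMIT = 0x1000, MEM_RESERVE = 0x2000, MEM_PRIVATE = 0x20000, MEM_IMAGE = 0x1000000, PAGE_EXECUTE_READ = 0x20 };
typedef struct { uint64_t base, alloc_base, size; uint32_t state, protect, type; } region_t;
typedef struct { uint64_t base, size; } module_t;   /* a loaded image */
/* Constructed snapshot: one 64kB private reservation holding two dripped RX
 * pages (reserved regions report Protect 0), plus an ordinary image page. */
static const region_t SAMPLE[] = {
    {0x7ffc10000000, 0x7ffc10000000, 0x1000, MEM_COMMIT,  PAGE_EXECUTE_READ, MEM_PRIVATE},
    {0x7ffc10001000, 0x7ffc10000000, 0x2000, MEM_RESERVE, 0,                 MEM_PRIVATE},
    {0x7ffc10003000, 0x7ffc10000000, 0x1000, MEM_COMMIT,  PAGE_EXECUTE_READ, MEM_PRIVATE},
    {0x7ffc10004000, 0x7ffc10000000, 0xC000, MEM_RESERVE, 0,                 MEM_PRIVATE},
    {0x7ffc20001000, 0x7ffc20000000, 0x1000, MEM_COMMIT,  PAGE_EXECUTE_READ, MEM_IMAGE},
};
static const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];
static const module_t MODULES[] = { {0x7ffc20000000, 0x200000} };  /* constructed ntdll range */
/* Constructed patched prologue: E9 rel32 from 0x7ffc20001000 to 0x7ffc10000000. */
static const uint8_t PATCHED[5] = {0xE9, 0xFB, 0xEF, 0xFF, 0xEF};

/* Count single RX pages committed inside a 64kB-aligned private reservation
 * that still has reserved siblings: the drip pattern, one page at a time. */
int count_dripped_pages(const region_t *r, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].state != MEM_COMMIT || r[i].type != MEM_PRIVATE) continue;
        if (r[i].protect != PAGE_EXECUTE_READ || r[i].size != WIN_PAGE_SIZE) continue;
        if (r[i].alloc_base % WIN_ALLOC_GRANULARITY != 0) continue;
        for (size_t j = 0; j < n; j++)
            if (j != i && r[j].alloc_base == r[i].alloc_base && r[j].state == MEM_RESERVE) {
                hits++; break;
            }
    }
    return hits;
}

/* Flag a prologue at code_va that starts with a rel32 JMP whose target is backed by no
 * loaded module: an EDR hook lands in the vendor DLL, a trampoline into dripped memory does not. */
bool prologue_jumps_to_unbacked(const uint8_t *code, uint64_t code_va,
                                const module_t *mods, size_t nmods) {
    if (code[0] != 0xE9) return false;
    int32_t rel; memcpy(&rel, code + 1, sizeof rel);
    uint64_t target = code_va + 5 + (int64_t)rel;   /* rel32 is relative to the next instruction */
    for (size_t m = 0; m < nmods; m++)
        if (target >= mods[m].base && target < mods[m].base + mods[m].size) return false;
    return true;
}
```

On a live system the region list comes from walking VirtualQueryEx and the module list from the target's loaded-module enumeration; the prologue bytes are read from the remote process and compared against the same export in the on-disk ntdll.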

I'll explain some of the thinking here: https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection

And so

  • It's able to fully bypass many EDR injection detections, including Defender ATP.
  • Bypasses simple thread-centric scanners like Get-InjectedThread. Persisting within a process is another story, and this is up to the payload author.
  • It is sRDI-compatible, but if your payload creates another local thread you will lose the benefit of the thread start address being in ntdll.

To test it out of the box

  • compile/download
  • XOR your binary shellcode blob file with default key 0x08, name it blob.bin
  • place both files in the same directory
  • run it and follow the prompts or ./DripLoader.exe <target_pid> <delay_per_step_ms>

I attached an example MessageBox blob for your pleasure; be aware though that its size is unrealistically small for a payload.

ASCII arts are essential for tools like this to work.

Issues
  • question

    hello. it's me again :p

    so this time I ain't wasting time, and jumping directly to development, and adding modifications. but I noticed it is getting detected as Driploz ... whatever. even tho I just compiled it. (I was not testing it with a pid or so). my question is, and since it is being detected statically and not during run time, what do you think the cause is? (I'll be changing the xor key, both AllocationGranularity & PageSize sizes as a first attempt)

    I'm asking this to gain some time, so if you could help, and directly jump to the cause, I'll be thankful.

    thanks for this code!

    opened by ORCA666 10
  • can u add more documentation about the first steps

    so I have a problem, I downloaded it, compiled it, I fired notepad as a process to get its pid, and here is what happened:

    so it needed around 1800 min?! what did I do wrong, and where to put my shellcode? I don't know a lot of cpp :( seeking your help!

    documentation question 
    opened by ORCA666 4
  • Usage help

    I will be using shellcode.bin generated with Donut. I can rename this to blob.bin, but I am unsure about how to perform the XOR with the default key 0x08.

    Thanks in advance for your help.

    opened by Simon-Davies 1