itsMe Posted January 2 Share Posted January 2 This is the hidden content, please Sign In or Sign Up How it's work ? I use HWBP to hook VirtualAlloc, Sleep and LoadLibraryA. Why i hook this function ? VirtualAlloc : CobaltStrike & Meterprter is reflective dll as shellcode, with the VirtualAlloc hook we can obtain the real addresse of shellcode in memory Sleep : I hook sleep to use KrakenMask and encrypt all the content of shellcode in memory during sleep LoadLibraryA : I redirect to LdrLoadDll with ret addr spoofing. Some edr can detect malicious LoadLibraryA if the origin of call is not backed on RX present on disk All NT API call was made with indirect syscall and i spoof the ret addr. When the first sleep was called, i free the virtual memory alloced to read the shellcode from file. This is the hidden content, please Sign In or Sign Up Link to comment Share on other sites More sharing options...
.webp.8407a83ac96563f75e1c428a1f0d4c3e.webp)
.webp.9a04cec050a656fab081ac190f971c3f.webp)
Hack Tools Resurrection
itsMe
Recommended Posts