1 file changed +7 -10 lines changed
11# Shellcode Injector
22
3- A proof -of-concept ** shellcode injector** that uses * clean syscalls* to bypass user-mode hooks in ntdll
3+ Proof -of-concept ** shellcode injector** that uses clean syscalls to bypass user-mode hooks in ntdll
44
55## Goals
66
77- ** Activity obfuscation**
88- Inject shellcode into a target process via raw syscalls
9- - ** Bypass** common user-mode hooks on Win32 APIs LoadLibrary, VirtualAlloc, WriteProcessMemory
9+ - Bypass common user-mode hooks on Win32 APIs LoadLibrary, VirtualAlloc, WriteProcessMemory
1010- ** Auto-generate** & embed a shellcode payload that downloads and executes a PE file
1111
1212---
1313
1414## How It Works
1515
16- 1 . Leverages the ** Windows Thread Pool API** to * hide the call-stack* :
17- - The syscall appears to originate from a * trusted* region inside ** ntdll!TpWorker** rather than from our code.
18- 2 . No direct native API calls are made; instead, the injector ** jumps to syscall stubs** discovered in ` ntdll.dll ` .
16+ 1 . Leverages the Windows Thread Pool API to hide the call-stack:
17+ - The syscall appears to originate from a trusted region inside ntdll!TpWorker rather than from our code.
18+ 2 . No direct native API calls are made; instead, the injector jumps to syscall stubs discovered in ntdll.
1919
2020---
2121
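Review bot: the new line 9 runs the API names straight on from the sentence ("hooks on Win32 APIs LoadLibrary, VirtualAlloc, WriteProcessMemory"), which reads as a fragment; suggest "hooks on Win32 APIs (LoadLibrary, VirtualAlloc, WriteProcessMemory)" or a colon before the list. In the same spirit, the new line 18 drops the backticks the old line had around `ntdll.dll` while line 17 keeps ntdll!TpWorker as plain text, so the README now mixes conventions for module and function names; pick one and apply it to both. Finally, line 16's "hide the call-stack" is stated without scope: the document's own framing is bypassing user-mode hooks in ntdll, so it would help readers, and defenders assessing what their telemetry still covers, to say explicitly which observers the call-stack claim is about rather than leaving it as an unqualified statement.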
@@ -36,11 +36,8 @@ A proof-of-concept **shellcode injector** that uses *clean syscalls* to bypass u
3636## Technologies & Dependencies
3737
3838- ** Windows x64** – MSVC / Visual Studio Build Tools
39- - ** NASM** ` -f win64 `
40- - ** Python 3.x** + ** Keystone-engine**
41- ``` bash
42- pip install keystone-engine
43-
39+ - ** NASM** -f win64
40+ - ** Python 3.x** + ** Keystone-engine** pip install keystone-engine
4441
4542---
4643
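Review bot: the new line 40 merges the install command into the bullet text ("Keystone-engine pip install keystone-engine") with no punctuation or code formatting, so it no longer reads as a command; if the fenced block from the old lines 41-43 is being dropped, keep the command in inline code, e.g. "- **Python 3.x** + **Keystone-engine** (`pip install keystone-engine`)". Line 39 likewise loses the backticks around `-f win64`, which made it clear that this is a NASM flag. One more documentation point on the dependency list: the install is unpinned, and the generated payload depends on the assembler the script runs against, so recording the Keystone-engine version the project was tested with (or pinning it in a requirements file) would make the build reproducible for anyone auditing it.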