Evasive shellcode loader for bypassing event-based injection detection (PoC)

(cleaned up version here: https://github.com/xinbailu/DripLoader-Ops)

DripLoader (PoC)


Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project aims to highlight the limitations of event-driven injection identification, and to show the need for more advanced memory scanning and smarter local agent software inventories in EDR.


DripLoader evades common EDRs by:

  • using the most risky APIs possible like NtAllocateVirtualMemory and NtCreateThreadEx
  • blending in with call arguments to create events that vendors are forced to drop, or to log and ignore, because of their volume
  • avoiding multi-event correlation by introducing delays

What does DripLoader do

  • Identifies a base address suitable for our payload
  • Reserves enough AllocationGranularity (64kB) sized, NO_ACCESS memory segments at the base address
  • Loops over those
    • Allocating PageSize (4kB) sized, writable segments
    • Writing shellcode
    • Reprotecting as RX
  • Overwrites prologue of one ntdll function in the remote process memory space with a jmp to our base
  • Drops a thread on that trampoline

I'll explain some of the thinking here: https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection

And so

  • It's able to fully bypass many EDR injection detections, including Defender ATP.
  • Bypasses simple thread-centric scanners like Get-InjectedThread. Persisting within a process is another story, and this is up to the payload author.
  • It is sRDI-compatible, but if your payload creates another local thread you will lose the benefit of thread start address in ntdll.
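What the steps above leave behind in the target, seen from the memory-scanner side the README says EDR needs: a 64 kB private reservation holding page-sized RX islands next to still-reserved space, and an ntdll export whose prologue no longer matches the file on disk. The following is an added example, not code from the DripLoader project. It runs the two checks a scanner would add (unbacked executable memory grouped by allocation base, and a disk-versus-memory prologue comparison) over a constructed VirtualQueryEx-style region listing and constructed prologue bytes, so it runs offline; the Region type, the addresses and the byte strings are assumptions made for the example, and on a live system the records would come from VirtualQueryEx and ReadProcessMemory.

```python
# Added example (not part of the DripLoader project): memory-scanner-side checks
# for the layout the loader leaves behind. Input is a constructed, VirtualQueryEx-
# style region listing so the script runs offline.
from dataclasses import dataclass
from typing import Dict, List

# MEMORY_BASIC_INFORMATION constants, values as defined in the Windows SDK
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
EXECUTABLE_PROTECTS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE* without guard/nocache bits
ALLOCATION_GRANULARITY = 0x10000  # 64 kB: the reserve size the README describes
PAGE_SIZE = 0x1000                # 4 kB: the commit size the README describes


@dataclass
class Region:
    base: int         # BaseAddress
    alloc_base: int   # AllocationBase, shared by every page of one reservation
    size: int         # RegionSize
    state: int        # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    protect: int      # Protect (undefined for MEM_RESERVE; ignored there)
    type: int         # MEM_PRIVATE / MEM_IMAGE / MEM_MAPPED


def private_executable_regions(regions: List[Region]) -> List[Region]:
    """Committed executable pages not backed by an image or mapped file.
    Thread-start checks such as Get-InjectedThread never look here, and a
    thread started on an ntdll trampoline has a legitimate start address."""
    return [r for r in regions
            if r.state == MEM_COMMIT and r.type == MEM_PRIVATE
            and r.protect in EXECUTABLE_PROTECTS]


def dripped_allocations(regions: List[Region]) -> Dict[int, dict]:
    """Group regions by AllocationBase and flag 64 kB-aligned private reservations
    whose committed pages are page-sized RX islands next to reserved space.
    Returns {alloc_base: {"rx_pages": n, "reserved_bytes": m}} for each hit."""
    groups: Dict[int, List[Region]] = {}
    for r in regions:
        groups.setdefault(r.alloc_base, []).append(r)
    hits: Dict[int, dict] = {}
    for alloc_base, parts in groups.items():
        if alloc_base % ALLOCATION_GRANULARITY or any(p.type != MEM_PRIVATE for p in parts):
            continue  # image/mapped memory or an unaligned base: not this pattern
        rx_pages = [p for p in parts if p.state == MEM_COMMIT
                    and p.protect in EXECUTABLE_PROTECTS and p.size % PAGE_SIZE == 0]
        reserved = sum(p.size for p in parts if p.state == MEM_RESERVE)
        if rx_pages and reserved:
            hits[alloc_base] = {"rx_pages": sum(p.size // PAGE_SIZE for p in rx_pages),
                                "reserved_bytes": reserved}
    return hits


def prologue_redirected(on_disk: bytes, in_memory: bytes) -> bool:
    """Compare the first 16 bytes of an exported function with the on-disk copy
    and report whether the live copy now starts with an unconditional jump
    (E9 rel32, FF 25 [rip+disp32], or mov rax,imm64 ; jmp rax)."""
    if on_disk[:16] == in_memory[:16]:
        return False
    head = in_memory[:16]
    return (head[0] == 0xE9 or head[:2] == b"\xff\x25"
            or (head[:2] == b"\x48\xb8" and head[10:12] == b"\xff\xe0"))


# Constructed sample listing: an ntdll image section, a heap, and one 64 kB
# private reservation at 0x1e0000 with two dripped-in 4 kB RX pages. All
# addresses are made up for the example.
SAMPLE_REGIONS = [
    Region(0x7ff800001000, 0x7ff800000000, 0x100000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),
    Region(0x400000, 0x400000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),
    Region(0x1e0000, 0x1e0000, PAGE_SIZE, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE),
    Region(0x1e1000, 0x1e0000, PAGE_SIZE, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE),
    Region(0x1e2000, 0x1e0000, 0xe000, MEM_RESERVE, 0, MEM_PRIVATE),
]

# Constructed prologue bytes: a generic "mov r10,rcx ; mov eax,imm32 ; syscall ; ret"
# stub on disk (immediate is a placeholder) versus a live copy whose first five
# bytes have become a jmp rel32.
CLEAN_PROLOGUE = bytes.fromhex("4c8bd1b8000000000f05c3") + b"\xcc" * 5
PATCHED_PROLOGUE = b"\xe9\x00\x00\x00\x00" + CLEAN_PROLOGUE[5:]

if __name__ == "__main__":
    for r in private_executable_regions(SAMPLE_REGIONS):
        print(f"unbacked RX page at {r.base:#x} ({r.size:#x} bytes)")
    print("dripped allocations:", dripped_allocations(SAMPLE_REGIONS))
    print("ntdll prologue redirected:", prologue_redirected(CLEAN_PROLOGUE, PATCHED_PROLOGUE))
```

The allocation-level grouping is what separates this layout from ordinary JIT or packer memory: a JIT usually commits its whole region, while the dripped reservation keeps reserved space beside isolated committed RX pages. The prologue comparison is independent of where the thread started, which is the property the README's thread-centric scanner example lacks.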

To test it out of the box

  • compile/download
  • XOR your binary shellcode blob file with the default key 0x08 and name it blob.bin
  • place both files in the same directory
  • run it and follow the prompts or ./DripLoader.exe <target_pid> <delay_per_step_ms>

I attached an example MessageBox blob for your pleasure; be aware though that its size is unrealistically small for a payload.

ASCII art is essential for tools like this to work.

Comments
  • question


    Hello, it's me again :p

    So this time I'm not wasting time, and am jumping directly to development and adding modifications, but I noticed it is getting detected as Driploz... whatever, even though I just compiled it (I was not testing it with a PID or so). My question is, since it is being detected statically and not during run time, what do you think the cause is? (I'll be changing the XOR key, and both the AllocationGranularity and PageSize sizes, as a first attempt.)

    I'm asking this to gain some time, so if you could help and jump directly to the cause, I'll be thankful.

    Thanks for this code!

  • can u add more documentation about the first steps


    So I have a problem. I downloaded it, compiled it, fired up notepad as a process to get its PID, and here is what happened:

    1111

    22222

    So it needed around 1800 min?! What did I do wrong, and where do I put my shellcode? I don't know a lot of C++ :( Seeking your help!

  • Usage help


    I will be using shellcode.bin generated with Donut. I can rename this to blob.bin, but I am unsure about how to perform the XOR with the default key 0x08.

    Thanks in advance for your help.
