AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
This is a shellcode injection technique that works as follows:
1. Start the target process, into which the shellcode will be injected, in a suspended state.
2. Get the AddressOfEntryPoint of the target process.
3. Write the shellcode to the AddressOfEntryPoint retrieved in step 2.
4. Resume the target process.
5. Catch the incoming shell.
What's nice about this technique is that we do not need to allocate RWX memory pages in the victim process, which some EDRs flag.
Attention
Per https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques/issues/36:
At the page on AddressOfEntryPoint Code Injection without VirtualAllocEx RWX, this is not really done without using RWX. As shown in the first picture, the entry point memory page is already under RX permissions, and as shown here, the only reason this method works is because WriteProcessMemory is being nice and trying to change RX to RWX temporarily, which would end up creating an RWX page anyway, essentially making this technique still easily detectable by EDRs that look for RWX regions.
Execution
First, in order to get the AddressOfEntryPoint, we need to get the image base address of the target process, notepad.exe.
We then need to parse out the NT and Optional Headers and find the AddressOfEntryPoint (a Relative Virtual Address) of notepad.exe, which in my case was at 0001bf90.
Knowing notepad's image base address and the RVA of the AddressOfEntryPoint, we can compute its Virtual Address (by adding the two) and hijack the executable by overwriting the very first instructions found at that address with our shellcode.
Resuming the suspended process executes our shellcode, which results in a meterpreter session.
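The following Python is an added example, not code from this article or its author. It reproduces the header walk described above (DOS header, e_lfanew, NT headers, Optional Header, AddressOfEntryPoint), adds the image base to the RVA to get the entry point VA, and then turns the same walk into the check a defender would run against this technique: compare the bytes at a process's live entry point with the bytes at the same RVA in the file on disk, so that an overwritten entry point shows up as a mismatch. Everything it parses is constructed in memory so the script runs offline: build_sample_pe() emits a minimal PE32+ image with one RX .text section, SAMPLE_ENTRY_CODE is a made-up x64 prologue, and the "live" snapshots passed to check_entry_point() are sample data, not reads from a real process. On a real system the disk image would be the mapped file and the snapshot would be read from the process at the computed VA, using the process's actual (ASLR-randomized) base rather than the header's preferred ImageBase.

```python
"""Walk PE headers to AddressOfEntryPoint and verify the entry point against the on-disk image.

Added example, not code from the original article. The PE image is constructed
in memory (build_sample_pe) so the script runs offline.
"""
import struct
from typing import Optional

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """DOS header -> e_lfanew -> NT headers -> Optional Header: return the fields we need."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    file_hdr = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, file_hdr + 2)
    (size_of_opt,) = struct.unpack_from("<H", data, file_hdr + 16)
    opt = file_hdr + 20                                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)  # PE32+: 8-byte ImageBase
    elif magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)  # PE32: 4-byte ImageBase after BaseOfData
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):                                # IMAGE_SECTION_HEADER array, 40 bytes each
        off = opt + size_of_opt + 40 * i
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, off)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "raw": raw, "chars": chars})
    return {"magic": magic, "entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    """Translate an RVA to a file offset through the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["raw"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def entry_point_va(pe: dict, actual_base: Optional[int] = None) -> int:
    """VA = image base + AddressOfEntryPoint. The header's ImageBase is only the preferred
    base; with ASLR, pass the base read from the live process instead."""
    return (actual_base if actual_base is not None else pe["image_base"]) + pe["entry_rva"]


def check_entry_point(disk_image: bytes, memory_bytes: bytes, actual_base: Optional[int] = None) -> dict:
    """Defender's check: do the bytes at the live entry point still match the file on disk?"""
    pe = parse_pe(disk_image)
    off = rva_to_offset(pe, pe["entry_rva"])
    expected = disk_image[off:off + len(memory_bytes)]
    first_diff = next((i for i, (a, b) in enumerate(zip(expected, memory_bytes)) if a != b), None)
    return {"va": entry_point_va(pe, actual_base), "tampered": first_diff is not None, "first_diff": first_diff}


def writable_executable_sections(pe: dict) -> list:
    """Sections whose header flags request both WRITE and EXECUTE (a static RWX indicator)."""
    both = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in pe["sections"] if s["chars"] & both == both]


# Constructed sample entry-point code (an x64 prologue: sub rsp,28h ... add rsp,28h ; ret); not from any real binary.
SAMPLE_ENTRY_CODE = bytes.fromhex("4883ec28488d0d00100000e8000000004883c428c3")


def build_sample_pe(entry_code: bytes = SAMPLE_ENTRY_CODE) -> bytes:
    """Constructed PE32+ image with a single RX .text section; a sample, not a real executable."""
    text_va, text_raw, align = 0x1000, 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # AMD64, 1 section, PE32+ optional header size
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", opt, 16, text_va)                     # AddressOfEntryPoint = start of .text
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # preferred ImageBase
    text_chars = 0x60000020                                      # CNT_CODE | MEM_EXECUTE | MEM_READ
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(entry_code), text_va, align, text_raw, 0, 0, 0, 0, text_chars)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return headers.ljust(text_raw, b"\0") + entry_code.ljust(align, b"\0")


if __name__ == "__main__":
    image = build_sample_pe()
    pe = parse_pe(image)
    print(f"AddressOfEntryPoint RVA {pe['entry_rva']:#x}, VA {entry_point_va(pe):#x}")
    # Simulated live reads: a clean snapshot, then one whose first bytes were overwritten.
    print(check_entry_point(image, SAMPLE_ENTRY_CODE[:16]))                        # tampered False
    print(check_entry_point(image, b"\xcc" * 4 + SAMPLE_ENTRY_CODE[4:16]))         # tampered True, first_diff 0
```

The comparison is deliberately byte-for-byte against the file image rather than against a fixed signature, so it catches any overwrite of the first instructions regardless of what was written; relocations and import thunks do not normally touch the entry-point bytes of a Windows executable, so a mismatch there is a strong signal.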