AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
Code Injection
PreviousNtCreateSection + NtMapViewOfSection Code InjectionNextModule Stomping for Shellcode Injection
Last updated
Code Injection
Last updated
This is a shellcode injection technique that works as follows:
Start a target process into which the shellcode will be injected, in suspended state.
Get AddressOfEntryPoint of the target process
Write shellcode to AddressOfEntryPoint retrieved in step 2
Resume target process
Catch the incoming shell
What's nice about this technique is that we do not need to allocate RWX memory pages in the victim process which some EDRs may not like.
Attention
Per https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques/issues/36.
At the page on AddressOfEntryPoint Code Injection without VirtualAllocEx RWX, this is not really done without using RWX. As shown in the first picture, the entrypoint memory page is already under RX permissions, and as shown here, the only reason this method works is because WriteProcessMemory is being nice and trying to change RX to RWX temporarily, which would end up creating an RWX page anyways, essentially making this technique still easily detectable by EDRs that look for RWX regions.
First, in order to get AddressOfEntryPoint, we need to get the image base address of the target process - notepad.exe:
We then need to parse out the NT and Optional Headers and find the AddressEntryPoint (Relative Virtual Address) of the notepad.exe which in my case was at 0001bf90:
Knowing notepad's image base address and an RVA of the AddressEntryPoint, we can get its Virtual Address (by adding the two up) and hijack the executable by overwriting the very first instructions found at that address with our shellcode:
Resuming the suspended process executes our shellcode which results in a meterpreter session:
