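--- a/ThreadStackSpoofer/main.cpp
+++ b/ThreadStackSpoofer/main.cpp
@@ -199,14 +199,6 @@
 if (!VirtualProtect(alloc, shellcode.size() + 1, Shellcode_Memory_Protection, &old))
 return false;
 
-/*
-* We're not setting these pointers to let the hooked sleep handler figure them out itself.
-*
-g_fluctuationData.shellcodeAddr = alloc;
-g_fluctuationData.shellcodeSize = shellcode.size();
-g_fluctuationData.protect = Shellcode_Memory_Protection;
-*/
-
 shellcode.clear();
 
 //
@@ -225,7 +217,7 @@
 // running our shellcode from a legitimate user thread callback, we can simply run a thread pointing to our
 // method and we'll instead jump to the shellcode from that method.
 //
-// After discussion I had with @waldoirc we came to the conclusion that in order not to bring other IOCs it is better
+// After discussion I had with @waldoirc we came to the conclusion that in order not to bring new IOCs it is better
 // to start shellcode from within EXE's own code space, thus avoiding detections based on `ntdll!RtlUserThreadStart+0x21`
 // being an outstanding anomaly in some environments. Shout out to @waldoirc for our really long discussion!
 //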