■ ■ ■ ■ ■ ■
ThreadStackSpoofer/main.cpp
| skipped 198 lines |
| 199 | 199 | | if (!VirtualProtect(alloc, shellcode.size() + 1, Shellcode_Memory_Protection, &old)) |
| 200 | 200 | | return false; |
| 201 | 201 | | |
| 202 | | - | /* |
| 203 | | - | * We're not setting these pointers to let the hooked sleep handler figure them out itself. |
| 204 | | - | * |
| 205 | | - | g_fluctuationData.shellcodeAddr = alloc; |
| 206 | | - | g_fluctuationData.shellcodeSize = shellcode.size(); |
| 207 | | - | g_fluctuationData.protect = Shellcode_Memory_Protection; |
| 208 | | - | */ |
| 209 | | - | |
| 210 | 202 | | shellcode.clear(); |
| 211 | 203 | | |
| 212 | 204 | | // |
| skipped 12 lines |
| 225 | 217 | | // running our shellcode from a legitimate user thread callback, we can simply run a thread pointing to our |
| 226 | 218 | | // method and we'll instead jump to the shellcode from that method. |
| 227 | 219 | | // |
| 228 | | - | // After discussion I had with @waldoirc we came to the conclusion that in order not to bring other IOCs it is better |
| | 220 | + | // After discussion I had with @waldoirc we came to the conclusion that in order not to bring new IOCs it is better |
| 229 | 221 | | // to start shellcode from within EXE's own code space, thus avoiding detections based on `ntdll!RtlUserThreadStart+0x21` |
| 230 | 222 | | // being an outstanding anomaly in some environments. Shout out to @waldoirc for our really long discussion! |
| 231 | 223 | | // |
| skipped 57 lines |
Mariusz B. / mgeeky
committed
3 years ago
1 parent c3613586