ShadowMccc/MemoryEvasion

MemoryEvasion

A Cobalt Strike memory evasion loader for red teamers. Supports x86 and x64 staged and stageless payloads generated with a profile (tested on Windows 7, Windows 10 and Windows Server 2012).

How does it evade?

  • Hook Sleep, CreateProcessA, HeapCreate and GetProcessHeap before the shellcode is loaded into memory.
  • Create a separate heap for Beacon's profile. When Beacon calls GetProcessHeap or HeapCreate, return the handle of that heap instead.
  • When Beacon calls Sleep, encrypt the memory where Beacon and its profile live; when the sleep interval ends, decrypt them again before returning to Beacon.

Why hook GetProcessHeap and HeapCreate

  • 64-bit Beacon calls GetProcessHeap and allocates the storage for its profile from the process heap.
  • 32-bit Beacon does not call GetProcessHeap for this. It calls HeapCreate to create a new heap and allocates the storage for its profile from that heap.
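
The three steps above, and the x64/x86 heap difference, as an added example that is not the MemoryEvasion project's code. It is a portable simulation: a real loader installs the hooks on the Win32 imports (for example by patching the IAT or with inline trampolines) before the shellcode runs, whereas here the "hooks" are plain functions and function pointers, the Windows heap is a fixed arena, the Beacon image and profile are constructed byte arrays, and the stand-in for the real Sleep scans memory the way a scanner would while Beacon is idle. The mask is a byte-wise XOR with a constructed key; the names hooked_Sleep, hooked_GetProcessHeap, hooked_HeapCreate, heap_alloc, add_masked_region and run_sleep_mask_demo are assumptions of this example.

```c
/* Added example, not the MemoryEvasion project's own code: portable
 * simulation of hooking Sleep/GetProcessHeap/HeapCreate and masking
 * Beacon plus its profile heap while Beacon sleeps. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Private arena standing in for the heap created for Beacon's profile. */
#define PROFILE_HEAP_SIZE 4096
static uint8_t profile_heap[PROFILE_HEAP_SIZE];
static size_t  profile_heap_used;

/* Both hooked heap APIs hand Beacon the private arena, so wherever the
 * profile is stored, its location is known and can be masked. */
static void *hooked_GetProcessHeap(void) { return profile_heap; }  /* x64 Beacon path */
static void *hooked_HeapCreate(void)     { return profile_heap; }  /* x86 Beacon path */

/* Stand-in for HeapAlloc on that handle: a bump allocator. */
static void *heap_alloc(void *heap, size_t n) {
    if (heap != (void *)profile_heap || profile_heap_used + n > PROFILE_HEAP_SIZE)
        return NULL;
    void *p = profile_heap + profile_heap_used;
    profile_heap_used += n;
    return p;
}

/* Regions XORed while Beacon sleeps. The hook code, the key and this table
 * must live outside them: whatever is encrypted cannot run the decrypt. */
typedef struct { uint8_t *base; size_t len; } region_t;
#define MAX_REGIONS 4
static region_t masked[MAX_REGIONS];
static size_t   masked_count;
static const uint8_t mask_key[16] = {   /* constructed key; use a fresh one per sleep */
    0x5a,0xc3,0x17,0x8e,0x29,0xf4,0x63,0xb1,0x0c,0x7d,0xe8,0x36,0xa5,0x9f,0x52,0x6b };

static int add_masked_region(void *base, size_t len) {
    if (masked_count == MAX_REGIONS) return 0;
    masked[masked_count].base = base;
    masked[masked_count].len  = len;
    masked_count++;
    return 1;
}

static void xor_region(const region_t *r) {
    for (size_t i = 0; i < r->len; i++)
        r->base[i] ^= mask_key[i % sizeof mask_key];
}

typedef void (*sleep_fn)(unsigned ms);
static sleep_fn original_Sleep;   /* the loader points this at the real Sleep */

/* The Sleep hook: encrypt, wait, decrypt. XOR with the same key restores. */
static void hooked_Sleep(unsigned ms) {
    for (size_t i = 0; i < masked_count; i++) xor_region(&masked[i]);
    original_Sleep(ms);
    for (size_t i = 0; i < masked_count; i++) xor_region(&masked[i]);
}

/* ---- demo harness with constructed data ---- */
static const char MARKER[] = "BEACON-CONFIG";   /* string a scanner would look for */
static uint8_t fake_beacon_image[256];
static int plaintext_seen_during_sleep;

static int region_contains_marker(const region_t *r) {
    size_t m = strlen(MARKER);
    for (size_t i = 0; i + m <= r->len; i++)
        if (memcmp(r->base + i, MARKER, m) == 0) return 1;
    return 0;
}

/* Replaces the real Sleep: instead of waiting, scans the masked regions
 * the way a memory scanner would while Beacon is idle. */
static void scanning_Sleep(unsigned ms) {
    (void)ms;
    for (size_t i = 0; i < masked_count; i++)
        if (region_contains_marker(&masked[i])) plaintext_seen_during_sleep = 1;
}

/* One sleep cycle. Returns 1 only if nothing readable was visible during
 * the sleep AND both the image and the profile were restored afterwards. */
int run_sleep_mask_demo(int x64, int use_hook) {
    profile_heap_used = 0; masked_count = 0; plaintext_seen_during_sleep = 0;
    memset(fake_beacon_image, 0x90, sizeof fake_beacon_image);
    memcpy(fake_beacon_image + 32, MARKER, sizeof MARKER);

    void *heap = x64 ? hooked_GetProcessHeap() : hooked_HeapCreate();
    char *profile = heap_alloc(heap, 64);
    if (!profile) return 0;
    memcpy(profile, MARKER, sizeof MARKER);

    add_masked_region(fake_beacon_image, sizeof fake_beacon_image);
    add_masked_region(profile_heap, profile_heap_used);   /* only the used part */

    original_Sleep = scanning_Sleep;
    if (use_hook) hooked_Sleep(5000); else original_Sleep(5000);

    region_t img  = { fake_beacon_image, sizeof fake_beacon_image };
    region_t prof = { profile_heap, profile_heap_used };
    int restored = region_contains_marker(&img) && region_contains_marker(&prof);
    return !plaintext_seen_during_sleep && restored;
}

int main(void) {
    printf("x64, hooked Sleep  : %s\n", run_sleep_mask_demo(1, 1) ? "hidden" : "EXPOSED");
    printf("x86, hooked Sleep  : %s\n", run_sleep_mask_demo(0, 1) ? "hidden" : "EXPOSED");
    printf("x64, unhooked Sleep: %s\n", run_sleep_mask_demo(1, 0) ? "hidden" : "EXPOSED");
    return 0;
}
```

The unhooked run shows why the Sleep hook matters: with the same image and profile in place, the scan during the sleep finds the plaintext marker. The private heap is what makes the profile maskable at all; if Beacon's profile went into the real process heap, the loader would have to encrypt a heap shared with every other allocation in the process, or miss the profile entirely. A symmetric XOR keeps the example short; anything that is reversible with a key held outside the masked regions works the same way.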

Demo

DEMO
