Skip to content

deepinstinct/Dirty-Vanity

BranchesTags

Repository files navigation

Dirty Vanity

A POC for the new injection technique, abusing windows fork API to evade EDRs.

Usage

DirtyVanity.exe [TARGET_PID_TO_REFLECT]

Runtime steps

  • Allocate and write shellcode to [TARGET_PID_TO_REFLECT]
  • Fork [TARGET_PID_TO_REFLECT] to a new process
  • Set the forked process's start address to the cloned shellcode

Shellcode

The reflected shellcode works with ntdll API. It is generated from the included generation project shellcode_template, curtesy of https://github.com/rainerzufalldererste/windows_x64_shellcode_template

Shellcode customization

To customize the shellcode with ease:

  • Edit the shellcode_template function inside the shellcode_template project, according to the instructions in https://github.com/rainerzufalldererste/windows_x64_shellcode_template
  • Compile it
  • Crop the shellcode_template function bytes using your faivorite PE parsing tool (eg IDA)
  • Those bytes are position independet shellcode. place them in DirtyVanity.cpp
  • Execute DirtyVanity to watch them get Reflected

About

A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass-28417

Resources

Readme
Activity
Custom properties

Stars

620 stars

Watchers

5 watching

Forks

83 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages