Skip to content

florylsk/NtRemoteLoad

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 

Repository files navigation

NtRemoteLoad

Remote shellcode injector, based on HWSyscalls by ShorSec, leveraging undetectable (currently) indirect native syscalls to inject shellcode into another process, creating a thread and executing it.

Disclaimer: The information/files provided in this repository are strictly intended for educational and ethical purposes only. The techniques and tools are intended to be used in a lawful and responsible manner, with the explicit consent of the target system's owner. Any unauthorized or malicious use of these techniques and tools is strictly prohibited and may result in legal consequences. I am not responsible for any damages or legal issues that may arise from the misuse of the information provided.

Usage

.\NtRemoteLoad.exe <path_to_shellcode_file> <remote_process_pid>

Detection

Testing it against API monitor by Rohitab shows the following detection for Native syscalls:

NtRemoteLoad4

Which is fairly good, though NtCreateFile could also be hidden but I have not seen a reason to change it yet.

On the other hand, testing it against Defender for Endpoint EDR trial with a Havoc C2 beacon payload yields the following detection:

Executing the payload

NtRemoteLoad2

Getting the callback

NtRemoteLoad1

Visibility

NtRemoteLoad3

Which is also fairly good as these are just events, meaning the blue team would need Threat Hunting or SIEM to actually detect it.