Skip to content

hartl3y94/Dirty-Vanity

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
DirtyVanity
DirtyVanity
 
 
shellcode_template
shellcode_template
 
 
.gitignore
.gitignore
 
 
DirtyVanity.sln
DirtyVanity.sln
 
 
NtCreateUserProcessShellcode.txt
NtCreateUserProcessShellcode.txt
 
 
README.md
README.md
 
 

Repository files navigation

Dirty Vanity

A POC for the new injection technique, abusing windows fork API to evade EDRs.

Usage

DirtyVanity.exe [TARGET_PID_TO_REFLECT]

Runtime steps

  • Allocate and write shellcode to [TARGET_PID_TO_REFLECT]
  • Fork [TARGET_PID_TO_REFLECT] to a new process
  • Set the forked process's start address to the cloned shellcode

Shellcode

The reflected shellcode works with ntdll API. It is generated from the included generation project shellcode_template, curtesy of https://github.com/rainerzufalldererste/windows_x64_shellcode_template

Shellcode customization

To customize the shellcode with ease:

  • Edit the shellcode_template function inside the shellcode_template project, according to the instructions in https://github.com/rainerzufalldererste/windows_x64_shellcode_template
  • Compile it
  • Crop the shellcode_template function bytes using your faivorite PE parsing tool (eg IDA)
  • Those bytes are position independet shellcode. place them in DirtyVanity.cpp
  • Execute DirtyVanity to watch them get Reflected

About

A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass-28417

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 91.0%
  • C++ 9.0%