non_ms_binaries

Code snippet to create a process using the "PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON" flag, which blocks 3rd party DLLs to be injected in it (such as EDR DLLs), allowing only Microsoft DLLs to be injected.

Then it injects shellcode in the spawned process using (VirtualAllocEx + WriteProcessMemory + VirtualProtectEx + CreateRemoteThread + QueueUserAPC):

calc: It creates Notepad process and the hardcoded payload spawns the calculator.
dropper: It creates Notepad process and downloads the payload from a remote server.

Sources:

https://github.com/leoloobeek/csharp/
Rastamouse's RTO2 course

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
calc		calc
dropper		dropper
README.md		README.md
image.png		image.png

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

calc

calc

dropper

dropper

README.md

README.md

image.png

image.png

Repository files navigation

non_ms_binaries

Sources:

About

Releases

Sponsor this project

Packages

Languages

ricardojoserf/non-ms-binaries

Folders and files

Latest commit

History

Repository files navigation

non_ms_binaries

Sources:

About

Topics

Resources

Stars

Watchers

Forks

Sponsor this project

Languages