abutbul / Dirty-Vanity

A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass-28417


Dirty Vanity

A POC for the new injection technique, abusing the Windows fork API to evade EDRs.

Usage

DirtyVanity.exe [TARGET_PID_TO_REFLECT]

Runtime steps

  • Allocate and write shellcode to [TARGET_PID_TO_REFLECT]
  • Fork [TARGET_PID_TO_REFLECT] to a new process
  • Set the forked process's start address to the cloned shellcode

Shellcode

The reflected shellcode relies only on the ntdll API. It is generated from the included generation project shellcode_template, courtesy of https://github.com/rainerzufalldererste/windows_x64_shellcode_template

Shellcode customization

To customize the shellcode with ease:

  • Edit the shellcode_template function inside the shellcode_template project, according to the instructions in https://github.com/rainerzufalldererste/windows_x64_shellcode_template
  • Compile it
  • Crop the shellcode_template function bytes using your favorite PE parsing tool (e.g. IDA)
  • Those bytes are position-independent shellcode; place them in DirtyVanity.cpp
  • Execute DirtyVanity to watch them get reflected


Languages

C 91.0%, C++ 9.0%