A POC for the new injection technique, abusing windows fork API to evade EDRs.
DirtyVanity.exe [TARGET_PID_TO_REFLECT]
- Allocate and write shellcode to [TARGET_PID_TO_REFLECT]
- Fork [TARGET_PID_TO_REFLECT] to a new process
- Set the forked process's start address to the cloned shellcode
The reflected shellcode works with ntdll API. It is generated from the included generation project shellcode_template
,
curtesy of https://github.com/rainerzufalldererste/windows_x64_shellcode_template
To customize the shellcode with ease:
- Edit the
shellcode_template
function inside theshellcode_template
project, according to the instructions in https://github.com/rainerzufalldererste/windows_x64_shellcode_template - Compile it
- Crop the
shellcode_template
function bytes using your faivorite PE parsing tool (eg IDA) - Those bytes are position independet shellcode. place them in
DirtyVanity.cpp
- Execute DirtyVanity to watch them get Reflected