DripLoader
Evasive shellcode loader for bypassing injection detection.
Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project is aiming to highlight limitations of event-driven injection identification, and show the need for more advanced memory scanning and smarter local agent software inventories in EDR.
DripLoader evades common EDRs by:
- using the most risky APIs possible like NtAllocateVirtualMemory and NtCreateThreadEx
- blending in with call arguments to create events that vendors are forced to drop or log&ignore due to volume
- avoiding multi-event correlation by introducing delays
What does DripLoader do:
- Identifies a base address suitable for our payload
- Reserves enough AllocationGranularity (64kB) sized, NO_ACCESS memory segments at the base address
- Allocating PageSize (4kB) sized, writable segments
- Writing shellcode
- Reprotecting as RX
- Overwrites prologue of one ntdll function in the remote process memory space with a jmp to our base
- Drops a thread on that trampoline