13 Apr, 2022

The epitome of evasion! A custom shellcode

Shellcode injection is one of the most widely used defence evasion techniques: the shellcode is injected into volatile memory, so no traces of the exploitation are left on disk. Apart from the injector itself, shellcode injection can be called fileless or partially fileless malware; since no files are dropped on the system, the chances of detection are low. However, shellcodes generated by tools like msfvenom are highly detectable because their signatures are well known. But what if a custom shellcode is created and injected into memory? The signatures of custom shellcodes are unknown to AV/EDR; moreover, shellcode is machine instructions, which is very hard to analyse inside a victim process that contains thousands of lines of machine code. The only detection that remains possible is through the injection APIs on which EDRs have placed hooks, but bypassing this API hooking is a separate discussion...
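The paragraph above makes the defender's problem explicit: a custom shellcode has no signature to match, so detection has to rest on something other than the bytes. Besides the hooked injection APIs the post mentions, the injected payload leaves a structural artefact in the victim process: committed, executable memory that is not backed by an image on disk, often with read-write-execute protection. The following Python is an added example written for this page (not code from the post or its author) showing that memory-region triage. The `Region` records and the `SAMPLE_REGIONS` list are constructed to look like the output of a `VirtualQueryEx` walk; on a live Windows host they would come from that call, and the `MEM_*`/`PAGE_*` constants are the real Win32 values.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Win32 MEMORY_BASIC_INFORMATION constants (real values from the Windows SDK)
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000     # allocated with VirtualAlloc/VirtualAllocEx, no backing file
MEM_MAPPED = 0x40000      # file/section mapping that is not a PE image
MEM_IMAGE = 0x1000000     # mapped PE image (EXE/DLL loaded from disk)

PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
# Modifier bits such as PAGE_GUARD (0x100) can be OR'ed in; the mask below
# ignores them and only asks "can this page execute?"
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    """One entry of a VirtualQueryEx walk over a target process (constructed here)."""
    base: int
    size: int
    state: int          # MEM_COMMIT / MEM_RESERVE / ...
    mem_type: int       # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    protect: int        # PAGE_* protection currently in force
    mapped_path: str = ""   # backing file for image/mapped regions, "" if none


def is_executable(protect: int) -> bool:
    return bool(protect & EXECUTABLE_MASK)


def triage_region(r: Region) -> List[str]:
    """Return the injection indicators that apply to a single region.

    Only committed, executable memory is interesting: that is the only place
    injected shellcode can actually run from.
    """
    findings: List[str] = []
    if r.state != MEM_COMMIT or not is_executable(r.protect):
        return findings
    if r.mem_type == MEM_PRIVATE:
        findings.append("private executable memory (no backing file on disk)")
    if r.mem_type == MEM_MAPPED:
        findings.append("executable non-image mapping")
    if r.protect & PAGE_EXECUTE_READWRITE:
        findings.append("RWX protection")
    return findings


def scan(regions: List[Region]) -> List[Tuple[int, List[str]]]:
    """Triage every region and keep only those with at least one indicator."""
    hits = []
    for r in regions:
        findings = triage_region(r)
        if findings:
            hits.append((r.base, findings))
    return hits


# Constructed sample: what a walk over a process might look like. The first
# three regions are normal; the last three are the shapes an injected payload
# typically produces.
SAMPLE_REGIONS = [
    Region(0x7FF9_A000_0000, 0x1F0000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ,
           r"C:\Windows\System32\ntdll.dll"),                 # legitimate code
    Region(0x0000_0200_0000, 0x100000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),  # heap
    Region(0x0000_0300_0000, 0x10000, MEM_RESERVE, MEM_PRIVATE, 0),               # reserved only
    Region(0x0000_0180_0000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),
    Region(0x0000_0190_0000, 0x2000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ),
    Region(0x0000_01A0_0000, 0x3000, MEM_COMMIT, MEM_MAPPED, PAGE_EXECUTE_READ, ""),
]


if __name__ == "__main__":
    for base, findings in scan(SAMPLE_REGIONS):
        print(f"0x{base:016X}: " + "; ".join(findings))
```

The check deliberately never looks at the shellcode bytes, which is why it does not care whether the payload came from msfvenom or was hand-written. The trade-off is precision: JIT runtimes (.NET, browsers, Java) also create private executable memory, so a hit is an indicator to correlate with process identity and the API telemetry the post describes, not a verdict on its own.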