APC Queue Injection Rust EDR Evasion Bypass

  • Added 21. 07. 2024
  • APC Queue Injection (EDR Evasion) implemented in Rust is a remote process code injection technique for malware development, red teaming, pentesting, and ethical hacking.
    Link to my blog post: fluxsec.red/apc-queue-injecti...
    Link to my GitHub project: github.com/0xflux/Rust-APC-Qu...
    LEGAL DISCLAIMER
    Any content posted here is for ethical purposes only, I do not condone the use of offensive cyber security for any purpose which breaks the law or harms others, and I do not condone or permit any user to take learning, or code samples from this blog, and use them for illegal or ethically questionable activity. This blog is strictly for educational purposes, and for the furthering of my own knowledge.
    You may NOT under any circumstance use any code, theory, or information from my video and use it in a manner which is illegal, unethical or that harms any living being. You may not use any code or information from this blog to do anything on a system that you do not have the full explicit permission of the system owner to do. I cannot be held responsible for the actions of others who consume this information. I post these blogs specifically to help encourage and motivate people to learn offensive cyber security for the greater good of society and our cyber defences. I am also blogging to document my growth and to consolidate learning.
  • Science & Technology

Comments • 4

  • @shivenkumarmishra3805 · 21 days ago

    Bro, when you do a syscall from a higher ring to the kernel, how do you hook the IAT table using your own DLL, or inject it, or just use the naive approach like the Nt/Zw functions?

    • @FluxSec · 21 days ago

      Do you mean how I have done it for this video? If so, you don't need to hook IATs / use syscalls for this; the shellcode looks at the PEB for the addresses of the Kernel32 API functions (not Zw / Nt).

  • @shivenkumarmishra3805 · 21 days ago

    Is an APC similar to an interrupt?

    • @FluxSec · 21 days ago

      If an APC is issued by the kernel, it will interrupt the thread; otherwise, if calling from usermode (like we are here), the APC queue waits for a thread to naturally become alertable, which happens when it calls SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, or WaitForSingleObjectEx.