DripLoader: Evasive shellcode loader for bypassing event-based injection detection
Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection (still added direct syscalls, just so I don’t have to deal with AV). The project is aiming to highlight the limitations of event-driven injection identification, and show the need for more advanced memory scanning and smarter local agent software inventories in EDR.
DripLoader evades common EDRs by:
- using the riskiest APIs possible like NtAllocateVirtualMemory and NtCreateThreadEx
- blending in with call arguments to create events that vendors are forced to drop or log&ignore due to volume
- avoiding multi-event correlation by introducing delays
What does DripLoader do
- Identifies a base address suitable for our payload
- Reserves enough AllocationGranularity (64kB) sized, NO_ACCESS memory segments at the base address
- Loops over those
- Allocating PageSize (4kB) sized, writable segments
- Writing shellcode
- Reprotecting as RX
- Overwrites prologue of one ntdll function in the remote process memory space with a jmp to our base
- Drops a thread on that trampoline
- It’s able to fully bypass many EDR injection detections, including Defender ATP.
- Bypasses simple thread-centric scanners like Get-InjectedThread. Persisting within a process is another story, and this is up to the payload author.
- It is sRDI-compatible, but if your payload creates another local thread you will lose the benefit of the thread start address in ntdll.
To test it out of the box
- XOR your binary shellcode blob file with default key 0x08, name it blob.bin
- place both files in the same directory
- run it and follow the prompts or ./DripLoader.exe <target_pid> <delay_per_step_ms>