NtRemoteLoad: inject shellcode into another process
NtRemoteLoad
Remote shellcode injector, based on HWSyscalls by ShorSec, leveraging undetectable (currently) indirect native syscalls to inject shellcode into another process, creating a thread and executing it.
Usage
.\NtRemoteLoad.exe <path_to_shellcode_file> <remote_process_pid>
Detection
Testing it against the API monitor by Rohitab shows the following detection for Native syscalls:
This is fairly good, though NtCreateFile could also be hidden but I have not seen a reason to change it yet.
On the other hand, testing it against Defender for Endpoint EDR trial with a Havoc C2 beacon payload yields the following detection:
Executing the payload
Getting the callback
Visibility
This is also fairly good as these are just events, meaning the blue team would need Threat Hunting or SIEM to actually detect it.
Disclaimer: The information/files provided in this repository are strictly intended for educational and ethical purposes only. The techniques and tools are intended to be used in a lawful and responsible manner, with the explicit consent of the target system’s owner. Any unauthorized or malicious use of these techniques and tools is strictly prohibited and may result in legal consequences. I am not responsible for any damages or legal issues that may arise from the misuse of the information provided.
