This exploit is utilising AddressOfEntryPoint of process which is RX and using WriteProcessMemory internal magic to change the permission and write the shellcode. Exploit also using direct syscalls to bypass user-mode hooking of AV/EDRs. This technique is avoiding the usage of VirtualAlloc, VirtualProtect APIs directly inside the code. The working of VirtualProtect will be covered by WPM magic.
The Main Purpose of this program is to highlight the internal working of WriteProcessMemory() not to Bypass EDRs hook. That's why I used WPM() directly into code instead of direct calls, same I used for other APIs in code.
- Get PEB address and pointer to image base address
- Get process image base address
- Read target process image headers
- Get AddressOfEntryPoint (RX region)
- Write shellcode to image entry point and execute it (WPM MAGIC HERE)
- Compile the code in Visual Studio and execute Simple :)
- If you guys face any error while compilation, please make sure MASM should be enabled in your solution file build customization.