C# loader that copies the shellcode into the memory of a suspended process one chunk at a time rather than all at once.
Based on the Process Hollowing technique.
Uses P/Invoke to copy an encoded shellcode into the memory of a suspended process and then decode it in place, byte by byte, afterwards.
ProgramAmsiEtwPatch.cs also patches AmsiScanBuffer and EtwEventWrite.
Yes, the code is shit, but meh, so what; it's not like I have the whole day to write good PoCs.
Tested with a Meterpreter staged reverse HTTPS payload (encode_shellcode.cs, or the py version, is the code I used to encode the raw one):
ProgramAmsiEtwPatch.cs against SentinelOne (used the Babel .NET obfuscator, free version, twice on the resulting exe)
Program.cs against Defender
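Added example, not code from this repo: a Python sketch of the encode, chunked write, then byte-by-byte decode sequence described above, replayed against a local bytearray instead of a suspended process (no process creation or injection). The README does not state which scheme encode_shellcode.cs / the py version uses, so the rolling XOR, the key and the 64-byte chunk size are assumptions, and the payload bytes are a constructed placeholder, not shellcode.

```python
# Added example (assumptions): rolling-XOR encoder plus a simulation of the
# loader's write-one-chunk / decode-one-byte sequence. The bytearray below
# stands in for the suspended process's memory region; nothing here touches
# another process.

CHUNK_SIZE = 64          # assumption: bytes per simulated WriteProcessMemory call
KEY = b"ChangeMe"        # assumption: multi-byte XOR key

# Constructed stand-in for a raw payload; deliberately not real shellcode.
RAW_PAYLOAD = bytes((i * 37 + 11) & 0xFF for i in range(200))


def encode(raw: bytes, key: bytes = KEY) -> bytes:
    """Rolling XOR: byte i is XORed with key[i % len(key)]. Self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))


def decode_byte(encoded_byte: int, index: int, key: bytes = KEY) -> int:
    """Undo the rolling XOR for a single byte at position `index`."""
    return encoded_byte ^ key[index % len(key)]


def chunked_write(target: bytearray, base: int, data: bytes,
                  chunk: int = CHUNK_SIZE) -> int:
    """Copy `data` into `target` at `base`, `chunk` bytes per write.
    Returns the number of writes, i.e. how many remote-write calls the
    loader would issue instead of one large copy."""
    writes = 0
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        target[base + off:base + off + len(piece)] = piece
        writes += 1
    return writes


def decode_in_place(target: bytearray, base: int, length: int,
                    key: bytes = KEY) -> None:
    """Decode one byte per step, each step being a separate single-byte write."""
    for i in range(length):
        target[base + i] = decode_byte(target[base + i], i, key)


def simulate_loader(raw: bytes, chunk: int = CHUNK_SIZE, key: bytes = KEY):
    """Encode -> chunked write -> byte-wise decode, all in a local buffer.
    Returns (number_of_chunk_writes, only_encoded_form_was_resident, decoded)."""
    encoded = encode(raw, key)
    memory = bytearray(0x1000)   # stand-in for the remote memory region
    base = 0x100
    writes = chunked_write(memory, base, encoded, chunk)
    # Before decoding, only the encoded bytes exist in the "remote" buffer.
    encoded_resident = bytes(memory[base:base + len(raw)]) == encoded
    decode_in_place(memory, base, len(raw), key)
    decoded = bytes(memory[base:base + len(raw)])
    return writes, encoded_resident, decoded


if __name__ == "__main__":
    w, enc_ok, out = simulate_loader(RAW_PAYLOAD)
    print(f"writes={w} encoded_resident={enc_ok} roundtrip={out == RAW_PAYLOAD}")
```

With a 200-byte placeholder and 64-byte chunks the simulation issues four writes and the decoded buffer matches the input; swap in the repo's real encoder and chunk size to check that the encode/decode pair you ship actually round-trips before pointing it at a process.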