DInvoke_shellcodeload_CSharp

Blog link: (may not be updated).

Usage

  1. Just replace the shellcode.
  2. Launch it through some whitelisted applications.

Comparing via API monitor

There are mainly three APIs we monitor:

  1. As the picture below shows, SimpleLoader's API calls were caught by API Monitor.

  2. The DInvoke ShellcodeLoader's API calls were not caught by API Monitor.

Reference links:

  1. https://github.com/CCob/SharpBlock
  2. https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/
  3. https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/
  4. https://thewover.github.io/Dynamic-Invoke/
  5. https://offensivedefence.co.uk/posts/dinvoke-syscalls/
  6. https://github.com/TheWover/DInvoke
  7. http://www.rohitab.com/discuss/topic/38807-api-monitor-v2-r10-release-instant-monitoring-without-definitions-support-for-dllmain-and-early-apis-windows-8/
  8. https://vimeo.com/566964438
  9. https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread
  10. https://docs.microsoft.com/en-us/dotnet/api/microsoft.visualstudio.shell.interop.vsdebugstartupinfo.dwcreationflags?view=visualstudiosdk-2019