Freeze written in rust with APC shellcode injection. Shellcode is executed in signed Windows PE and its process gets unhooked using frozen regression

mariolima/vast
vast

Shellcode loader using Freeze for NTDLL unhooking and the EarlyBird APC queue technique for shellcode execution. The new process is then unhooked as well by remotely overwriting its NTDLL .text section with the clean copy (Frozen regression).

```mermaid
sequenceDiagram
autonumber
participant V as Vast
participant T as Windows Signed PE
V->>T: Create suspended process with <br>BLOCK_NON_MICROSOFT_BINARIES
opt Freeze NTDLL unhooking
V-->>+V: PEB walk and get NTDLL .text address
T->>V: Get remote NTDLL .text section
V-->>-V: Overwrite local NTDLL .text section<br>Patch ETW (NtTraceControl)
end
V-->>T: Allocate & Protect remote memory
V->>T: QueueApc Thread + NtResumeThread + <br> DebugActiveProcess
note over T: Shellcode gets executed<br>with Vast as a debugger
T-->>V: Int3 in first shellcode byte creates exception
V->>T: Overwrite remote NTDLL .text section<br>with unhooked one & continue execution
note right of T: New process hooks<br>get unhooked now
```