1. ShellCode memory injection
It mainly revolves around three steps:

- Allocate memory space: VirtualAlloc (reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process; the allocated memory is initialized to zero), VirtualAlloc2 (process injection: reserves, commits, or changes the state of a memory region in the virtual address space of the specified process; the allocated memory is initialized to zero), VirtualAllocEx (process injection: reserves, commits, or changes the state of a memory region in the virtual address space of the specified process; the allocated memory is initialized to zero).
- Write the payload into memory: RtlCopyMemory copies the contents of the source memory block to the destination memory block (newer version); RtlCopyBytes and RtlMoveMemory copy the contents of the source memory block to the destination memory block (older versions).
- Call for execution: execution by creating a thread, execution via syscall (Golang), execution through embedded C code.

Loading methods: basic loading, fiber loading, remote loading.
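From the defender's side, the three steps above (allocate executable memory, write into it, start a thread inside it) form a chain that can be correlated in API-call telemetry. The following is an added example, not code from the original page; the event format, field names and the sample trace are constructed assumptions for the illustration.

```python
from collections import defaultdict

# Memory protection constants with the execute bit set (winnt.h values):
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY.
EXECUTABLE_PROTECTS = {0x10, 0x20, 0x40, 0x80}

ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "VirtualAlloc2"}
WRITE_APIS = {"RtlCopyMemory", "RtlMoveMemory", "RtlCopyBytes", "WriteProcessMemory"}
EXEC_APIS = {"CreateThread", "CreateRemoteThread"}

# Constructed sample telemetry (field names are an assumption of this example).
# pid 4242 follows the allocate -> write -> execute chain; pid 777 is benign.
SAMPLE_EVENTS = [
    {"pid": 4242, "api": "VirtualAlloc", "addr": 0x1F0000, "size": 0x1000, "protect": 0x40},
    {"pid": 4242, "api": "RtlMoveMemory", "dst": 0x1F0000, "size": 0x200},
    {"pid": 4242, "api": "CreateThread", "start": 0x1F0010},
    {"pid": 777, "api": "VirtualAlloc", "addr": 0x300000, "size": 0x1000, "protect": 0x04},
    {"pid": 777, "api": "RtlCopyMemory", "dst": 0x300000, "size": 0x100},
    {"pid": 777, "api": "CreateThread", "start": 0x7FF600001000},
]


def _in_region(addr, region):
    return region["addr"] <= addr < region["addr"] + region["size"]


def find_injection_chains(events):
    """Return (pid, base) for every executable region that the same process
    allocated, then wrote into, then used as a thread start address."""
    regions = defaultdict(list)  # pid -> executable regions seen so far
    findings = []
    for ev in events:
        pid, api = ev["pid"], ev["api"]
        if api in ALLOC_APIS and ev["protect"] in EXECUTABLE_PROTECTS:
            regions[pid].append({"addr": ev["addr"], "size": ev["size"], "written": False})
        elif api in WRITE_APIS:
            for r in regions[pid]:
                if _in_region(ev["dst"], r):
                    r["written"] = True
        elif api in EXEC_APIS:
            for r in regions[pid]:
                if r["written"] and _in_region(ev["start"], r):
                    findings.append((pid, r["addr"]))
    return findings


if __name__ == "__main__":
    for pid, base in find_injection_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: thread started inside self-written executable region at {base:#x}")
```

Note that the fiber and direct-syscall execution variants listed above do not go through CreateThread, so a rule keyed only on thread creation misses them; region-level checks (executable memory that was written by the process itself) are the more robust signal.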
2. ShellCode encryption and decryption
Common encryption and encoding methods: AES encryption, hex encoding, XOR + Base64, Base85 + XOR + RC4.