{"id":17383433,"url":"https://github.com/xuanxuan0/driploader","last_synced_at":"2025-04-04T16:12:54.993Z","repository":{"id":43138286,"uuid":"362595794","full_name":"xuanxuan0/DripLoader","owner":"xuanxuan0","description":"Evasive shellcode loader for bypassing event-based injection detection (PoC)","archived":false,"fork":false,"pushed_at":"2021-08-23T00:21:08.000Z","size":384,"stargazers_count":756,"open_issues_count":1,"forks_count":125,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-04-04T16:12:51.152Z","etag":null,"topics":["edr","evasion-attacks","shellcode","shellcode-injector","shellcode-loader"],"latest_commit_sha":null,"homepage":"https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xuanxuan0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-04-28T20:17:40.000Z","updated_at":"2025-04-04T08:32:31.000Z","dependencies_parsed_at":"2022-09-14T12:40:18.065Z","dependency_job_id":null,"html_url":"https://github.com/xuanxuan0/DripLoader","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xuanxuan0%2FDripLoader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xuanxuan0%2FDripLoader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xuanxuan0%2FDripLoader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xuanxuan0%2FDripLoader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xuanxuan0","download_url":"https://codeload.github.com/xuanxuan0/DripLoader/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247208139,"owners_count":20901570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["edr","evasion-attacks","shellcode","shellcode-injector","shellcode-loader"],"created_at":"2024-10-16T07:41:36.662Z","updated_at":"2025-04-04T16:12:54.963Z","avatar_url":"https://github.com/xuanxuan0.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DripLoader (PoC)\n![msbuild](https://github.com/xinbailu/DripLoader/actions/workflows/msbuild.yml/badge.svg)\n\nEvasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project aims to highlight the limitations of event-driven injection identification and to show the need for more advanced memory scanning and smarter local agent software inventories in EDR.\n\n![image](https://user-images.githubusercontent.com/32537788/119597324-13a7fe00-bde1-11eb-987a-38180ad6574b.png)\n\n## DripLoader evades common EDRs by:\n- using the riskiest APIs possible, such as `NtAllocateVirtualMemory` and `NtCreateThreadEx`\n- blending in with call arguments to create events that vendors are forced to drop, or log \u0026 ignore, due to volume\n- avoiding multi-event correlation by introducing delays\n\n## What does DripLoader do\n- Identifies a base address suitable for our payload\n- Reserves enough `AllocationGranularity` (64kB) sized, `NO_ACCESS` memory segments at the base address\n- Loops over those:\n    - Allocating `PageSize` (4kB) sized, writable segments\n    - Writing shellcode\n    - Reprotecting as `RX`\n- Overwrites the prologue of one `ntdll` function in the remote process memory space with a `jmp` to our base\n- Drops a thread on that trampoline\n\nI'll explain some of the thinking here: https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection\n\n## And so\n- It's able to fully bypass many EDR injection detections, including Defender ATP.\n- Bypasses simple thread-centric scanners like `Get-InjectedThread`. Persisting within a process is another story, and this is up to the payload author.\n- It is `sRDI`-compatible, but if your payload creates another local thread you will lose the benefit of the thread start address being in `ntdll`.\n\nTo test it out of the box:\n- compile/download\n- XOR your binary shellcode blob file with the default key 0x08 and name it `blob.bin`\n- place both files in the same directory\n- run it and follow the prompts, or run `./DripLoader.exe \u003ctarget_pid\u003e \u003cdelay_per_step_ms\u003e`\n\nI attached an example `MessageBox` blob for your pleasure; be aware, though, that its size is unrealistically small for a payload.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxuanxuan0%2Fdriploader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxuanxuan0%2Fdriploader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxuanxuan0%2Fdriploader/lists"}