https://github.com/winterrdog/zombiethread_pp

Another Meterpreter code injection technique using C++ that attempts to bypass Win-Def. This repo is a C++ adaptation of @Bl4ckM1rror 's C# version.
https://github.com/winterrdog/zombiethread_pp

Last synced: 7 months ago
JSON representation

Another Meterpreter code injection technique using C++ that attempts to bypass Win-Def. This repo is a C++ adaptation of @Bl4ckM1rror 's C# version.

• Host: GitHub
• URL: https://github.com/winterrdog/zombiethread_pp
• Owner: winterrdog
• License: mit
• Created: 2022-07-22T03:51:34.000Z (over 3 years ago)
• Default Branch: main
• Last Pushed: 2022-10-17T14:08:19.000Z (about 3 years ago)
• Last Synced: 2025-03-27T21:11:46.470Z (10 months ago)
• Language: C++
• Size: 7.81 KB
• Stars: 10
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# ZombieThread_pp🧟

Another Meterpreter code injection technique using C++ that attempts to bypass Win-Def. This repo is a C++ adaptation of @Bl4ckM1rror 's C# version.

# Introduction 📚

The idea behind this project was to try to figure out how inject shellcode into a remote process and go under the Windows Defender's radar.

The program's algorithm is quite simple( and maybe clear :) ):

- Open a remote process using `OpenProcess`.

- Decrypt the meterpreter payload in memory.

- Allocate some memory in the remote process using `VirtualAllocEx`, ensuring we assign the correct permissions to write to the memory of course.

- Write the payload into the allocated memory using `WriteProcessMemory`.

- Protect the memory using `VirtualProtectEx`, setting the protection to `PAGE_NOACCESS`.

- Create a new suspended thread using `CreateRemoteThread`.

- Sleep for 30 seconds while Defender scans the remote process memory for malicious code.

- Change the protection on the memory using `VirtualProtectEx`, setting the protection to `PAGE_EXECUTE_READ_WRITE`.

- Resuming the remote thread using `ResumeThread`

It would appear that protecting the page with `PAGE_NOACCESS` containing our meterpreter shellcode is not scanned by Defender and is not detected. By suspending the thread upon creation we are able to 'hold' the shellcode in memory until Windows Defender has done it's scan then execute the shellcode when Defender has finished( Remember Windows Defender is good at runtime analysis but this trick is also good at runtime evasion ).

# VERY-VERY Important 📝✍️

- Remember, the code looks for an instance of explorer.exe( not Internet Explorer for Christ's sake ) to inject into, if you want to inject into another process, you MUST change it in the `danger.cpp` code.

- Also remember to provide the `sh_code` variable with your meterpreter shellcode. That line( `line 54` ) looks something like this:

```cpp

  unsigned char sh_code[]{/* paste your shellcode here */};

```

- You can use `mingw` or `Visual Studio` to compile this program's code( Can't illustrate on how to do that )

# AV Scan Results 🚨🚨

The binary was scanned using [antiscan.me](https://antiscan.me/scan/new/result?id=JkbJGQBeJIw6) on 20/06/2022.

![AV Scan](https://github.com/Bl4ckM1rror/ZombieThread/blob/main/antiscan.png?raw=true)

# Credits 🫡

A huge thanks to @Bl4ckM1rror.