T.D.P.

WHAT IS THIS:

T.D.P. ; Thread Description Poisoning ; is a tech i came up with after publishing 0x41, the project didnt got much attention beacuse i was dead back then, anyways … This poc uses SetThreadDescription && GetThreadDescription functions to hide the payload from memory scanners, of course i added some extra spice to it, this is however, not a loader made as is to evade avs, but a poc to represent the idea …

WHAT IS THIS, REALLY ?

  • first thing is to run the shellcode, im using CreateTimerQueueTimer to do so, and using cobalt strike shellcode
  • hooking Sleep function using detours
  • then we get a handle to a random thread to get and set our payload in and out of it, using GetTargetThreadToStore
  • once the shellcode is executed, and sleep is hooked, we encrypt it with a random xor key, set as NOACCESS, then we read the shellcode in memory, convert it to UTF-16 string, set the original shellcode location to 0’s, and call SetThreadDescription passing the UTF-16 encoded shellcode.
  • Now we have a thread with our shellcode in its description, and a clean base address
  • i added some extra spice, ThreadStackSpoofer , and i unhooked sleep, and re-hook it later (trying to ‘not’ look so sus by hooking api’s)
  • using VEHHandler to figure out when to re-patch
  • once the sleep is done, the next step is to GetThreadDescription, and paste back to the base address, decrypt (run whatever the shellcode want to run), and do all the stuff again

THANKS FOR:

AT THE END:

In case anyone have any problems / ideas / whatever … ill be more than happy to help ?

120064592-a5c83480-c075-11eb-89c1-78732ecaf8d3

STAY TUNED FOR MORE

GitHub

View Github