Introduction In this post, I demonstrate how to write a simple in-memory shellcode loader using the Windows API. The loader reads an XOR-encrypted reverse shell payload from disk, decrypts it in memory, and executes it — avoiding detection from basic signature-based AV. Tools Used Code Sections XOR Encryption Script (Python) C Loader Code Explanation Break … Read more
Proof of Concept Explanation Now lets discuss the code before i forget how it works, winternl.h is used to include the Windows Native API functions and types like NTSTATUS. typedef is used to define a data type so that we don’t have to explain it to the compiler again and again. For NtAllocateVirtualMemory, you need … Read more
What is a Suspended Process? A suspended process is a process that starts without immediately executing its main thread. Now, what is the main thread? That’s a great question! You can think of the main thread like the main() function in C/C++. When a process is created in a suspended state, it means the process … Read more