
LockdExeDemo

A demo of the relevant blog post, Hook Heaps and Live Free: https://www.arashparsa.com/hook-heaps-and-live-free/

DEMO

Explanation

There are two build targets.

The first is an EXE. The EXE requires you to supply shellcode (I used staged Cobalt Strike shellcode from the payload generator). You can validate that it works by running your shellcode inside it and scanning the process with BeaconEye: while the beacon sleeps, its heap is encrypted and BeaconEye should no longer find it.

The second is a DLL that you can inject into any process. It hooks Sleep and, as with the EXE, any Sleep call longer than 1 ms encrypts the heap for the duration of the sleep and decrypts it on wake-up. Cobalt Strike's default generated EXE creates two threads that both need to keep running, which interferes with this (the heap cannot be encrypted while another thread still depends on it), whereas a Cobalt Strike thread injected into another process only needs one thread to operate and works as expected. Getting this to work in an already-running, standalone generated CS EXE may take a bit more work or a profile change.

Remember that this does work in processes like explorer.exe, but it will freeze the whole process while CS is sleeping with the heap encrypted, because every other thread in that process shares the heap that is now unreadable. This version is really meant for standalone processes you control.
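The following is an added example, not LockdExeDemo's own code, showing the core idea of the Sleep hook in portable C so it can be compiled and run anywhere. It assumes a small tracked allocator in place of the real process heap (the actual demo works on the live Windows heap), a per-sleep XOR key in place of whatever cipher the demo uses, and a function pointer `original_sleep` standing in for the trampoline to the real Win32 Sleep. The scanner and the "BEACON-CONFIG-MARKER" string are constructed for the example to play the role of BeaconEye looking for beacon structures in the heap.

```c
/* Added example, not the project's code: portable sketch of "encrypt the
 * heap while sleeping". A tracked allocator stands in for the process heap
 * and a function pointer stands in for the hooked Win32 Sleep. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64

typedef struct { uint8_t *ptr; size_t len; } block_t;
static block_t g_blocks[MAX_TRACKED];
static size_t g_nblocks;

/* Allocate a block and record it so the sleep hook can find it later. */
void *tracked_alloc(size_t len) {
    if (g_nblocks == MAX_TRACKED) return NULL;
    uint8_t *p = calloc(1, len);
    if (!p) return NULL;
    g_blocks[g_nblocks].ptr = p;
    g_blocks[g_nblocks].len = len;
    g_nblocks++;
    return p;
}

void tracked_free(void *p) {
    for (size_t i = 0; i < g_nblocks; i++) {
        if (g_blocks[i].ptr == p) {
            free(p);
            g_blocks[i] = g_blocks[--g_nblocks];
            return;
        }
    }
}

/* XOR every tracked block with a repeating key; applying it twice restores the data. */
static void xor_all_blocks(const uint8_t *key, size_t keylen) {
    for (size_t i = 0; i < g_nblocks; i++)
        for (size_t j = 0; j < g_blocks[i].len; j++)
            g_blocks[i].ptr[j] ^= key[j % keylen];
}

typedef void (*sleep_fn)(unsigned ms);

/* Replacement for Sleep(). Sleeps of 1 ms or less pass straight through; longer
 * sleeps encrypt the tracked blocks, sleep, then decrypt. The key is fresh per
 * sleep and lives only on this stack frame. This is only safe when no other
 * thread touches the heap during the sleep (the README's thread caveat). */
void hooked_sleep(unsigned ms, sleep_fn original_sleep) {
    if (ms <= 1) { original_sleep(ms); return; }
    uint8_t key[16];
    for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)rand();
    key[0] |= 1;  /* never an identity key, even if rand() yields zeros */
    xor_all_blocks(key, sizeof key);
    original_sleep(ms);
    xor_all_blocks(key, sizeof key);
}

/* Stand-in for a memory scanner like BeaconEye: does any tracked block contain the pattern? */
int scanner_finds(const void *pattern, size_t plen) {
    for (size_t i = 0; i < g_nblocks; i++) {
        if (g_blocks[i].len < plen) continue;
        for (size_t off = 0; off + plen <= g_blocks[i].len; off++)
            if (memcmp(g_blocks[i].ptr + off, pattern, plen) == 0) return 1;
    }
    return 0;
}

/* Constructed "beacon config" the scanner looks for. */
static const char MARKER[] = "BEACON-CONFIG-MARKER";
static int g_found_while_asleep = -1;

/* Fake original Sleep: instead of blocking, scan the heap while "asleep". */
static void fake_sleep(unsigned ms) {
    (void)ms;
    g_found_while_asleep = scanner_finds(MARKER, sizeof MARKER - 1);
}

/* Returns 1 if the marker was visible before, hidden during, and intact after the sleep. */
int run_demo(void) {
    char *cfg = tracked_alloc(256);
    if (!cfg) return 0;
    memcpy(cfg, MARKER, sizeof MARKER);
    int visible_before = scanner_finds(MARKER, sizeof MARKER - 1);
    hooked_sleep(5000, fake_sleep);
    int intact_after = scanner_finds(MARKER, sizeof MARKER - 1)
                       && memcmp(cfg, MARKER, sizeof MARKER) == 0;
    tracked_free(cfg);
    return visible_before && !g_found_while_asleep && intact_after;
}

int main(void) {
    return run_demo() ? 0 : 1;
}
```

Build with `cc -o sleepdemo sleepdemo.c` and run; exit code 0 means the marker was unreadable to the scanner for the whole sleep and came back intact afterwards. In the real demo the "tracked blocks" are the process heap itself and `original_sleep` is the real Sleep reached through the hook, which is exactly why a second thread using the heap during the sleep (Cobalt Strike's default EXE, or every other thread of explorer.exe) breaks or freezes: those threads read encrypted memory until the sleeping thread wakes and decrypts it.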