Skip to content

Latest commit

 

History

History
28 lines (13 loc) · 1.15 KB

README.md

File metadata and controls

28 lines (13 loc) · 1.15 KB
Raw

PhantomExecution

Self Cleanup in post-ex job, suit for CobaltStrike

When the target of process injection is the current process, and when the post-ex job is executed and the thread exits, the memory will look like this

Then, perform 5 screenshots:

So, we use the RDI itself to clean up itself and the memory area which the post-ex job is executed.

This is also a general memory execution plugin

The code is not beautiful, and many IOCs are not evasioned. Please modify it according to OPSEC principles. This code only shows the self clean technology.

writeup: https://mp.weixin.qq.com/s/V4EdhGzyzxln0LzU99hqpA

conference: https://github.com/knownsec/KCon/blob/master/2024/%E9%AB%98%E7%BA%A7%E6%81%B6%E6%84%8F%E8%BD%AF%E4%BB%B6%E5%BC%80%E5%8F%91%E4%B9%8BRDI%E7%9A%84%E8%BF%9B%E5%8C%96.pdf