ewby/Mockingjay_POC

Mockingjay_POC

Preface: I'm learning, OK?

A very rough and incomplete draft I wrote a while back of the "Mockingjay" technique, based on Namazso's original discovery on the Unknown Cheats forum and the recent Security Joes article.

The idea is to have the payload live in a memory region that is already RWX by design: a section of a trusted module whose PE section header is marked execute, read and write, so that once a legitimate process loads that module the payload can be written there and run from inside it without the usual process-injection Win32/NT API calls (VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, CreateRemoteThread and their Nt* equivalents) that EDRs hook. The technique is supposed to be threadless, but I was unable to replicate it without self-debugging or creating a thread, which is a major IOC on its own, especially when facing ETW-powered EDR products.
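The first step of the technique is finding a module that already carries such a section. As an added example (not the repository's own code), the scanner below walks a PE image's section table and reports the first section whose Characteristics carry EXECUTE|READ|WRITE, together with its RVA and size so a caller can check the payload fits. To stay portable and runnable offline it parses a constructed in-memory PE32+ header rather than a real DLL; the section names, RVAs, sizes and the `build_sample_image`/`scan_sample` helpers are assumptions made for the demo. On a real target the same `find_rwx_section` would be pointed at a module's base address (the DOS header), whether read from disk or already mapped.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Section Characteristics bits from the PE/COFF specification */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define SCN_RWX (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

/* Little-endian accessors: no dependence on host endianness or unaligned loads */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the section table of a PE image (a file or a mapped module, both start
 * with the DOS header) and return the index of the first section whose
 * Characteristics already carry EXECUTE|READ|WRITE, or -1 if there is none or
 * the headers are malformed/truncated. On success *rva and *vsize receive the
 * section's VirtualAddress and VirtualSize, name_out its NUL-terminated name. */
int find_rwx_section(const uint8_t *img, size_t len,
                     uint32_t *rva, uint32_t *vsize, char name_out[9])
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                 /* e_lfanew */
    if (pe > len || len - pe < 24) return -1;       /* "PE\0\0" + COFF header */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsect    = rd16(img + pe + 6);         /* NumberOfSections */
    uint16_t opt_size = rd16(img + pe + 20);        /* SizeOfOptionalHeader */
    size_t table = (size_t)pe + 24 + opt_size;      /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsect; i++) {
        size_t off = table + (size_t)i * 40;        /* sizeof(IMAGE_SECTION_HEADER) */
        if (off + 40 > len) return -1;              /* truncated section table */
        uint32_t chars = rd32(img + off + 36);      /* Characteristics */
        if ((chars & SCN_RWX) == SCN_RWX) {
            *vsize = rd32(img + off + 8);           /* VirtualSize */
            *rva   = rd32(img + off + 12);          /* VirtualAddress */
            memcpy(name_out, img + off, 8);
            name_out[8] = '\0';
            return (int)i;
        }
    }
    return -1;
}

/* Constructed test image (assumption: not a real DLL). Builds a minimal PE32+
 * header with three sections; only the fields the scanner reads are filled,
 * so the result is not loadable. with_rwx selects whether the third section
 * is marked RWX (the Mockingjay candidate) or plain RW. */
size_t build_sample_image(uint8_t *buf, size_t cap, int with_rwx)
{
    const uint32_t pe_off   = 0x80;
    const uint16_t opt_size = 0xF0;                 /* PE32+ optional header */
    const size_t total = pe_off + 24 + opt_size + 3 * 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    wr16(buf + pe_off + 4, 0x8664);                 /* Machine: AMD64 */
    wr16(buf + pe_off + 6, 3);                      /* NumberOfSections */
    wr16(buf + pe_off + 20, opt_size);
    wr16(buf + pe_off + 24, 0x20b);                 /* Magic: PE32+ */
    struct { const char *name; uint32_t rva, size, chars; } secs[3] = {
        { ".text", 0x1000, 0x4000, 0x60000020u },   /* code: R X */
        { ".data", 0x5000, 0x1000, 0xC0000040u },   /* data: R W */
        { ".rwx",  0x6000, 0x2000, with_rwx ? 0xE0000040u : 0xC0000040u },
    };
    uint8_t *s = buf + pe_off + 24 + opt_size;
    for (int i = 0; i < 3; i++, s += 40) {
        memcpy(s, secs[i].name, strlen(secs[i].name));
        wr32(s + 8,  secs[i].size);
        wr32(s + 12, secs[i].rva);
        wr32(s + 36, secs[i].chars);
    }
    return total;
}

/* Build the sample image and scan it; returns the RWX section index or -1. */
int scan_sample(int with_rwx, uint32_t *rva, uint32_t *vsize, char name_out[9])
{
    static uint8_t img[1024];
    size_t n = build_sample_image(img, sizeof img, with_rwx);
    return n ? find_rwx_section(img, n, rva, vsize, name_out) : -1;
}

int main(void)
{
    uint32_t rva = 0, vsize = 0;
    char name[9];
    int idx = scan_sample(1, &rva, &vsize, name);
    if (idx < 0) { puts("no RWX section"); return 1; }
    printf("RWX section #%d %s rva=0x%x size=0x%x\n", idx, name, rva, vsize);
    return 0;
}
```

The returned VirtualSize is what bounds the payload: anything larger than the section cannot be placed there without touching page protections, which is exactly the call the technique is trying to avoid. Note that the scanner only reports what the headers claim; a section marked RWX in the file is what the loader maps RWX, but the check should be repeated against the mapped module in the target process before writing.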

With that said, I plan to continue development of this POC once other Red Team projects complete and this specific Purple Team project resumes. For now it can exist here for my own use and as inspiration for other POCs.

TO-DO

  • Make the POC injection threadless, as described in the article above
  • Convert self_inject from memcpy to NtWriteVirtualMemory
  • Implement various evasion techniques for Purple Team testing
    • Most likely as sub-POCs: NTAPI, direct syscalls, indirect syscalls, etc.
  • Can it be turned into a BOF (Beacon Object File)?

About

Proof-of-Concept for the Mockingjay Process Injection Technique
