PhantomExecution

Self Cleanup in post-ex job, suit for CobaltStrike

When the target of process injection is the current process, and when the post-ex job is executed and the thread exits, the memory will look like this

Then, perform 5 screenshots:

So, we use the RDI itself to clean up itself and the memory area which the post-ex job is executed.

This is also a general memory execution plugin

The code is not beautiful, and many IOCs are not evasioned. Please modify it according to OPSEC principles. This code only shows the self clean technology.

writeup: https://mp.weixin.qq.com/s/V4EdhGzyzxln0LzU99hqpA

conference: https://github.com/knownsec/KCon/blob/master/2024/%E9%AB%98%E7%BA%A7%E6%81%B6%E6%84%8F%E8%BD%AF%E4%BB%B6%E5%BC%80%E5%8F%91%E4%B9%8BRDI%E7%9A%84%E8%BF%9B%E5%8C%96.pdf

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
bin/postex-loader		bin/postex-loader
examples/postex-loader		examples/postex-loader
intermmediate		intermmediate
library		library
PhantomExecution.sln		PhantomExecution.sln
README.md		README.md
default.props		default.props
loader.props		loader.props
requirements.txt		requirements.txt
udrl.py		udrl.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

PhantomExecution

About

Releases

Packages

Languages

CBLabresearch/PhantomExecution

Folders and files

Latest commit

History

Repository files navigation

PhantomExecution

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages