Observation
This technique solves the issue of EDRs flagging RWX regions in a process as suspicious, as seen in Classic Code Injection Local Process and RWX Hunting&Injection. A memory region with RW permissions is first created, then its permissions are changed to RX using VirtualProtect.
Working
- Find a process with necessary rights (such as
PROCESS_ALL_ACCESS) usingCreateToolhelp32Snapshot. - Use
OpenProcessfunction to get a handle to it. - Allocate memory to its address space using
VirtualAllocEx. - Use
WriteProcessMemoryto write the shellcode into the allocated memory. - Use
VirtualProtectExto change the RW permission to RX. - Create a remote thread to execute the shellcode using
CreateRemoteThread.