chvancooten / NimPlant

A light-weight first-stage C2 implant written in Nim.
MIT License
779 stars, 109 forks

Fix Ekko sleep mask for .dll/.bin payloads #1

Closed chvancooten closed 8 months ago

chvancooten commented 1 year ago

Currently, the Ekko sleep mask feature only works with the normal executable payloads and not with DLL/shellcode, since it targets the parent process's base image for encryption. This is a known issue with Ekko described in this blog.

With some research, the Ekko module could be enhanced to target only the correct section of the present payload for encryption.
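The fix the comment above points at, as an added example (this is not NimPlant's or Ekko's code): instead of masking the host process's main image, resolve the image that the payload itself lives in and walk its PE section table to find the one section containing a known payload address, then mask only that range. The PE image here is constructed in memory so the example runs anywhere; the names `find_section_for`, `mask_region`, `sample_image` and the Windows-only helper `own_module_base` are this example's own. The DLL case is the one covered: a raw `.bin` shellcode blob carries no PE headers, so for that case the implant would need its own start and length marker rather than a section walk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } DosHdr;
typedef struct {                               /* PE signature + IMAGE_FILE_HEADER */
    uint32_t Signature;
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} NtHdr;
typedef struct {                               /* IMAGE_SECTION_HEADER, 40 bytes */
    char     Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHdr;
#pragma pack(pop)

typedef struct { uint8_t *start; size_t size; char name[9]; } Region;

/* Walk the section table of the image mapped at `base` and return the section
 * that contains `addr`. Returns 0 if `base` is not a PE image or `addr` lies in
 * no section (for example inside the headers). */
int find_section_for(uint8_t *base, const void *addr, Region *out) {
    const DosHdr *dos = (const DosHdr *)base;
    if (dos->e_magic != 0x5A4D) return 0;                          /* "MZ" */
    const NtHdr *nt = (const NtHdr *)(base + dos->e_lfanew);
    if (nt->Signature != 0x00004550) return 0;                     /* "PE\0\0" */
    const SectionHdr *sec =
        (const SectionHdr *)((const uint8_t *)nt + sizeof(NtHdr) + nt->SizeOfOptionalHeader);
    uintptr_t rva = (uintptr_t)((const uint8_t *)addr - base);
    for (uint16_t i = 0; i < nt->NumberOfSections; i++) {
        uintptr_t lo = sec[i].VirtualAddress, hi = lo + sec[i].VirtualSize;
        if (rva >= lo && rva < hi) {
            out->start = base + lo;
            out->size  = sec[i].VirtualSize;
            memcpy(out->name, sec[i].Name, 8);
            out->name[8] = '\0';
            return 1;
        }
    }
    return 0;
}

/* XOR-mask a region in place; applying the same key twice restores it. A real
 * sleep mask would use a proper cipher; the point here is the bounds. */
void mask_region(const Region *r, uint8_t key) {
    for (size_t i = 0; i < r->size; i++) r->start[i] ^= key;
}

#ifdef _WIN32
#include <windows.h>
/* Hypothetical helper: on Windows the base of the module this code lives in (a
 * DLL's own image, not the host EXE returned by GetModuleHandle(NULL)) is the
 * AllocationBase of any address inside it; pass that as `base` above. */
uint8_t *own_module_base(void) {
    MEMORY_BASIC_INFORMATION mbi;
    if (!VirtualQuery((LPCVOID)&own_module_base, &mbi, sizeof mbi)) return NULL;
    return (uint8_t *)mbi.AllocationBase;
}
#endif

/* Constructed sample image (not a real binary): 0x3000 bytes with .text at
 * RVA 0x1000 (0x800 bytes, filled with 0xC3) and .data at RVA 0x2000 (0x400 bytes). */
static uint8_t g_image[0x3000];
uint8_t *sample_image(void) {
    static int built = 0;
    if (!built) {
        DosHdr *dos = (DosHdr *)g_image;
        dos->e_magic = 0x5A4D;
        dos->e_lfanew = 0x80;
        NtHdr *nt = (NtHdr *)(g_image + 0x80);
        nt->Signature = 0x00004550;
        nt->NumberOfSections = 2;
        nt->SizeOfOptionalHeader = 0xF0;                            /* PE32+ size */
        SectionHdr *sec = (SectionHdr *)(g_image + 0x80 + sizeof(NtHdr) + 0xF0);
        memcpy(sec[0].Name, ".text", 5); sec[0].VirtualAddress = 0x1000; sec[0].VirtualSize = 0x800;
        memcpy(sec[1].Name, ".data", 5); sec[1].VirtualAddress = 0x2000; sec[1].VirtualSize = 0x400;
        memset(g_image + 0x1000, 0xC3, 0x800);
        built = 1;
    }
    return g_image;
}

/* Start RVA of the section containing `rva` in the sample image, or 0 if none. */
uint32_t section_start_rva(uint32_t rva) {
    Region r;
    uint8_t *b = sample_image();
    return find_section_for(b, b + rva, &r) ? (uint32_t)(r.start - b) : 0;
}

/* Mask .text of the sample image and report whether only .text changed and the
 * round trip restored it: 1 on success, 0 otherwise. */
int mask_only_text_changes(void) {
    Region r;
    uint8_t *b = sample_image();
    if (!find_section_for(b, b + 0x1000, &r)) return 0;
    mask_region(&r, 0x41);
    int ok = b[0x0FFF] == 0x00 && b[0x1000] == (0xC3 ^ 0x41) &&
             b[0x17FF] == (0xC3 ^ 0x41) && b[0x1800] == 0x00;
    mask_region(&r, 0x41);
    return ok && b[0x1000] == 0xC3;
}

int main(void) {
    Region r;
    uint8_t *b = sample_image();
    if (find_section_for(b, b + 0x1234, &r))
        printf("RVA 0x1234 is in %s: mask %zu bytes from RVA 0x%lx\n",
               r.name, r.size, (unsigned long)(r.start - b));
    printf("mask confined to .text: %s\n", mask_only_text_changes() ? "yes" : "no");
    return 0;
}
```

In a DLL-hosted implant the `base` argument would come from the module the payload was loaded into (the `own_module_base` helper shows one way on Windows) and `addr` would be the address of any function in the payload; the returned region is then what the sleep mask encrypts, leaving the host process's own image untouched.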

Cracked5pider commented 1 year ago

Hit me up on Discord if you need help.