chvancooten / NimPlant

A light-weight first-stage C2 implant written in Nim.
MIT License

Fix Sleep Obfuscation for DLL and Shellcode payloads #25

Closed notb9 closed 8 months ago

notb9 commented 9 months ago

Fixes the Ekko implementation for sleep obfuscation for DLL and Shellcode payloads (closes #1). Changes in this PR:

  1. Locate payload base address by matching MZ and PE magic bytes
  2. Bypass Control Flow Guard by adding NtContinue as a valid call target
  3. Disable the sRDI flag for clearing the DLL header of the payload

chvancooten commented 8 months ago

Thanks for this great addition! I merged it into the dev branch and successfully tested it to work. Will merge it into the main branch soon!