Open fornotes opened 3 months ago
Based on this SigmaHQ rule
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
https://github.com/boku7/injectAmsiBypass/blob/main/inject-amsiBypass.c
On requesting handle with "PROCESS_VM_OPERATION | PROCESS_VM_WRITE" (i.e. 0x28) windows gives back (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE) i.e. 0x1028
Based on this SigmaHQ rule
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
https://github.com/boku7/injectAmsiBypass/blob/main/inject-amsiBypass.c
On requesting handle with "PROCESS_VM_OPERATION | PROCESS_VM_WRITE" (i.e. 0x28) windows gives back (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE) i.e. 0x1028