Skip to main content

Tradecraft Improvement 2 - Module Stomping

Introduction In the second installment of the tradecraft improvement series we will be discussing about a very common technique used when running/injecting shellcode in-memory. Most of the time when we directly inject shellcode in-memory of the current process or a remote process, it shows up as an unbacked memory region. That means there is no originating file for that particular memory. This will raise suspicion if the thread memory are being inspected.