
A new offensive security tool developed in Rust is demonstrating a novel method for bypassing modern Endpoint Detection and Response (EDR) systems by exploiting an overlooked behavior in the Windows API.
Dubbed Indirect-Shellcode-Executor, the tool leverages the ReadProcessMemory function to inject shellcode, effectively avoiding standard API calls that security vendors monitor for malicious activity.
The core of this technique relies on research originally discovered by security researcher Jean-Pierre LESUEUR (DarkCoderSc). While ReadProcessMemory is designed to read data from a specific process, it contains an [out] pointer parameter named *lpNumberOfBytesRead.
This parameter is intended to report how much data was successfully read. However, by manipulating this pointer, an attacker can force the API to write data into the process memory.
This behavior creates a “write primitive” out of a “read” function. Because the tool avoids standard memory manipulation APIs such as WriteProcessMemory or memcpy, it creates a blind spot for antivirus (AV) and EDR solutions that rely on hooking those specific functions to detect code injection.
Rust-Based Implementation for Red Teams
The Indirect-Shellcode-Executor, developed by researcher Mimorep, is a fully operational Proof of Concept (PoC) written in Rust. Unlike theoretical exploits, this tool is designed for immediate use in Red Team operations to test defensive postures.
The tool compiles specifically for 32-bit x86 (via the i686-pc-windows-msvc target) and offers three distinct attack surface scenarios for operators:
- Remote Payload Execution: The tool can fetch shellcode directly from a remote Command and Control (C2) server (e.g., hiding a payload inside a PNG file) and execute it in memory.
- Terminal Injection: Operators can pass shellcode strings or binaries directly through the command line interface for immediate execution.
- File-Based Execution: The tool can read payloads concealed within local files, such as documents or temporary files, and inject them into the process.
This tool highlights the persistent challenge facing security vendors: the Windows API is vast, and legitimate functions can often be repurposed for evasion.
By utilizing *lpNumberOfBytesRead to construct a payload byte-by-byte, the Indirect-Shellcode-Executor operates under the radar of heuristic analysis that looks for rapid memory-writing sequences.
The developer has made the tool open-source to demonstrate the vulnerability, crediting DarkCoderSc for the initial discovery of the pointer vulnerability, which was documented on the Unprotect Project.
Security teams are advised to review their API monitoring rules to account for unusual calls to ReadProcessMemory, particularly those where the output pointer targets executable memory sections.
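The following is an added detection example, not code from the article or from the Indirect-Shellcode-Executor project. It shows the two checks the advice above implies: whether a ReadProcessMemory call's lpNumberOfBytesRead out-pointer lands inside an executable region of the calling process's own address space, and whether one process issues a run of ReadProcessMemory calls whose out-pointers advance by at most one machine word, which is the footprint of a payload being assembled one count-value at a time. The trace line format, the field names, the memory map and the process IDs are all constructed for this example; real EDR telemetry carries different field names and would supply the caller's memory map from its own sensor.

```python
import re
from dataclasses import dataclass

# Constructed sample trace (hypothetical API-call telemetry, not real data).
# pid 4120 issues four one-byte reads whose out-pointers walk through an RWX region;
# pid 7712 is an ordinary read whose count lands on its stack.
SAMPLE_TRACE = """\
pid=4120 api=ReadProcessMemory hProcess=0x2a8 lpBaseAddress=0x7ffe0000 nSize=1 lpNumberOfBytesRead=0x00401000
pid=4120 api=ReadProcessMemory hProcess=0x2a8 lpBaseAddress=0x7ffe0000 nSize=1 lpNumberOfBytesRead=0x00401001
pid=4120 api=ReadProcessMemory hProcess=0x2a8 lpBaseAddress=0x7ffe0000 nSize=1 lpNumberOfBytesRead=0x00401002
pid=4120 api=ReadProcessMemory hProcess=0x2a8 lpBaseAddress=0x7ffe0000 nSize=1 lpNumberOfBytesRead=0x00401003
pid=7712 api=ReadProcessMemory hProcess=0x1f0 lpBaseAddress=0x00c30000 nSize=4096 lpNumberOfBytesRead=0x0019fe7c
pid=4120 api=WriteProcessMemory hProcess=0x2a8 lpBaseAddress=0x00402000 nSize=16
"""


@dataclass(frozen=True)
class Region:
    start: int      # inclusive
    end: int        # exclusive
    protect: str    # Windows page-protection constant name


# Constructed memory maps of the *calling* processes. lpNumberOfBytesRead is written
# in the caller's address space, so that is the map the out-pointer must be checked against.
SAMPLE_REGIONS = {
    4120: [Region(0x0019F000, 0x001A0000, "PAGE_READWRITE"),
           Region(0x00401000, 0x00402000, "PAGE_EXECUTE_READWRITE")],
    7712: [Region(0x0019F000, 0x001A0000, "PAGE_READWRITE")],
}

EXEC_PROTECTS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                 "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'key=value ...' trace line into a dict; hex and decimal values become ints."""
    fields = dict(FIELD_RE.findall(line))
    for key, value in fields.items():
        if value.startswith("0x"):
            fields[key] = int(value, 16)
        elif value.isdigit():
            fields[key] = int(value)
    return fields


def region_for(addr, regions):
    """Return the Region containing addr, or None if it is unmapped in our map."""
    for region in regions:
        if region.start <= addr < region.end:
            return region
    return None


def analyze(trace, regions_by_pid, min_run=3, word_size=4):
    """Return {pid: sorted reason tags} for processes whose ReadProcessMemory use looks abnormal.

    word_size is 4 because the page's tool targets 32-bit x86, where SIZE_T is 4 bytes.
    """
    verdicts = {}
    last_ptr = {}   # pid -> (previous out-pointer, length of the current adjacent run)
    for line in trace.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("api") != "ReadProcessMemory":
            continue
        pid, ptr = ev["pid"], ev["lpNumberOfBytesRead"]
        tags = verdicts.setdefault(pid, set())

        # Check 1: the count is being written into executable memory of the caller.
        region = region_for(ptr, regions_by_pid.get(pid, []))
        if region is not None and region.protect in EXEC_PROTECTS:
            tags.add("out_pointer_in_executable_region")

        # Check 2: successive out-pointers advance by at most one word (byte-wise assembly).
        prev, run = last_ptr.get(pid, (None, 0))
        run = run + 1 if prev is not None and 0 < ptr - prev <= word_size else 1
        last_ptr[pid] = (ptr, run)
        if run >= min_run:
            tags.add("adjacent_out_pointer_run")

    return {pid: sorted(tags) for pid, tags in verdicts.items() if tags}


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_TRACE, SAMPLE_REGIONS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

Only pid 4120 is flagged, on both grounds; the large single read from pid 7712 whose count lands on a PAGE_READWRITE stack page is the normal case and produces nothing. In production the second check needs a per-process time window and a threshold tuned against debuggers and memory scanners, which legitimately issue many small ReadProcessMemory calls but keep their out-pointer on a stack or heap variable rather than walking it through an executable allocation.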
