src/binary-exploitation/windows-vectored-overloading.md
25 additions & 0 deletions
@@ -53,6 +53,30 @@ At this point the process owns a RWX-capable view whose backing object is still
Because the syscalls are never executed, kernel callbacks (ETWti, minifilter, etc.) do not observe the suspicious `NtOpenSection`/`NtMapViewOfSection` events, drastically lowering telemetry. From the loader’s point of view everything succeeded and `amsi.dll` is in memory, so it proceeds with import/TLS resolution against the attacker’s bytes.
+
### PoC implementation notes (2025)
+
+
The public PoC shows a few practical details that are easy to miss when re-implementing the technique:
+
+
- **HWBPs are per-thread**. The PoC sets `CONTEXT_DEBUG_REGISTERS` on the **current thread** before calling `LoadLibrary`, so the VEH must run on the same thread that triggers the loader.
+
- **Syscall emulation**: the VEH sets `RAX = 0` and advances `RIP` to the `ret` inside the `ntdll` stub (it scans for `0xC3`) so the kernel transition never happens, then resumes with `NtContinue`.
+
- **Output parameters**: for `NtMapViewOfSection`, the VEH overwrites the returned `BaseAddress`, `ViewSize`, and `Win32Protect` outputs so the loader believes the mapping succeeded and continues with imports/TLS using the attacker’s view.
+
+
Minimal HWBP setup used by the PoC (x64):
+
+
```c
+
CONTEXT ctx = {0};
+
ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
+
GetThreadContext(GetCurrentThread(), &ctx);
+
ctx.Dr0 = (DWORD64)NtOpenSection;
+
ctx.Dr7 = 1;
+
SetThreadContext(GetCurrentThread(), &ctx);
+
AddVectoredExceptionHandler(1, VehHandler);
+
```
+
+
### Stealth variation
+
+
Recent VEH research highlights that handlers can be registered by **manually manipulating the VEH list** instead of calling `AddVectoredExceptionHandler`, which reduces reliance on user-mode APIs that may be monitored or hooked. This is not required for Vectored Overloading but can be combined with it to reduce observable API activity.
+
## Stage 3 – Execute the payload
-**EXE payload**: The injector simply jumps to the original entry point once relocations are done. When the loader thinks it would call `DllMain`, the custom code instead executes the EXE-style entry.
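Review bot: in the HWBP snippet the handler is registered only after the breakpoint is armed, so a hit on `NtOpenSection` between `SetThreadContext(GetCurrentThread(), &ctx);` and `AddVectoredExceptionHandler(1, VehHandler);` would be raised with no VEH in place to emulate it; move the `AddVectoredExceptionHandler` call ahead of `SetThreadContext`. Two smaller points in the same hunk: `ctx.Dr7 = 1;` enables DR0 alone (execute, 1 byte), so the snippet intercepts `NtOpenSection` but not the `NtMapViewOfSection` call that the "Output parameters" bullet says the VEH also handles; either load `Dr1` and set bit 2 of `Dr7` too, or state that the handler re-arms DR0 for the next stub. And the "scans for `0xC3`" description deserves a caveat that the first `0xC3` byte in a stub can be part of an immediate (for example the SSN in `mov eax, imm32`) rather than the `ret`, so matching the `0F 05 C3` (`syscall; ret`) sequence and advancing `RIP` past the `syscall` is the safer way to locate the resume point.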
@@ -64,5 +88,6 @@ When combined with a Node.js native addon (`.node` file), all of the Windows-int
-[Check Point Research – GachiLoader: Defeating Node.js Malware with API Tracing](https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/)
-[IBM X-Force – You just got vectored: Using VEH for defense evasion and process injection](https://www.ibm.com/think/x-force/using-veh-for-defense-evasion-process-injection)
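Review bot: the new "Stealth variation" paragraph attributes the manual VEH-list manipulation to "Recent VEH research" without an inline link, while the IBM X-Force entry in this reference list appears to be the work it refers to; cite that entry directly from the paragraph so the claim is verifiable. Also, the header `@@ -64,5 +88,6 @@` indicates one line added in this hunk, but no `+` line is visible in this view; if it is a new reference, check that it follows the same `[Title](URL)` form as the two existing entries.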