Recently I was experimenting with Office macro shellcode, and it kept getting flagged/caught by EMET!
Increasingly I find myself needing Post-Exploit Shellcode fragments...
I realized, if I am executing shellcode post-exploit, there really is no reason to hunt for kernel32.dll in memory and resolve LoadLibrary, GetProcAddress, etc. ourselves...
I already HAVE access to the API in Office Macros and PowerShell.
I know, I'm slow... Should have dawned on me earlier...
Realize I am trying to exec stub shellcode to preserve existing infrastructure, Metasploit or Cobalt Strike for example.
There is a lot that could be done Post-Exploit
So, Post-Exploit shellcode execution has a different set of requirements/capabilities.
So early this morning I wrote a quick proof of concept found here:
We can let the macro or PowerShell hand the shellcode the addresses of the calls it needs. That is a more natural way to get at the API, and it is harder for EMET to pick up: the stub never has to read kernel32's export table, which is exactly the kind of access EMET's Export Address Table Filtering (EAF) is there to catch.
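To make the idea concrete, here is an added example (mine, not the proof of concept the post refers to) written in plain C so it builds and runs anywhere: the stub receives a table of function pointers from its host instead of resolving anything itself, and the host, playing the role of the macro or PowerShell, fills that table from APIs it already holds. The table layout, its leading `size` field, the return codes, and the use of libc calls as stand-ins for kernel32 calls are all assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

typedef int (*write_fn)(const char *buf, size_t len);

/* The table the host hands to the stub. Slot order and the leading size
 * field are a convention invented for this example; on Windows the host
 * (macro or PowerShell) would fill the slots with the kernel32 pointers it
 * already holds (VirtualAlloc, WriteFile, VirtualFree ...). Here the host
 * passes libc stand-ins so the example runs anywhere. */
typedef struct {
    size_t size;                 /* sizeof(api_table); lets the stub reject a stale layout */
    void *(*alloc)(size_t n);    /* stand-in for VirtualAlloc */
    void  (*release)(void *p);   /* stand-in for VirtualFree */
    write_fn write;              /* stand-in for WriteFile on a host-owned handle */
} api_table;

/* The stub. It resolves nothing: no PEB walk, no export-table parse, no
 * LoadLibrary/GetProcAddress. Everything it needs arrives through `api`.
 * The message is assembled on the stack rather than taken from a string
 * literal so the function body holds no pointer into .rodata and can be
 * copied into freshly allocated memory as a unit. */
static int stub(const api_table *api)
{
    if (!api || api->size < sizeof *api) return -2;      /* layout mismatch */
    if (!api->alloc || !api->release || !api->write) return -3;

    char msg[8];
    msg[0] = 's'; msg[1] = 't'; msg[2] = 'u'; msg[3] = 'b';
    msg[4] = ' '; msg[5] = 'o'; msg[6] = 'k'; msg[7] = '\n';

    char *buf = api->alloc(sizeof msg);
    if (!buf) return -1;
    for (size_t i = 0; i < sizeof msg; i++) buf[i] = msg[i];
    int rc = api->write(buf, sizeof msg);
    api->release(buf);
    return rc;                                           /* bytes written */
}

/* Host side: the role the Office macro or PowerShell plays in the post. It
 * already has the APIs, so it just fills the table and transfers control.
 * Here the stub is called directly; a real host would first copy the stub
 * bytes into executable memory it allocated itself. */
static int write_stdout(const char *buf, size_t len)
{
    return (int)fwrite(buf, 1, len, stdout);
}

/* Capturing sink, so a caller can inspect what the stub emitted. */
static char g_captured[64];
static size_t g_captured_len;
static int write_capture(const char *buf, size_t len)
{
    if (len > sizeof g_captured) len = sizeof g_captured;
    memcpy(g_captured, buf, len);
    g_captured_len = len;
    return (int)len;
}

int captured_equals(const char *expected)
{
    return strlen(expected) == g_captured_len &&
           memcmp(g_captured, expected, g_captured_len) == 0;
}

int run_with_host_apis(write_fn sink)
{
    api_table t = { sizeof t, malloc, free, sink };
    return stub(&t);
}

/* What happens when host and stub disagree on the table layout. */
int run_with_stale_table(void)
{
    api_table t = { sizeof t - 1, malloc, free, write_capture };
    return stub(&t);
}

int main(void)
{
    return run_with_host_apis(write_stdout) == 8 ? 0 : 1;
}
```

Build with `cc -O2 -c stub.c -o stub.o` and then check that the stub really carries nothing it would have to resolve: `objdump -dr stub.o` should show no relocations inside `stub`. A `call memcpy` or a RIP-relative load of a string literal there means the compiler pulled in something the real shellcode would have to find on its own. Getting the stub bytes into executable memory and jumping to them is still the host's job; this example only shows the hand-off of the API pointers.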
Again, this is a really rough draft, an area I continue to experiment with. But I suspect, there is a lot more to this.
Probably has application to the way we call Invoke-Shellcode.ps1, etc...
These are all Post-Exploit calls.
Time to crank out some more asm.