Awagat Dhungana
7 posts

@4w4647
Security Researcher | Reverse Engineering • Vulnerability Research • Binary Exploitation | C/C++ • x86/x64 • Windows Internals • Malware Analysis
Lalitpur District, Nepal · Joined March 2026
33 Following · 5 Followers

Built a Windows x64 PIC shellcode template using PEB walking, ROR13 API hashing, and manual export parsing. No imports or IAT, just dynamic resolution and stack strings in .text
github.com/4w4647/Shellco…

@smgoreli @NinjaParanoid @morphisec ROR13 hashing isn’t the real issue. The problem is shellcode relying on PEB InMemoryOrderModuleList walks without properly validating kernel32.dll, and assuming a fixed loader order (ntdll -> kernel32) which isn’t reliable across environments.

@NinjaParanoid You're making it a bit too complicated. S1 uses those decoys to stop only shellcodes that are based on PEB order; name-based msf shellcodes work great. A simple change of the ror13 strings to a different formula breaks all the solutions you mentioned; @morphisec will stop those.

I think I was being a bit too polite when I posted the bypass on SentinelOne yesterday. As I said, the technique was not specific to S1, but applies to every EDR, as can be seen in the screenshot below. It's applicable to Defender ATP, Elastic, CrowdStrike, S1, Sophos and more. #BruteRatel

Just dropped GhostOps, a community-driven C2 framework.
Built to be simple, extensible, and hackable. Not focused on stealth out of the box.
If you want something you can actually modify and grow, check it out:
github.com/4w4647/GhostOps
#infosec #redteam #opensource
