Function Stomping and Zig-Strike Evasion Techniques
Function stomping, referred to as "Trick 55," marks a strategic shift from external memory injection toward internal memory repurposing. By utilizing VirtualProtect to transition existing Read-Execute (RX) code segments to Read-Write-Execute (RWX), attackers can overwrite legitimate function prologues with malicious shellcode using memcpy. This methodology effectively bypasses EDR and AV heuristics that focus on the allocation of new, suspicious executable memory regions. By embedding the payload within the process's original memory footprint, attackers evade detection via Windows VAD or Linux /proc/self/maps, significantly increasing the forensic difficulty and analyst workload required to identify modified code segments during an investigation.