← Back to Daily Briefing

Function stomping, referred to as "Trick 55," marks a strategic shift from external memory injection toward internal memory repurposing. By utilizing VirtualProtect to transition existing Read-Execute (RX) code segments to Read-Write-Execute (RWX), attackers can overwrite legitimate function prologues with malicious shellcode using memcpy. This methodology effectively bypasses EDR and AV heuristics that focus on the allocation of new, suspicious executable memory regions. By embedding the payload within the process's original memory footprint, attackers evade detection via Windows VAD or Linux /proc/self/maps, significantly increasing the forensic difficulty and analyst workload required to identify modified code segments during an investigation.

  • Research/Tooling Overview: Evolution of Memory Evasion

    • Transition from high-signal VirtualAllocEx calls to low-signal modification of existing, legitimate code segments.
    • Integration into modern offensive toolsets such as Zig-Strike and 2pack for automated payload delivery.
    • Strategic objective of maintaining a "clean" memory map to bypass heuristic-based scanning engines.
  • Technical Mechanics: The Stomping Workflow

    • Identification of target legitimate functions within the process image to serve as shellcode hosts.
    • Use of VirtualProtect() to temporarily escalate segment permissions from RX to RWX.
    • Implementation of memcpy() to overwrite the function prologue with malicious machine code.
    • Reversion of page permissions back to RX to mask the modification from basic memory scanners.
  • Impact Analysis: Evasion and Forensic Complexity

    • Significant increase in evasion success rates compared to traditional "New Memory Allocation" techniques.
    • Minimal detection footprint in memory maps, such as Windows VAD or Linux /proc/self/maps.
    • Substantial increase in forensic workload, necessitating granular integrity checks of existing code segments.
  • Defensive Strategies: Detection and Mitigation

    • Monitoring for integrity violations and permission changes within established Read-Execute (RX) pages.
    • Correlation of thread hijacking and context injection patterns following suspected memory modifications.
    • Implementation of advanced memory scanning capable of identifying deviations in legitimate function prologues.

Related posts

  1. Malware News — Malware development trick 55: Function stomping (current process). Simple C example
  2. Medium
  3. Siembiot
  4. 7h3w4lk3r
  5. Kpmg
  6. Github
  7. Av-comparatives
  8. Tenumbra
  9. Gbhackers
  10. Scribd

LINK COPIED TO CLIPBOARD