In 2013 Nick posted an article about Windows x64 system service hooks and advanced debugging. 2 years later Alex Ionescu published his classic Esoteric Hooks (PDF), and eventually Lasha Khasaia (@_qaz_qaz) published a POC that seemed to work as well.

All these references are pretty rare, and I must admit, I have not tested the code available, but it would be a waste if this trick was not covered one way or another, as both EDR and sandboxes could potentially be fooled by it…

How does it work?


So… if you are one of the vendors that operate in this space I hope you cover this particular call, at least.

My contribution to the topic: 0. But… Better safe than sorry.