This is a quick blurb about an idea I shared on Twitter today.
When you create a child process, the system makes a combination of these two calls:
- NtAllocateVirtualMemory
- NtWriteVirtualMemory
One could intercept these calls (using a hardware breakpoint, patching, or even tracing) and, when the memory buffer is allocated, extend the allocation size, literally creating a code/data cave. Then, when the write happens, build a buffer that contains the original data meant to be written followed by an appended buffer (e.g. shellcode) that fills in the cave.
Now it is only a matter of executing the code, which could be done using GUI-based tricks (e.g. Propagate, or common Windows callback procedures).
Note: the APIs may need to be changed on a 64-bit system if the parent and child processes are of mixed architecture (NtWow64AllocateVirtualMemory64 & NtWow64WriteVirtualMemory64).
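As an added, defender-side example that is not part of the original post: once the appended shellcode in the cave has to run, it sits in committed memory that no loaded PE image backs. The script below walks a target process with VirtualQueryEx and flags committed, executable regions whose type is not MEM_IMAGE. It assumes Windows and a 64-bit Python; the constants are the documented SDK values, the classification rules in classify_region() are my own choice, and JIT-heavy processes (.NET, browsers) will produce benign hits that need triage.

```python
# Added example (not from the original post): walk a process's address space and
# flag committed, executable regions that are not backed by a mapped PE image,
# the footprint an injected buffer leaves once it is made executable.
# Assumes Windows and a 64-bit Python; classify_region() is pure logic and
# runs anywhere.
import ctypes
import sys

# Memory state / type / protection constants from the Windows SDK.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # PartitionId (WORD, present only in 64-bit SDK headers) is omitted; ctypes
    # pads AllocationProtect to 8 bytes on x64, so the layout still matches.
    # DWORD is always 4 bytes, hence c_uint32 rather than the platform c_ulong.
    _fields_ = [("BaseAddress", ctypes.c_void_p),
                ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32),
                ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32),
                ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]


def classify_region(state, mem_type, protect):
    """Return a short reason if the region warrants a look, else None.

    Only committed, executable, non-guard pages count. Image-backed code
    (MEM_IMAGE) is what loaded modules look like and is skipped. JIT runtimes
    also create private executable memory, so hits are leads, not verdicts.
    """
    if state != MEM_COMMIT:
        return None
    if protect & PAGE_GUARD or protect == PAGE_NOACCESS:
        return None
    if not protect & EXECUTABLE_MASK:
        return None
    if mem_type == MEM_IMAGE:
        return None
    if protect & PAGE_EXECUTE_READWRITE:
        return "private RWX" if mem_type == MEM_PRIVATE else "mapped RWX"
    if mem_type == MEM_PRIVATE:
        return "private executable (not image-backed)"
    return "mapped executable (not image-backed)"


def scan_process(pid):
    """Yield (base, size, protect, type, reason) for flagged regions of pid."""
    if sys.platform != "win32":
        raise OSError("scan_process needs the Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION),
                                   ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        mbi = MEMORY_BASIC_INFORMATION()
        address = 0
        # VirtualQueryEx returns 0 once the address leaves the user-mode range.
        while k32.VirtualQueryEx(handle, ctypes.c_void_p(address),
                                 ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0  # c_void_p reads NULL back as None
            reason = classify_region(mbi.State, mbi.Type, mbi.Protect)
            if reason:
                yield base, mbi.RegionSize, mbi.Protect, mbi.Type, reason
            address = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__":
    target = int(sys.argv[1])  # PID to inspect, e.g. a freshly created child
    for base, size, protect, mem_type, reason in scan_process(target):
        print(f"{base:#018x} {size:#10x} prot={protect:#05x} "
              f"type={mem_type:#09x} {reason}")
```

Run it as `python scan.py <pid>`. A cave whose pages are still non-executable is invisible to this scan, so it covers the moment the code is run rather than the allocate/write step; tracing the two calls named above, as the post itself mentions, is what gives earlier visibility.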