Commit
screenshot + readme
itaymigdal committed Jan 19, 2024
1 parent e5a6ef8 commit 3d81401
Showing 2 changed files with 28 additions and 0 deletions.
Binary file added Example.png
28 changes: 28 additions & 0 deletions README.md
@@ -0,0 +1,28 @@

# LOLSpoof

LOLSpoof is a an interactive shell program that automatically spoof the command line arguments of the spawned process.
Just call your incriminate-looking command line LOLBin (e.g. `powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA....`) and LOLSpoof will ensure that the process creation telemetry appears legitimate and clear.

![](/Example.png)

> Use only for 64-bit LOLBins
## Why
Process command line is a very monitored telemetry, being thoroughly inspected by AV/EDRs, SOC analysts or threat hunters.

## How
1. Prepares the spoofed command line out of the real one: `lolbin.exe " " * sizeof(real arguments)`
2. Spawns that suspended LOLBin with the spoofed command line
3. Gets the remote PEB address
4. Gets the address of RTL_USER_PROCESS_PARAMETERS struct
5. Gets the address of the command line unicode buffer
6. Overrides the fake command line with the real one
7. Resumes the main thread

## Opsec considerations
Although this simple technique helps with command line detection, it may introduce other suspicious telemetry:
1. Creation pf suspended process
2. The new process has trailing spaces (but it's really easy to make it a repeated character or even random data instead)
3. Write to the spawned process with WriteProcessMemory

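Review bot: The intro's claim that LOLSpoof makes "the process creation telemetry appears legitimate and clear" needs a scope caveat, and the Opsec section is where it belongs: by the How steps, the real command line is written back into the remote PEB (step 6) before the main thread resumes (step 7), so only consumers that capture the command line at creation time see the spoofed value, while anything that reads the live process's PEB after resume, or that observes the memory write already listed as Opsec item 3, sees the real arguments. Stating this plainly keeps readers from overestimating what is hidden. Two grammar fixes in the same hunk: `LOLSpoof is a an interactive shell program that automatically spoof` should read `LOLSpoof is an interactive shell program that automatically spoofs`, and `Creation pf suspended process` should read `Creation of a suspended process`. The `Why` section is a single sentence about how closely the command line is monitored and never says what the tool does about it; one sentence tying it to the spoofing at creation time would make it read as finished.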
0 comments on commit 3d81401