RCO: Process Migration

Target OS	Demo
Linux
Windows

How it works

Windows process migration works by obtaining a handle to the target process and writing shellcode to it. A remote thread is then created; the starting point of this thread is the newly written shellcode.

Linux process migration works slightly differently. After temporarily pausing the target process, RCO writes shellcode over the process’s instruction pointer. This can cause issues (the most likely of which is crashing) for the victim machine.

Using it

[Not shown in demo] Generate shellcode for the desired end result (for example, use msfvenom to generate a reverse TCP shell shellcode for the target operating system)
[Not shown in demo] Open the config file and change the shellcode to the shellcode generated in step 1
[Optional - shown in the xor_params demo] Encrypt the shellcode and target process using xor_params and update the encrypted shellcode value in the config file

[Not shown in demo] Compile the executable, only including --features xor if you did step 3

Build for Linux target

cargo build -p process_migration [antisand][,][antistring][,][xor]] --release

Build for Windows target

cargo build --target x86_64-pc-windows-gnu -p process_migration [antisand][,][antistring][,][xor]] --release

Start a netcat listener on the attacking machine on the same port you configured the shellcode to connect to in step 1
```
nc -nlvp 4444
```
Execute the payload on the victim machine
Return to the listener and enter desired commands for the victim machine to run

Detection rates

Target OS	Features	Detections
Linux	None	6 / 40
Linux	`xor`	0 / 40
Windows	None	11 / 40
Windows	`antisand`	11 / 40
Windows	`antisand,antistring`	11 / 40
Windows	`antistring`	11 / 40
Windows	`antistring,xor`	1 / 40
Windows	`xor`	1 / 40
Windows	`antisand,xor`	0 / 40
Windows	`antisand,antistring,xor`	0 / 40