A newly developed offensive security tool, **Indirect-Shellcode-Executor**, exploits a previously overlooked vulnerability in the **Windows API**—specifically within the `ReadProcessMemory` function—to bypass modern **Endpoint Detection and Response (EDR)** and **Antivirus (AV)** systems. The tool manipulates the `[out]` pointer parameter (`*lpNumberOfBytesRead`), originally intended to report read data size, to instead **write malicious shellcode into process memory** without triggering traditional detection mechanisms that monitor functions like `WriteProcessMemory` or `memcpy`.The **Rust-based Proof of Concept (PoC)**, created by researcher **Mimorep**, enables **remote payload execution** (fetching shellcode from a C2 server disguised in files like PNGs), **terminal injection** (direct shellcode input via CLI), and **file-based execution** (extracting payloads from local documents). This technique creates a **blind spot** for security vendors, as it evades heuristic analysis by constructing payloads byte-by-byte under the guise of a legitimate API call.The vulnerability, initially discovered by **Jean-Pierre LESUEUR (DarkCoderSc)**, underscores a systemic risk: **legitimate Windows API functions can be weaponized** for stealthy attacks. Security teams are urged to **reassess API monitoring rules**, particularly for `ReadProcessMemory` calls targeting executable memory sections. The open-source release of the tool amplifies the threat, as adversaries may adopt it for **real-world exploits**, compromising defensive postures across enterprises relying on Windows systems.
Source: https://cybersecuritynews.com/indirect-shellcode-executor-evade-av-and-edr/
Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft
"id": "MIC5132151112625",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Cybersecurity',
'type': ['Security Vendors',
'Organizations using EDR/AV Solutions',
'Windows-based Systems']}],
'attack_vector': ['Exploitation of Windows API (ReadProcessMemory)',
'Pointer Manipulation (*lpNumberOfBytesRead)',
"Memory Injection via 'Read' Function",
'Remote Payload Fetching (C2)',
'File-Based Payload Concealment'],
'description': 'A new offensive security tool developed in Rust, named '
'Indirect-Shellcode-Executor, demonstrates a novel method for '
'bypassing modern Endpoint Detection and Response (EDR) '
'systems by exploiting an overlooked behavior in the Windows '
'API. The tool leverages the ReadProcessMemory function to '
'inject shellcode, avoiding standard API calls monitored by '
'security vendors. The technique manipulates the '
'*lpNumberOfBytesRead pointer in ReadProcessMemory to force '
"the API to write data into process memory, creating a 'write "
"primitive' using a 'read' function. This bypasses AV/EDR "
'hooks on functions like WriteProcessMemory or memcpy. The '
'tool is a fully operational Proof of Concept (PoC) for Red '
'Team operations, supporting remote payload execution (e.g., '
'fetching shellcode from a C2 server hidden in a PNG file), '
'terminal injection (direct shellcode/binaries via CLI), and '
'file-based execution (payloads concealed in local files). The '
'vulnerability was originally discovered by security '
'researcher Jean-Pierre LESUEUR (DarkCoderSc) and documented '
'on the Unprotect Project.',
'impact': {'operational_impact': 'Potential evasion of EDR/AV detection '
'mechanisms, enabling undetected shellcode '
'execution in memory. Security teams must '
'update API monitoring rules to detect '
'unusual ReadProcessMemory calls targeting '
'executable memory sections.'},
'investigation_status': 'Ongoing research; PoC tool released for defensive '
'testing.',
'lessons_learned': "The Windows API's vastness and flexibility allow "
'legitimate functions (e.g., ReadProcessMemory) to be '
'repurposed for evasion. Security vendors must expand '
"monitoring beyond traditional 'write' functions (e.g., "
"WriteProcessMemory) to include 'read' functions with "
'pointer manipulation capabilities. Open-source PoCs like '
'this highlight the need for proactive defensive updates '
'and red teaming to identify blind spots in detection '
'mechanisms.',
'motivation': ['Red Team Operations',
'Security Research',
'Proof of Concept (PoC)',
'Defensive Posture Testing'],
'post_incident_analysis': {'corrective_actions': ['Expand API monitoring to '
'include ReadProcessMemory '
'calls with unusual pointer '
'behavior.',
'Implement behavioral '
'detection for indirect '
'memory writing patterns.',
'Update defensive postures '
'based on red team testing '
'with PoC tools like '
'Indirect-Shellcode-Executor.'],
'root_causes': ['Overlooked pointer manipulation '
"vulnerability in Windows API's "
'ReadProcessMemory function '
'(*lpNumberOfBytesRead).',
'EDR/AV reliance on hooking '
'traditional memory-writing APIs '
'(e.g., WriteProcessMemory) '
"without monitoring 'read' "
'functions for write primitives.',
'Lack of behavioral detection for '
'slow, indirect memory injection '
'techniques.']},
'recommendations': ['Review and update EDR/AV rules to detect unusual '
'ReadProcessMemory calls, particularly those writing to '
'executable memory sections via pointer manipulation.',
'Monitor for indirect memory injection techniques that '
'bypass traditional hooks (e.g., WriteProcessMemory, '
'memcpy).',
'Conduct red team exercises using tools like '
'Indirect-Shellcode-Executor to test defensive postures.',
'Enhance behavioral analysis to detect slow, byte-by-byte '
'memory writing patterns that evade heuristic detection.',
'Stay informed about open-source offensive security tools '
'and research (e.g., Unprotect Project) to anticipate '
'emerging evasion techniques.'],
'references': [{'source': 'Unprotect Project (Jean-Pierre LESUEUR / '
'DarkCoderSc)'},
{'source': 'Indirect-Shellcode-Executor (Mimorep)'}],
'response': {'containment_measures': ['Review and update API monitoring rules '
'for ReadProcessMemory calls, '
'especially those targeting executable '
'memory sections.'],
'enhanced_monitoring': ['Monitor for unusual ReadProcessMemory '
'calls with *lpNumberOfBytesRead pointer '
'manipulation.']},
'title': 'Indirect-Shellcode-Executor: Novel EDR Bypass Technique via Windows '
'API Exploitation',
'type': ['EDR/AV Evasion',
'Memory Injection',
'Shellcode Execution',
'Proof of Concept (PoC)'],
'vulnerability_exploited': "Overlooked behavior in Windows API's "
'ReadProcessMemory function, specifically the '
'*lpNumberOfBytesRead [out] pointer, which can be '
'manipulated to write data into process memory '
'(write primitive via read function).'}