Hello again everyone! Hope the start to the new year is treating you well. I am excited to share a new blog post with you! Furthermore, I’d consider the content shared in today’s post to be the most time I’ve spent in researching a particular offensive security topic/technique 😹 I’d say I spent well over a month looking into this exciting topic and I wanted to make sure I had all my research completed before I jumped in to making a post. Without further ado, I give you my take on what I’d like to call: Living off the Process! This is a technique that does as the name implies: We use what is already available to us in the remote process of our choosing to accomplish a given goal. In this case, the goal will be to write shellcode indirectly into the remote process with as low of a footprint as possible. When I say indirectly, I mean we won’t be using WriteProcessMemory to write the shellcode. That API does play a small role, but ultimately we will be indirectly writing our shellcode in 8 byte chunks using ROP gadgets and assembly stubs all made available in the remote process. We will also avoid the creation of RWX regions of memory. Here’s a quick overview on how it all works. We will be looking for: