)
Undergrowth is a malware POC templating tool. Useful if you want to try to invoke shellcode from disk or reflection it in more evasive ways.
Undergrowth uses 128-bit AES encryption and a randomly generated IV to encrypt shellcode then decrypt it in memory. Templates may be private or public.
- CreateRemoteThread
- MapViewofSection
- UUID
- APCQueueInject
- SRDI
- Loaded DLL Hollowing
- Phantom DLL Hollowing
- Fiber Shellcode Execution
- ACG Functionality
- Dynamically resolved syscalls
- Non Emulated API execution support
For a better understanding of the 'why' review: https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners