DarkWidow: A Customizable Dropper Tool targeting Windows

DarkWidow

This is a dropper / post-exploitation tool (it can be used in either role) targeting Windows.

Capabilities:

  1. Indirect dynamic syscalls. (MITRE ATT&CK TTP: T1106)
  2. SSN and syscall address sorting via a modified TartarusGate approach.
  3. Remote process injection via APC Early Bird, to cut off telemetry capture by EDR. (MITRE ATT&CK TTP: T1055.004)
  4. Spawns a sacrificial process as the target process, so already-open processes in the environment are not disrupted.
  5. ACG (Arbitrary Code Guard) / BlockDll mitigation policy applied to the spawned sacrificial process.
  6. PPID spoofing. (MITRE ATT&CK TTP: T1134.004)
  7. API and DLL resolving from the TIB (directly via offset: TIB -> TEB -> PEB -> resolve Nt API). (MITRE ATT&CK TTP: T1106)
  8. Cursed Nt API hashing. (MITRE ATT&CK ID: S0574)

Install & Use

Copyright (c) 2023 Soumyani1