ZigStrike: New Zig-Based Shellcode Loader Revolutionizes EDR Evasion with Advanced Injection Techniques

ZigStrike is a robust shellcode loader developed in Zig, offering a variety of injection techniques and anti-sandbox features. It leverages compile-time capabilities for efficient shellcode allocation, demonstrating proven success in bypassing advanced security solutions. ZigStrike includes a custom payload builder, allowing users to easily select and construct payloads via a web application built with Python.

Zig Strike offers four injection techniques in this release, each of which is designed for specific scenarios.

Local thread injection
This technique involves hijacking a created thread, redirecting the payload execution into a dummy function and executing the payload once the thread is resumed. This option also performs function stomping through the dummy function callback which stands for loading specific windows API and stomp it’s function address.

Remote thread hijacking
This technique elevates the approach by targeting existing threads in remote processes, manipulating their execution flow through direct thread context modification. This technique uses GetThreadContext and SetThreadContext APIs to redirect the instruction pointer (RIP) to a shellcode.

Local mapping
This technique introduces a more reliable procedure by leveraging Windows’ file mapping APIs (CreateFileMappingW and MapViewOfFile) to allocate executable memory, significantly reducing suspicious memory patterns that EDR solutions typically flag. This method creates a file mapping object in memory and maps a view of this file into the process’s address space, providing a cleaner and less detectable alternative to traditional VirtualAlloc calls.

Remote mapping
This technique extends the concept of mapping to cross-process injection, utilizing MapViewOfFileNuma2 API in Zig (MapViewOfFile2) to map shellcode into the address space of remote processes.

Features

• Multiple Injection Techniques:

  • Local Thread
  • Local Mapping
  • Remote Mapping
  • Remote Thread hijacking
  • EarlyCascade injection

• Anti-Sandbox Protection:

  • TPM Presence Check.
  • Domain Join Check.
  • Run-Time protection.

• Output Formats:

  • XLL (Excel Add-in)
  • DLL
  • CPL

• Advanced Features:

  • Shellcode advanced allocation.
  • Payload Runtime protection; preventing emulation and sandbox dynamic anaylsis.
  • Bypass common detection rules.

• Front-end enhancement:
  • Added new page to view generated payloads.
  • Detailed information for each created payload.
  • Fix flask issue to support uploading large shellcode.

Install & Use