PhantomCtx: A New Approach to Activation Context Hijacking for EDR Evasion

Introduction

In this post, we’ll take an in-depth look at the new tool I’ve developed to facilitate DLL hijacking in Red Team operations: PhantomCtx.

What is PhantomCtx?

PhantomCtx is a tool that automates Activation Context hijacking with the objective of loading an arbitrary DLL into the vast majority of signed executables (e.g. Microsoft, Adobe, Mozilla). The loader is presented as a modern alternative to traditional DLL Hijacking and Sideloading techniques: unlike conventional approaches where you need to find a signed vulnerable binary on the target system or rely on known vulnerable Microsoft binaries listed on pages such as HijackLibs (that are usually monitored), the tool does not require a specific binary vulnerable to DLL hijacking. ...

June 14, 2026 · 19 min · rexmax