Prerequisites
Summary
ReadDirectoryChangesW (kernel32) accepts an lpCompletionRoutine parameter (a FileIOCompletionRoutine) that is invoked, via asynchronous (overlapped) I/O, when the content of the targeted directory is modified in some way (e.g., a file is created, renamed or deleted). This can be abused to trigger shellcode execution: the attacker points lpCompletionRoutine at the shellcode buffer and then changes the watched directory, in the same way as other existing callback-based shellcode execution methods.
Either a new rule needs to be written, or the API can be added to the existing rule load-code/shellcode/execute-shellcode-via-windows-callback-function.yml if it is still considered within the scope of that rule.
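A draft of what the new rule could look like, added here as an illustration and not a rule that exists in capa-rules. It follows the capa rule format (meta/features) and uses the `api` feature mentioned above. The rule name, the inclusion of ReadDirectoryChangesExW (the newer variant that takes the same completion-routine parameter), and the extra memory-allocation/protection clause used to keep benign directory watchers from matching are my assumptions; the examples entry is a placeholder and must be replaced with a real sample hash and function address before the rule would pass capa's linter.

```yaml
rule:
  meta:
    name: execute shellcode via ReadDirectoryChangesW completion routine
    namespace: load-code/shellcode
    authors:
      - your.name@example.com   # placeholder author
    scopes:
      static: function
      dynamic: call
    references:
      - https://osandamalith.com/2025/09/25/executing-shellcode-with-readdirectorychangess-hidden-callback/
      - https://github.com/OsandaMalith/CallbackShellcode/blob/main/ReadDirectoryChanges.c
    examples:
      - 0000000000000000000000000000000000000000000000000000000000000000:0x401000   # placeholder, replace with a real sample
  features:
    - and:
      # the callback-bearing API itself; ExW is the newer variant with the same lpCompletionRoutine parameter (assumption: include both)
      - or:
        - api: kernel32.ReadDirectoryChangesW
        - api: kernel32.ReadDirectoryChangesExW
      # assumption: require an executable-memory setup in the same function so plain file watchers do not match
      - or:
        - api: kernel32.VirtualAlloc
        - api: kernel32.VirtualProtect
        - api: kernel32.HeapCreate
```

If the maintainers prefer extending the existing callback rule instead, the same `api: kernel32.ReadDirectoryChangesW` (and ExW) lines would simply be appended to that rule's `or` list of callback-taking APIs.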
Examples
Features
api
Additional context
https://osandamalith.com/2025/09/25/executing-shellcode-with-readdirectorychangess-hidden-callback/
https://github.com/OsandaMalith/CallbackShellcode/blob/main/ReadDirectoryChanges.c
Rule details
Namespace
References
Other rule meta information