MapView Sections & Views Code Injection

Feb 20, 2026
24:12

New to Maldev? Start with our Maldev 101 foundational series before diving in: https://www.rbtsec.com/blog/category/maldev/

⚠️ CORRECTION: At timestamp 18:52, the Process ID shown is 1688; this is incorrect. The correct PID is 4568. Using 1688 will spawn a new unintended process rather than attaching to the target. Please use PID 4568 when following along at that section. All other steps remain accurate.

In this video demonstration, we break down MapView (Sections & Views) Code Injection, a stealthy technique used to evade Microsoft Defender and establish a Sliver C2 session. By leveraging shared memory sections and mapping views between processes, we demonstrate how to "slide" shellcode into a target like notepad.exe without using WriteProcessMemory. This bypasses the primary API hooks modern EDRs rely on for detection.

Once the Sliver payload established a session, we transitioned into the post-exploitation phase. We used the info command to confirm the user context and utilized the Armory to load Seatbelt for system enumeration. We also highlight Sliver's execute-assembly feature, demonstrating how fork and run methods with PPID spoofing and self-process injection allow for built-in AMSI and ETW bypasses.

This demo is focused on behavior and technique, helping defenders understand how offensive research is used to build a better security posture. At RBT, we transform "how to hack" into "how to defend."

Like & Subscribe for more real-world offensive security research from RBT Security.

Follow Us:
Discord: https://discord.gg/UnHBp9FuGK
LinkedIn: https://www.linkedin.com/company/rbtsecurity/
Twitter: https://twitter.com/RBTSecurity
Facebook: https://www.facebook.com/RBTSecur1ty/
GitHub: https://github.com/rbtsecurity/

Contact Us: For business inquiries and collaborations, please email us at [email protected]

Educational Disclaimer: All content is intended for educational purposes only, to promote ethical hacking and security research.
#RedTeam #Maldev #ProcessInjection #WindowsInternals #OffensiveSecurity #RBTSecurity #CodeInjection #MapViewCodeInjection
