VectoredOverloading

VectoredOverloading PoC in Rust

Author: Whitecat18

VectoredOverloading/Cargo.toml

@@ -0,0 +1,44 @@
+[package]
+name = "VectoredOverloading"
+version = "0.1.0"
+edition = "2024"
+authors = ["5mukx"]
+
+[dependencies]
+
+[dependencies.windows-sys]
+version = "0.61"
+features = [
+    "Win32_Foundation",
+    "Win32_Security",
+    "Win32_Globalization",
+    "Win32_System_Threading",
+    "Win32_System_Services",
+    "Win32_UI_WindowsAndMessaging",
+    "Win32_System_Memory",
+    "Win32_System_Registry",
+    "Win32_System_Time",
+    "Win32_System_Diagnostics_Debug",
+    "Win32_System_SystemServices",
+    "Win32_System_Environment",
+    "Win32_UI_Shell",
+    "Win32_System_LibraryLoader",
+    "Win32_System_SystemInformation",
+    "Win32_System_WindowsProgramming",
+    "Win32_System_Diagnostics_ToolHelp",
+    "Win32_UI_Input_KeyboardAndMouse",
+    "Win32_Storage_FileSystem",
+    "Win32_System_ProcessStatus",
+    "Win32_System_Kernel",
+    "Win32_System_IO",
+    "Win32_System_Diagnostics_ProcessSnapshotting",
+    "Win32_Security_Authentication_Identity",
+    "Win32_Security_Cryptography",
+    
+    "Wdk_Foundation",
+    "Wdk_System_Registry",
+    "Wdk_Storage_FileSystem",
+    "Wdk_System_SystemServices",
+    "Wdk_System_SystemInformation",
+    
+]

VectoredOverloading/README.md

@@ -0,0 +1,32 @@
+## VectoredOverloading in Rust
+
+### TLDR: 
+This poc was arrivied from the YouTube Ghost Network. which is an malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers.
+
+
+This campaign was documented and reversed by [Checkpoint Research](https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/) in that one variant of GachiLoader deploys a second stage malware, Kidkadi, that implements a novel technique for Portable Executable (PE) injection. This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload.
+
+This is an PoC of implementing that Kidkadi aka VectoredOverloading in Rust.
+
+It works by manipulating the load of a legitimate DLL using Hardware Breakpoints (HWBP) and Vectored Exception Handling (VEH) to change the DLL section object on-the-fly.
+
+Essentially, the technique does the following
+
+![POC](./image.png)
+
+* Creates a `SEC_IMAGE` mapping from a legitimate DLL (e.g. `wmp.dll`)
+* Maps a payload PE over this image memory
+* Sets its entrypoint to `0` and forces the `DLL` flag in the `FileHeader->Characteristics` field
+* Sets a HWBP on `NtOpenSection` & loads any legitimate DLL
+* When the Windows loader calls `NtOpenSection`, the VEH emulates the syscall by skipping it and replacing the `OUT` parameters, so that section object is now that of the payload. The VEH also sets a new HWBP on `NtMapViewOfSection`
+* The loader tries to map the section into memory and then triggers the VEH on `NtMapViewOfSection`
+* The VEH replaces the `OUT` parameters of the syscall and skips its execution, emulating a mapping of the malicious PE's view
+* The loading proceeds and the Windows loader now takes care of handling imports and further processing of the malicious PE image
+* The entrypoint is invoked, executing the payload
+
+
+### Credits & Reference: 
+
+* https://github.com/CheckPointSW/VectoredOverloading/tree/main
+* https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/
+