Document shellcode execution via ReadDirectoryChanges #1095

@Still34

Description

Prerequisites

  • Put an X between the brackets on this line if you have done all of the following:
    • Checked that your rule idea isn't already filed: search

Summary

ReadDirectoryChanges accepts an lpCompletionRoutine which triggers the specified routine when the targeted directory content has been modified in some way (i.e., a file has been created, renamed, deleted, etc.). This can be abused to trigger a shellcode execution similar to other existing callback-based shellcode execution methods.

Either a new rule needs to be written, or a rule can be added in place of load-code/shellcode/execute-shellcode-via-windows-callback-function.yml if it is still considered within the same scope of the rule.

Examples

Features

api

Additional context

https://osandamalith.com/2025/09/25/executing-shellcode-with-readdirectorychangess-hidden-callback/
https://github.com/OsandaMalith/CallbackShellcode/blob/main/ReadDirectoryChanges.c

Rule details

Namespace

References

Other rule meta information

Metadata
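A draft of the kind of rule the request describes, added here as an example and not a rule from the capa-rules project. The namespace, the `scopes` block and the exact `api` feature names are assumptions about the current capa rule schema; the alertable-wait and backup-semantics features are there because a completion routine can only fire from an alertable wait on a directory handle opened with FILE_FLAG_BACKUP_SEMANTICS, which is documented Windows behaviour and also true of legitimate file watchers.

```yaml
rule:
  meta:
    name: execute shellcode via ReadDirectoryChangesW completion routine
    # namespace is an assumption, chosen to sit beside the existing callback rule
    namespace: load-code/shellcode
    authors:
      - example author (placeholder)
    scopes:
      static: function
      dynamic: thread
    references:
      - https://osandamalith.com/2025/09/25/executing-shellcode-with-readdirectorychangess-hidden-callback/
      - https://github.com/OsandaMalith/CallbackShellcode/blob/main/ReadDirectoryChanges.c
  features:
    - and:
      # a directory handle must be opened with FILE_FLAG_BACKUP_SEMANTICS
      # before it can be passed to ReadDirectoryChangesW
      - or:
        - api: kernel32.CreateFileA
        - api: kernel32.CreateFileW
      - optional:
        - number: 0x02000000 = FILE_FLAG_BACKUP_SEMANTICS
      - api: kernel32.ReadDirectoryChangesW
      # the completion routine points at a buffer that was allocated or
      # re-protected as executable in the same function
      - or:
        - api: kernel32.VirtualAlloc
        - api: kernel32.VirtualProtect
      # completion routines only run once the thread enters an alertable wait;
      # legitimate file watchers do this too, so treat it as a supporting
      # feature that reduces noise, not as proof of shellcode execution
      - optional:
        - or:
          - api: kernel32.SleepEx
          - api: kernel32.WaitForSingleObjectEx
```

The `optional` nodes never cause a miss on their own; they only add context to a match, so the rule still fires when the sample reaches the directory handle or the wait through a different path.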
