research poc
ShellGhost: Memory-Based Evasion Technique Hides Shellcode from AV/EDRShellGhost
Security researcher lem0nSec published a proof-of-concept technique called ShellGhost that keeps shellcode encrypted in memory except for the currently executing instruction, evading memory scanners. The method uses vectored exception handling and software breakpoints to decrypt and execute one instruction at a time, then re-encrypt it, preventing the full shellcode from ever being exposed in plaintext. This allows malicious code to run undetected by tools like PE-Sieve and Moneta.