FunctionStomping is a stealthy shellcode injection technique that replaces a single exported function inside a module already loaded in a target process, rather than writing a new region or overwriting a whole module, in order to evade AV and EDR detection.
The technique is provided as a C++ header, as a standalone Rust program, and as a Rust library.
The tool is used by penetration testers and red teamers to inject shellcode into a remote process without overwriting an entire module: only the bytes of one chosen function are replaced, so the rest of the module keeps working and the write is much smaller and less conspicuous than a module or section overwrite. The shellcode runs under the target process's identity once the replaced function is called, which makes the technique suitable for stealthy post-exploitation and red-team automation.
The shellcode is not executed at injection time: it runs only when the target process calls the replaced function, so pick a function the target will actually invoke, and keep in mind that every legitimate caller of that function will now execute the shellcode instead of the original code. The default shellcode pops a calculator and can be swapped for a custom payload. Because the bytes are written as-is, unmodified Metasploit/msfvenom payloads carry well-known signatures and may be flagged by some antivirus products; encrypt or otherwise alter the shellcode before embedding it. Patching a mapped module also leaves a difference between the in-memory code and the module's on-disk image, which memory-integrity scanning can detect. The technique works on most but not all functions; see the author's blog for the detailed limitations.
Clone the repository or download the source code
For C++ usage, include the functionstomping.hpp header in your project
Compile the C++ code with C++17 standard using Visual Studio 2019
For Rust usage, navigate to the functionstomping directory
Build the Rust program using `cargo b`
Run the compiled Rust executable with the target process ID as an argument
#include "functionstomping.hpp"

int main() {
    DWORD pid = 3110;        // PID of the target process; replace with your own
    FunctionStomping(pid);   // stomps the chosen function in the remote process
    return 0;
}

Example of including the C++ header and invoking the FunctionStomping function on a target process ID. The shellcode runs only once the target process calls the replaced function.
cd functionstomping
cargo b
.\target\debug\functionstomping.exe <pid>

Build and run the Rust standalone program to perform function stomping on the specified process ID (cargo places the debug build under target\debug). As with the C++ version, the shellcode executes when the target next calls the replaced function.