Stealth metasploit loader (Elite Loader)

 

the rootkit injects a dll into ring3 software then exec the shellcode in that process.

and then unload it self.

the shellcode using xor encoding .

demo --> https://www.youtube.com/watch?v=bAdRg7QI22s