____ ________ __ _
/ __ \____ ____________ ______ _________/ / ____/ _____ _______ __/ /_(_)___ ____
/ /_/ / __ `/ ___/ ___/ | /| / / __ \/ ___/ __ / __/ | |/_/ _ \/ ___/ / / / __/ / __ \/ __ \
/ ____/ /_/ (__ |__ )| |/ |/ / /_/ / / / /_/ / /____> </ __/ /__/ /_/ / /_/ / /_/ / / / /
/_/ \__,_/____/____/ |__/|__/\____/_/ \__,_/_____/_/|_|\___/\___/\__,_/\__/_/\____/_/ /_/
by pxcs ( Sulaiman )I created this repo during my journey in learning more about the various process injection techniques. I did reuse other’s code, but tried to improve on them or modify them to our need and better reading. The source should be indicated in the code. All of them were created with Visual Studio 2017.
Probably the simplest injection, it simply allocates memory in the new process, writes to it, and creates a remote thread. You can do that via 3 different APIs. Use Run: SimpleThreadInection.exe [process name] [option number] option 1 - CreateRemoteThread option 2 - NtCreateThreadEx option 3 - RtlCreateUserThread
This is a POC for the DLL injection described here (and many other places): Notes Use Run: injectdll.exe [process name] [dll path] [option number] option 1 - CreateRemoteThread option 2 - NtCreateThreadEx option 3 - RtlCreateUserThread
This injection uses QueueUserAPC API to start a thread in the remote process after writing a shell code to its memory. Use: APCInjection [process name]
This is a POC for the EarlyBird injection technique as named by Cyberbit, it’s a corner case of QueueUserAPC. More details here: Notes
Use:
- Put the shellcode of your choice to the source file (the included one will pop cmd.exe)
- Recompile
- Run: EarlyBird.exe [any x64 binary]
Also described here: Notes Use: SetWindowsHookInjection.exe [window name] [dll path] [function name]
This is a POC for the CtrlInjection found by enSilo: Notes
Use:
- Put the shellcode of your choice to the source file (the included one will pop calc)
- Recompile
- Run: EarlyBird.exe [PID of x64 Console Application which has a non default HandlerList (e.g.: cmd.exe)]
This is a POC for the PE injection described here (and many other places): Notes Use:
- Update the entryThread function as you want - that will be executed in the target
- Run: injectpe.exe [target process]
This is a POC for the Process Hollowing injection described here (and many other places): Notes Works quite reliably in x86 and x64 as well, there are plenty of error checks to avoid failures. Use:
- Run: processhollowing.exe [target binary] [to be run binary]
This is a POC for the Thread Execution Hijacking described here (and many other places): Notes Opposite to other POCs available, this version will inject a shell code to the target process (and not a DLL name) and will get the target to Create a thread in itself. Use:
- Put your shell code into scx86 and scx64 accordingly.
- Run: threadexecutionhijack.exe [process name]
This one is described here: Hexacorn I decided to release this as malware uses this technique, and we need defense people to understand how this work: Notes The x64 shell code will crash explorer.exe, but that will restart. I need to rewrite this code to work more generically and without a crash, but so far this is how it is. This POC is very dirty, there was a nicer one on GitHub but it’s no longer available.
The following 7 POCs are based on the following posts. In the light of some recent research and to bring awareness I decided to release them.
- AutoCorrectProc_Injection
- EditStreamCallback_injection
- EditWordBreakProc_Injection
- HyphenateProc_Injection
- IRichEditOleCallback_Injection
- ListViewCompare_Injection
- TreeViewCompare_Injection