A collection of PoCs for different injection techniques on Windows!
Injection is one of the most common techniques malware authors use to run malicious code on a victim system in the context of another program. This is very useful because it can often help to avoid a defender's prying eyes.
For example, Explorer making web requests to an external server is considered normal behavior, whereas a rogue executable or C2 payload doing the same raises alerts all around.
In this repository, we discuss some of the most popular injection techniques and look into some code for each. The different kinds of injection techniques we talk of in this blog are as follows:
Name | Description |
---|---|
Shellcode Injection | Inject shellcode directly into a process's memory |
Dll Path Injection | Force remote process to load a malicious Dll |
Thread Context | Hijack remote process's thread to execute malicious shellcode |
APC | Use APC calls to run Remote payload Asynchronously |
Earlybird | A modification of the APC technique |
Section Views | Use shared memory sections to deliver payloads |
Though I have tried to be verbose with the techniques here, it is highly recommended that the reader is familiar with the basics of C programming on Windows and is familiar with the commonly used functions like VirtualAlloc()
, VirtualProctect()
, GetProcAddress()
, GetModuleHandle()
, etc.
I have also tried to be as descriptive as possible with the different parameters I pass to functions but I would still suggest looking up MSDN for each new function you come across.
Windows Message Box
payload which says "Hello World!"
, unless mentioned otherwise.README
files are not "clean codes", and lack error checking mechanisms for the sake of simplicity. Refer to the source files for more robust code.find_pid()
and find_threadid()
have been reused over and over again.TARGET
macro expands to notepad.exe
, unless specifies, and denotes the target process to inject into.IS_HANDLE_INVALID
macro checks if a HANDLE
value is invalid , i.e, if it is equal to NULL
or INVALID_HANDLE_VALUE