Process Injection Tool Updates

Written by on

Hello All,

In the post I will highlight few updates that are made to improve the code base & add long pending features to the Process Injection Tool that I wrote for learning about various Process Injection techniques and to enhance my knowledge about C# and Windows API.

The tool for process injection can be found on my Github. https://github.com/3xpl01tc0d3r/ProcessInjection

New Features:

1) Encryption - Added XOR & AES encryption support with custom key that needs to be passed to decrypt the shellcode at runtime. To encrypt the shellcode I have wrote another tool Obfuscator. I have wrote another short blog post for Obfuscator tool that can be found here. The tool currently only supports XOR & AES encryption. Obfuscated shellcode might help operator's to evade static detection while trying to inject the shellcode into remote process. 

Required parameters to leverage Encryption:

/enc : This parameter is used to specify the encryption type(xor or aes).
/key : This parameter is used to specify the key that will be used to decrypt the shellcode.

2) RAW Shellcode - The tool now also accepts the shellcode in raw format. This might be helpful for user's who want's to directly pass the shellcode file generated from tools such as Donut without converting or encoding it to any specify readable format such as c,csharp or base64 encoding. 

Required parameters to leverage RAW Shellcode:

/f : This parameter is used to specify the format of the shellcode. To leverage RAW shellcode feature just pass raw as the value to format parameter

3) Fetch shellcode remotely - The operator can now host the shellcode on the remote server & the tool can fetch the shellcode from the specified URL at runtime and inject the same into the remote process. 

Required parameters to fetch shellcode remotely:

/url : This parameter is used to specify the URL of the shellcode that is hosted remotely.

General Updates:

Revised the code logic to reduce the duplicated code. 
Removed the additional technique id's that were needed for leveraging Parent Process ID Spoofing evasion technique with various process injection techniques. Now the tool will checked for /ppath & /parentproc parameters to leverage Parent Process ID Spoofing technique with various process injection techniques.

Demo

Help


1) XOR encrypted shellcode with vanilla process injection technique :-


2) AES encrypted shellcode with vanilla process injection technique :-


3) Fetch raw shellcode remotely :-
For this demo we will use Covenant C2 framework that has a shellcode launcher & we will leverage Covenant feature to host the shellcode file.
Note:- In this post I will not cover the steps of creating the shellcode launcher and hosting the same in Covenant.


Feel free to provide me the feedback on twitter @chiragsavla94

Thanks for reading the post.

Special thanks to all my friends who help / supported / motivated me for writing blogs. 🙏

Comments

Post a Comment

Popular posts from this blog

Process Injection - Part I

Written by on
Image
Hello All, After publishing the post about Dumping Process Memory with Custom C# Code my friend Himanshu suggested me to write a tool & a blog post about Process Injection for learning and he referenced his post about Code Injection which covers the concept about the vanilla process injection technique. It was quite interesting to learn and understand the core concepts about Process Injection techniques and as a learning path to code in c# leveraging Windows API I started writing the tool for Process Injection. What is Process Injection ? Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Why Process Injection ?
Read more

Introduction to Callidus

Written by on
Image
Hello All, Performing Red Team assessments are becoming challenging day by day. In mature environments we see a lot of custom tool development and new techniques are getting discovered by the community to overcome various challenges. While thinking about such challenges, I came up with the idea of creating a tool that can leverage legitimate services for establishing command & control communication channel which is likely to be whitelisted or are less monitored due to the nature of services used by the corporate environments. This is not a new technique, we have already seen similar projects that were developed to leverage legitimate services for command & control. Communication channels such as Slackor for Slack C2, DaaC2 for Discord C2 or  Domain Fronting techniques etc. In this post I will introduce you to a tool called "Callidus" which I created to learn & to improve my knowledge about developing custom toolset in C# and learning how to leverage
Read more

Exploring the Dark Side of Package Files and Storage Account Abuse

Written by on
Image
 Hello All, In this blog, we dive into the dark side of package files and Storage Account abuse within the Azure Function App service. We explore how package files can be leveraged to enhance the functionality of the Functions Apps, shedding light on the potential abuse of package files. By examining the connection between the Function App and Storage Account, we uncover how attackers can abuse the Storage Account's connection string to gain unauthorized access to the Function Apps. We will provide step-by-step insights into replacing binary files and deploying custom code, enabling attackers to take control of the Function App.  The research was jointly done by  Raunak and myself . What are Function Apps? Function Apps (Lambda in AWS) are serverless computing services provided by Azure Cloud. They allow developers to build and deploy small, functions that can be triggered by events such as simple HTTP request. Function Apps provide an environment for executing our code without th
Read more