Rhydon1337/windows-kernel-dll-injector

Stars
175
Rank 218,059 (Top 5 %)
Language
C++
Created over 3 years ago
Updated over 3 years ago

Rhydon1337/windows-kernel-dll-injector

Rhydon1337

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Kernel mode to user mode dll injection

windows-kernel-dll-injector

TL;DR

Windows kernel mode to user mode dll injection

Tested on Windows x64 1909

Inject a dll to target process from kernel driver

How its works

The injection process is divided into several stages:

Attach current kernel thread to the virtual address space of the target process (KeStackAttachProcess)
Parse kernel32.dll PE header and locate LoadLibraryW function address
- Get current process PEB (PsGetProcessPeb)
- Iterate over all loaded modules and find kernel32.dll
- Parse kernel32.dll PE header in order to find the address of LoadLibraryW
Allocate and copy to target process the APC callback arguments RW (ZwAllocateVirtualMemory)
Allocate and copy to target process the APC callback RWX (ZwAllocateVirtualMemory)
Detach from target process address space (KeUnstackDetachProcess)
Find all target process threads
- ZwQuerySystemInformation(SystemProcessInformation...)
- Iterate over all processes and find the target process by its id
- Return all threads id of the target process
Inject APC to target process in order to execute our APC callback which loads the dll (KeInitializeApc & KeInsertQueueApc)

The whole process described above happens in the kernel driver. The only things that the kernel module needs are: target pid, dll file path.

Limitations

The current version supports only in x64 binaries
The current version doesn't release the APC callback or the APC callback arguments allocations

Usage

sc create DllInjector binPath= {driver_path} type= kernel

sc start DllInjector

DLLInjectorCom.exe {dll_path} {pid}

DONE!!!

linux-kernel-so-injector

Kernel mode to user mode so injection

windows-kernel-file-delete

Force a file delete using a windows kernel driver

linux-kernel-debugging

How to create a setup for linux kernel debugging using buildroot

windows-kernel-file-protector

Protect a file from being deleted using windows kernel file system minifilter driver

linux-kernel-development

Setup for linux kernel development (development, debugging automation and compiling)

windows-kernel-process-protector

Protect a process from code injection, termination and hooking

linux-kernel-patch-guard

Minimal patch guard for linux kernel

windows-kernel-process-killer

Force kill a process using windows kernel driver

linux-kernel-shadow-ssh

Hiding SSH public keys in SSH server using a kernel agent

linux-kernel-process-hider

Process hider for Linux systems using a kernel agent

linux-kernel-filesystem-filter

Linux kernel filesystem filter driver

linux-kernel-ata-sniffer

ATA command sniffer for Linux

linux-kernel-pci-enumerator

Enumrate all pci devices inside all pci buses

windows-kernel-development

Setup for windows kernel development (development, debugging automation and compiling)

windows-chrome-monitor

Monitor Chrome in order to know when a movie or TV show ends and turns off the computer automatically

windows-kernel-debugging

How to create a setup for windows kernel debugging using WinDbg and VMware Workstation

hypervisor-transparent-hook

Transparent hooks using hypervisor and kernel agent

find-executable-max-stack-size

Find binary maximum stack size usage

windows-kernel-process-initialization

Debug the early stage of process initialization using kernel mode debugging

simple-x86-bootloader

Simple x86 legacy boot bootloader

cpuid-utility

Simple exe for sending cpuid

shifts-assigner

Assign shifts to employee pool

book-list

All the books that I recently read

windows-terminal-customization

Windows Terminal Customization