• This repository has been archived on 09/Apr/2024
  • Stars
    star
    172
  • Rank 221,201 (Top 5 %)
  • Language
    C++
  • Created over 5 years ago
  • Updated over 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

a tool to make it easy and fast to test various forms of injection

Description

Single Visual Studio project that implements many injection techniques. This project was built to make it fast and easy to validate detection controls for injection techniques.

Compiling

  • Install Visual Studio Community 2015 and Windows 8.1 SDK Downloads and Old SDK Archives
  • If you are using Visual Studio 2017, you will need to install Windows Universal CRT SDK.
  • Open vulcan.sln using Visual Studio.
  • If prompted to upgrade, select "No upgrade".
  • If desired, add static shellcode for calc/msgbox using the steps in the Shellcode section of this file.
  • Compile by clicking the menu Build -> Batch Build. Click Select All. Click Build.

Usage

Use vulcan_x32.exe to inject into 32 bit processes and vulcan_x64.exe to inject into 64 bit processes.

Always use a new process for injection, otherwise the process may become unstable and crash. If you need to kill all instances of a process by name, use the following:

taskkill /F /IM <processname.exe> /T

Each technique includes an example of basic usage:

Usage: vulcan.exe -m <method> -i <input> [<process name for injection> || <full path of process to hollow>]

Method:
  100   DLL injection via CreateRemoteThread() - vulcan_x64.exe -m 100 -i dllmain_64.dll notepad.exe
  200   DLL injection via NtCreateThreadEx() - vulcan_x64.exe -m 200 -i dllmain_64.dll notepad.exe
  300   DLL injection via QueueUserAPC() (aka APC Injection) - vulcan_x64.exe -m 300 -i dllmain_64.dll notepad.exe
  400   DLL injection via SetWindowsHookEx() -  vulcan_x64.exe -m 400 -i dllpoc_64.dll notepad.exe
  500   DLL injection via RtlCreateUserThread() - vulcan_x64.exe -m 500 -i dllmain_64.dll notepad.exe
  600   DLL injection via Code Cave SetThreadContext() - vulcan_x64.exe -m 600 -i dllmain_64.dll notepad.exe
  700   Reflective DLL injection RWX - vulcan_x64.exe -m 700 -i rdll_64.dll notepad.exe
  701   Shellcode Reflective DLL injection - vulcan_x64.exe -m 701 -i srdi_dllmain_x64.dll
  800   Shellcode injection via CreateRemoteThread() - vulcan_x64.exe -m 800 -i 2 notepad.exe
  1000  Shellcode injection via QueueUserAPC() (aka APC Injection) - vulcan_x64.exe -m 1000 -i 2 notepad.exe
  1200  Shellcode injection via RtlCreateUserThread() - vulcan_x64.exe -m 1200 -i 2 notepad.exe
  1500  Shellcode injection via EarlyBird - vulcan_x64.exe -m 1500 -i 2 notepad.exe
  1600  PE Process Hollowing via NtUnmapViewOfSection() - vulcan_x64.exe -m 1600 -i C:\windows\system32\calc.exe C:\windows\system32\notepad.exe
  2000  DotNET CLR Injection - vulcan_x64.exe -m 2000 -i "hello from c++" notepad.exe

Input Options:
        File (dll or b64-shellcode) - dll and shellcode injection
        1 - calc x86 - shellcode injection
        2 - calc x64 - shellcode injection
        3 - msgbox x86 - shellcode injection
        4 - msgbox x64 - shellcode injection
        C:\\Path\\process.exe - process hollowing
        String - dotnet CLR injection

Shellcode

main.cpp includes sample shellcode for spawning calc and msgbox (x64 and x86). These can be replaced using the process below.

calc:

msfvenom -p windows/exec cmd=calc.exe -a x86 --platform windows > calc_x86.bin
msfvenom -p windows/x64/exec cmd=calc.exe -a x64 --platform windows > calc_x64.bin

msgbox:

msfvenom -p windows/messagebox text="hello world" -a x86 --platform windows > msgbox_x86.bin
msfvenom -p windows/x64/messagebox text="hello world" -a x64 --platform windows > msgbox_x64.bin

calc (exitfunc=thread):

msfvenom -p windows/exec cmd=calc.exe exitfunc=thread -a x86 --platform windows > calc_thread_x86.bin
msfvenom -p windows/x64/exec cmd=calc.exe exitfunc=thread -a x64 --platform windows > calc_thread_x64.bin

msgbox (exitfunc=thread):

msfvenom -p windows/messagebox text="hello world" exitfunc=thread -a x86 --platform windows > msgbox_thread_x86.bin
msfvenom -p windows/x64/messagebox text="hello world" exitfunc=thread  -a x64 --platform windows > msgbox_thread_x64.bin

Base64 encoded shellcode:

cat sc.bin |base64 -w 0 > b64_sc.bin

References

More Repositories

1

gokart

A static analysis tool for securing Go code
Go
2,176
star
2

noseyparker

Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
Rust
1,657
star
3

Hob0Rules

Password cracking rules for Hashcat based on statistics and industry patterns
1,441
star
4

pentestly

Python and Powershell internal penetration testing framework
Python
717
star
5

purple-team-attack-automation

Praetorian's public release of our Metasploit automation of MITRE ATT&CKâ„¢ TTPs
Ruby
713
star
6

PortBender

TCP Port Redirection Utility
C
668
star
7

DVRF

The Damn Vulnerable Router Firmware Project
HTML
668
star
8

fingerprintx

Standalone utility for service discovery on open ports!
Go
561
star
9

gato

GitHub Actions Pipeline Enumeration and Attack Tool
Python
539
star
10

trudy

A transparent proxy that can modify and drop traffic for arbitrary TCP connections.
Go
275
star
11

pyshell

PyShell makes interacting with web-based command injection less painful, emulating the feel of an interactive shell as much as possible.
Python
253
star
12

mitm-vm

An easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities.
Shell
195
star
13

gladius

Automated Responder/secretsdump.py cracking
Python
181
star
14

snowcat

a tool to audit the istio service mesh
Go
173
star
15

ADFSRelay

Proof of Concept Utilities Developed to Research NTLM Relaying Attacks Targeting ADFS
Go
171
star
16

goffloader

A Go implementation of Cobalt Strike style BOF/COFF loaders.
Go
151
star
17

trident

automated password spraying tool
Go
145
star
18

NTLMRecon

A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
Go
79
star
19

epictreasure

radare, angr, pwndbg, binjitsu, ect in a box ready for pwning
Shell
75
star
20

INTRACTABLEGIRAFFE

A Proof of Concept Rootkit Demonstrating Keylogging and Virtual File System (VFS) Capabilities
C
73
star
21

hashcatJS

An implementation of the hashcat rules engine in javascript
JavaScript
47
star
22

proxylogon-exploit

Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE in Exchange.
Python
45
star
23

slack-c2bot

Slack C2bot that executes commands and returns the output.
Go
44
star
24

ruby_hashcat

Command line wrapper, Library, and Rest API for oclHashcat.
Ruby
40
star
25

dert

DNS Enumeration and Reconnaissance Tool
Ruby
37
star
26

Matryoshka

Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.
C
37
star
27

Okta_Watering_Hole

Next Generation Phishing Tool For Internal / Red Teams
Python
35
star
28

ctf-writeups

Collection of Praetorian solutions to CTF challenges
OpenEdge ABL
25
star
29

chariot-ui

Chariot Offensive Security Platform
TypeScript
21
star
30

konstellation

Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j.
Cypher
19
star
31

bsidesaustin

Python
14
star
32

chariot-launch-nuclei-templates

12
star
33

burp-wcf-gzip

Burp extension for decoding WCF-gzipped requests.
Python
12
star
34

gcloud-lockdown

Scripts to demonstrate VPC Service Controls between tenant and shared projects
Shell
12
star
35

highlight

Text file to BMP image with box drawing and blurring from the command line
C
9
star
36

log4j-detector

Log4j detector and reporting server for scalable detection of vulnerable running processes.
Go
7
star
37

sonicwall-nsv-decrypter

C
6
star
38

aws-labs

Shell
5
star
39

tpm_bound_sa_key

Go
5
star
40

rpi-setup

set up rpi for zbwardrive
Python
5
star
41

zeroqlik-detect

A Nuclei template to detect ZeroQlik (CVE-2023-41265 and CVE-2023-41266)
4
star
42

product-frontend-interview

JavaScript
3
star
43

product-backend-interview

Java
1
star
44

praetorian-cli

CLI and SDK for interacting with the Praetorian Chariot platform
Python
1
star