Injection techniques
I created this repo during my journey in learning more about the various process injection techniques. I did reuse otherβs code, but tried to improve on them or modify them to our need and better reading. The source should be indicated in the code. All of them were created with Visual Studio 2017.
Simple Thread Injection
Probably the simplest injection, it simply allocates memory in the new process, writes to it, and creates a remote thread. You can do that via 3 different APIs. Use Run: SimpleThreadInection.exe [process name] [option number] option 1 - CreateRemoteThread option 2 - NtCreateThreadEx option 3 - RtlCreateUserThread
Inject DLL - DLL injection
This is a POC for the DLL injection described here (and many other places): Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Use Run: injectdll.exe [process name] [dll path] [option number] option 1 - CreateRemoteThread option 2 - NtCreateThreadEx option 3 - RtlCreateUserThread
APC Injection
This injection uses QueueUserAPC API to start a thread in the remote process after writing a shell code to its memory. Use: APCInjection [process name]
EarlyBird injection
This is a POC for the EarlyBird injection technique as named by Cyberbit, itβs a corner case of QueueUserAPC. More details here: Hackers Found Using A New Code Injection Technique to Evade Detection
Use:
- Put the shellcode of your choice to the source file (the included one will pop cmd.exe)
- Recompile
- Run: EarlyBird.exe [any x64 binary]
SetWindowsHook injection
Also described here: Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Use: SetWindowsHookInjection.exe [window name] [dll path] [function name]
CtrlInject injection
This is a POC for the CtrlInjection found by enSilo: Ctrl-Inject
Use:
- Put the shellcode of your choice to the source file (the included one will pop calc)
- Recompile
- Run: EarlyBird.exe [PID of x64 Console Application which has a non default HandlerList (e.g.: cmd.exe)]
Inject PE - PE injection
This is a POC for the PE injection described here (and many other places): Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Use:
- Update the entryThread function as you want - that will be executed in the target
- Run: injectpe.exe [target process]
Process Hollowing
This is a POC for the Process Hollowing injection described here (and many other places): Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Works quite reliably in x86 and x64 as well, there are plenty of error checks to avoid failures. Use:
- Run: processhollowing.exe [target binary] [to be run binary]
Thread Execution Hijacking
This is a POC for the Thread Execution Hijacking described here (and many other places): Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Opposite to other POCs available, this version will inject a shell code to the target process (and not a DLL name) and will get the target to Create a thread in itself. Use:
- Put your shell code into scx86 and scx64 accordingly.
- Run: threadexecutionhijack.exe [process name]
PROPagate
This one is described here: Hexacorn | Blog I decided to release this as malware uses this technique, and we need defense people to understand how this work: RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique Β« RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique | FireEye Inc The x64 shell code will crash explorer.exe, but that will restart. I need to rewrite this code to work more generically and without a crash, but so far this is how it is. This POC is very dirty, there was a nicer one on GitHub but itβs no longer available.
7 Window message based Injection
The following 7 POCs are based on the following posts. In the light of some recent research and to bring awareness I decided to release them.
Listplanting β yet another code injection trick
Treepoline β new code injection technique
3 (4) new code injection tricks
WordWarper β (not a ) new code injection trick
- AutoCorrectProc_Injection
- EditStreamCallback_injection
- EditWordBreakProc_Injection
- HyphenateProc_Injection
- IRichEditOleCallback_Injection
- ListViewCompare_Injection
- TreeViewCompare_Injection