Overview

WnfExec is a C# proof of concept library that injects shellcode into a process by hijacking a WNF subscription callback then triggering a state change. There's nothing novel here and was built based on the research of others. My intent was to solidfy the concept in my head, document the journey, and provide my code along the way.

Follow me on Twitter for some more tool releases soon! @ustayready

Requirements

• .NET Framework 4.5
• x64 Shellcode
• x64 Process to inject into

Usage

byte[] shellcode = new byte[] { .... };
var client = new WNF(shellcode);
client.InjectProcess("explorer");

Prior Work/Research

As I mentioned in Beau Bullock (@dafthack) and I's talk at WWHF 2018, most of my WNF research is because I stood on the shoulders of giants that had gone before me. While the list isn't exhaustive, the following prior research and work helped me grasp the fundamentals necessary to integrate these types of techniques into the red team services we offer at CrowdStrike.

Alex Ionescu and Gabrielle Viala

• Blackhat 2019: Windows Notification Facility: Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet
• Playing with the Windows Notification Facility

Redplait Research

• WNF Notifiers
• WNF State IDs

Odzhan

• Odzhan's Process Injection

Amit Klein and Itzik Kotler

• Blackhat 2019: Process Injection Techniques - Gotta Catch Them All

Code Examples

• My Persisting .NET Payloads in WNF
• Odzhan's WNF Injection
• FuzzySec's WindfarmDynamite (super helpful example!)
• Alex/Gabby's WNFun
• Tyranid's P0 WNF Tooling