Process Injection
The idea is to build a modular, object-oriented library where the user effectively calls Inject(AllocationType alloc, InjectionType technique, PayloadType payload). Each of those Type classes is a base class, and subclasses of each provide the concrete functionality. The Inject function uses the allocation technique to make the payload available to the target process, then calls the injection class's ExecutePayload(Process proc, PayloadType payload1) function to run the payload. Each InjectionType subclass implements the execution logic for each PayloadType it supports. If the injection technique doesn't support the payload type, ExecutePayload fails with a PayloadTypeNotSupported exception. If it does, it runs the payload using whatever options were specified when the object was instantiated. Each InjectionType is essentially a technique relying on a different set of API calls, and each would implement at least three variants. Each variant is rated for Reliability and OpSec: one that is High Reliability / Low OpSec, one that is Medium on both, and one that is Low Reliability / High OpSec.
The three techniques I was going to implement are: 1) Remote Thread Creation, 2) APC Injection, and 3) Thread Hijacking (Suspend, Inject, Resume).
Remote Thread Creation:
- Create a thread in the target process using NtCreateThreadEx and a start address of your payload.
- Create a suspended thread in the target process using NtCreateThreadEx with a start address of RtlExitUserThread. Queue an APC on the thread. Resume the thread. The shellcode should execute. Less covert than normal APC injection because a remote thread is created, but less suspicious than normal remote thread creation because the created thread has a legitimate start address.
- Create a suspended thread in the target process using NtCreateThreadEx and a valid start address, such as RtlUserThreadStart. Hijack it using NtSetThreadContext to execute your payload in the memory of the remote process.
APC Injection:
- Attempt to find alertable threads using AtomBombing. Inject into a random alertable thread in the target process if there are multiple. Default Option.
- Attempt to find alertable threads using context analysis. Inject into a random alertable thread.
- Queue APC on all threads in the target process. Highly reliable, but not OpSec friendly.
May replace option 2 with: Queue an APC on a random thread without performing any detection for an alertable state. Not reliable, but very quiet.
Thread Hijacking: Have options for what event to resume the hijacked thread on. Either use a timer, add some PIC to the payload to run it in a new thread using CreateThread, or add some PIC to the payload to use some sort of event/mutex.
- Hijack a random thread in the target process using NtSetThreadContext. After the event is triggered, restore the original context and resume it. Moderately safe and reliable.
- Only hijack suspended threads in the target process. If there are multiple suspended threads, choose a random one. If there are no suspended threads, do nothing. After the event is triggered, restore the original context and resume it. OpSec safe, but not reliable.
- Suspend all threads. Pick a random one, and hijack it. After the event is triggered, restore the original context and resume it. This is not as OpSec safe, but is reliable for execution.
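The variants above are written from the injector's side. As an added example (not part of this project's code), here is the detection-side counterpart: a scan over Sysmon-style Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) records for the footprint the remote-thread and hijacking variants leave, rated per source/target pair. The Sysmon field names and the winnt.h access-mask constants are real; the sample events, the allowlist and the severity rules are constructed for this example.

```python
"""Detection-side view of the variants above: scan simplified Sysmon Event ID 8
(CreateRemoteThread) and Event ID 10 (ProcessAccess) text, one "Key: Value" per
line with a blank line between events, for the footprint they leave. Field names
follow Sysmon; the events themselves are constructed for this example."""
from collections import defaultdict

# Process access-mask bits from winnt.h.
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020
STAGING_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE  # needed to write a payload
# Start functions the design above gives a suspended remote thread so that it has a
# legitimate-looking start address before an APC or NtSetThreadContext redirects it.
DECOY_START_FUNCTIONS = {"RtlExitUserThread", "RtlUserThreadStart"}
# Constructed allowlist: images expected to hold staging rights on other processes.
ALLOWLISTED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Constructed sample: pid 4212 opens explorer.exe (pid 1337) with full access, then
# creates two remote threads in it; the allowlisted csrss.exe open is a benign control.
SAMPLE_LOG = r"""EventId: 10
SourceProcessId: 4212
SourceImage: C:\Users\demo\AppData\Local\Temp\updater.exe
TargetProcessId: 1337
GrantedAccess: 0x1FFFFF

EventId: 8
SourceProcessId: 4212
TargetProcessId: 1337
StartModule:
StartFunction:

EventId: 8
SourceProcessId: 4212
TargetProcessId: 1337
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: RtlExitUserThread

EventId: 10
SourceProcessId: 624
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessId: 1337
GrantedAccess: 0x1FFFFF
"""


def parse_events(text):
    """Split the rendered text into one dict per event (blank line separates events)."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = (line.partition(":") for line in block.splitlines())
        events.append({key.strip(): value.strip() for key, _, value in fields})
    return events


def assess_remote_thread(ev):
    """Event ID 8. Return a reason string, or None when the thread looks benign."""
    if ev.get("SourceProcessId") == ev.get("TargetProcessId"):
        return None  # ordinary in-process CreateThread
    if not ev.get("StartModule"):
        return "remote thread start address is not backed by any loaded module"
    func = ev.get("StartFunction", "")
    if func in DECOY_START_FUNCTIONS:
        return f"remote thread created at {func}; consistent with a suspended decoy thread"
    return None


def assess_process_access(ev):
    """Event ID 10. Return a reason string when the handle could stage a payload."""
    if ev.get("SourceImage", "").lower() in ALLOWLISTED_SOURCES:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & STAGING_RIGHTS != STAGING_RIGHTS:
        return None
    return f"handle with VM_OPERATION|VM_WRITE (0x{granted:X}) to another process"


def scan(text):
    """Run the per-event checks and return one finding per suspicious event."""
    checks = {"8": assess_remote_thread, "10": assess_process_access}
    findings = []
    for ev in parse_events(text):
        check = checks.get(ev.get("EventId"))
        reason = check(ev) if check else None
        if reason:
            findings.append({"event_id": int(ev["EventId"]), "source_pid": ev["SourceProcessId"],
                             "target_pid": ev["TargetProcessId"], "reason": reason})
    return findings


def correlate(findings):
    """Rate each (source, target) pair: a staging handle plus a remote thread is the full
    remote-thread sequence from the design (high); either alone is medium. The pure APC
    and hijack-an-existing-thread variants create no thread, so only Event ID 10 shows."""
    pairs = defaultdict(lambda: {"event_ids": set(), "reasons": []})
    for f in findings:
        entry = pairs[(f["source_pid"], f["target_pid"])]
        entry["event_ids"].add(f["event_id"])
        entry["reasons"].append(f["reason"])
    return {pair: {"severity": "high" if {8, 10} <= p["event_ids"] else "medium",
                   "reasons": p["reasons"]} for pair, p in pairs.items()}
```

Two points follow directly from the design above. The decoy start address defeats a check that only looks at whether StartModule is a known image, so the signal is the combination of cross-process origin and one of those particular start functions, not the module alone. And the variants the design rates as highest OpSec (APC on an existing alertable thread, hijacking an existing or suspended thread) never produce an Event ID 8 at all; the handle open with write rights is the only hook left, which is why the allowlist has to be kept narrow.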