Dynamic-link library injection

DLL injection is the most common form of process injection, largely because it is the easiest to implement. The injector drops a DLL on disk, writes that DLL's path into the target process, and uses CreateRemoteThread to start a thread at LoadLibrary with the path as its argument; the target's own loader then maps the DLL, resolves its imports and runs its DllMain. The price of that convenience is visibility: the DLL has to exist on disk where it can be scanned, the DLL must match the target's bitness (a 32-bit DLL cannot be loaded into a 64-bit process), and the module load is recorded by anything that watches image loads in the target.

  1. Locate a target process to inject into (CreateToolhelp32Snapshot(), Process32First() and Process32Next() to walk the process list and match on the image name).

  2. Open the target process with OpenProcess, requesting the rights the later calls need: PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ.

  3. Allocate a memory region in the target for the DLL's path (VirtualAllocEx). Read/write pages are enough, since nothing in this buffer is ever executed.

  4. Write the NUL-terminated path of the malicious DLL into that region (WriteProcessMemory). It is the path that crosses into the target, not the DLL image itself; the loader reads the file from disk.

  5. Resolve the address of LoadLibraryA (GetModuleHandle("kernel32.dll") followed by GetProcAddress). kernel32 is mapped at the same base in every process of the same bitness for the lifetime of a boot, so the address found in the injector is valid in the target. Call CreateRemoteThread with LoadLibraryA as the start routine and the remote path buffer as its parameter: the new thread executes LoadLibraryA(path), the loader maps the DLL, and DllMain runs inside the target. Waiting on the thread and reading its exit code (LoadLibrary's return value, truncated to 32 bits) tells the injector whether the load succeeded; zero means the loader refused the DLL.

Resources

  • MITRE: Dynamic-link library injection

Unseen University, 2023, with a forest garden fostered by /ut7.