Skip to content

Nero22k/Process-Injections-Techniques

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
AsyncCalls.cpp
AsyncCalls.cpp
 
 
Classic.cpp
Classic.cpp
 
 
NtMapView.cpp
NtMapView.cpp
 
 
README.md
README.md
 
 
ThreadHijack.cpp
ThreadHijack.cpp
 
 
py3_AES.py
py3_AES.py
 
 

Repository files navigation

Different Process Injections Implemented In C++

[Basic process injection, detected by most EDP and anti-virus software]

  • Classic (CreateRemoteThread):
    • OpenProcess/CreateProcess: Get a handle to a running or newly created process.
    • VirtualAllocEx: Allocate memory in the remote process.
    • WriteProcessMemory: Write shellcode to the remote process.
    • NtCreateThreadEx/RtlCreateUserThread/CreateRemoteThread: starts a thread in the remote process with the start address of the shellcode.

[ThreadHijacking injection, targets an existing thread of a process and avoids any noisy process or thread creations operations. Bypasses some anti-virus solutions]

This technique often results in crashing the target process

  • ThreadHijacking (SuspendThread):
    • SuspendThread: Suspend the thread we want to hijack.
    • OpenProcess: Get a handle to a running process.
    • CreateToolhelp32Snapshot: create a snapshot of target process threads.
    • VirtualAllocEx: Allocate memory in the remote process.
    • WriteProcessMemory: Write shellcode to the remote process.
    • GetThreadContext: Retrieve the current thread context.
    • SetThreadContext: Update instruction point for thread to shellcode.
    • ResumeThread: Resume the hijacked thread.

[MapView process injection, shares a section view with a target process then spawns new thread and executes the payload inside the process. Can be used for AV evasion]

  • MapView (NtMapViewOfSection):
    • NtCreateSection: Creates new section that is shared between the process.
    • NtMapViewOfSection: Create a local section view.
    • memcpy: Copy the paylod in the section.
    • NtMapViewOfSection: Create remote section view.
    • RtlCreateUserThread: Create a remote thread in the target process and point it to the mapped view in the target process to trigger the shellcode

[APC (Asynchronous Procedure Calls) queue code injection - Payload is executed when process enters into alertable state]

  • APC Queue (QueueUserAPC):
    • VirtualAllocEx: Allocate memory in the remote process.
    • WriteProcessMemory: Write shellcode to the remote process.
    • OpenProcess: Get a handle to a running process.
    • QueueUserAPC: Adds async procedure call (APC) object to thread's APC queue
    • CreateToolhelp32Snapshot: create a snapshot of target process threads.

About

Variety of different process injections implemented in C++

Topics

cpp malware python3 shellcode evasion process-injection

Resources

Readme
Activity

Stars

22 stars

Watchers

3 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages