Shellcode Injection Techniques: collection of C# shellcode injection techniques
Shellcode Injection Techniques
A collection of C# shellcode injection techniques. All techniques use an AES encrypted meterpreter payload.
I will be building this project up as I learn, discover or develop more techniques.
Note: The project is not intended to be used as-is. If you are going to use any of the techniques there is a better chance of bypassing AV if you create a smaller, customised project with your chosen technique.
If you do use any of the code in these repositories keep it legal!
You can use a PowerShell assembly injection technique if you want to avoid writing .Net binaries to disk.
ShellcodeRunner.cs: This technique isn’t strictly an injection technique (because we execute the shellcode in the same process) but is the simplest of all techniques. We ensure the shellcode uses a fixed memory location in an
unsafe context. We change the protection on the page where the shellcode is located so we can execute it. We then use a C# delegate function to execute the shellcode.
ClassicInjection.cs: This technique allocates memory in the target process, injects the shellcode, and starts a new thread.
ThreadHijack.cs: This technique hijacks a thread by injection code into the target process, suspends the hijacked thread, sets the instruction pointer (RIP) to our injected code, and then resumes the thread.
Local Thread Hijacking
LocalThreadHijack.cs: This technique creates a new local thread in a suspended state, we then hijack the thread, set the instruction pointer (RIP) to our injected code, and then resume the thread.
Asychronous Procedure Call Injection
ACPInjection.cs: This technique is similar to the Thread Hijacking technique. We inject the shellcode into a remote thread, then queue an APC object in the thread. When the thread enters an alertable state (when it calls SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, or WaitForSingleObjectEx) it runs our shellcode pointed to by our queued APC object.
ProcessHollow.cs: This technique starts another process in the suspended state (svchost.exe), finds the main thread entry point, injects our shellcode into it then resumes the thread.
Inter-Process Mapped View
InterProcessMappedView.cs: This technique creates a new section in memory, creates a local mapped view of the section, copies our shellcode into the local mapped view, and creates a remote mapped view of the local mapped view in the target process. Finally, we create a new thread in the target process with the mapped view as the entry point.
AtomBomb.cs: This technique is interesting in how we write shellcode to the target process. We use the Global Atom Table which allows us to write null-terminated strings with a maximum size of 255 bytes. We find a code cave to write our shellcode to, then use APC calls to trigger the target process to read the Atom Names into memory. Finally, we use a couple of APC calls to change the memory protection of the target and execute the shellcode.
My code differs from the original Atom Bombing technique, written in C/C++. First, I chain Atom Names together, using multiple APCs, to form a shellcode of larger than 255 bytes. I don’t use ROP chains to force the target process to call VirtualProtect and then execute the code, I use the APC queue.
This code requires the main thread to enter an alertable state in order to execute the APC queue and I do not clean up after the shellcode execution, the target process becomes unstable. I plan to improve on this technique (by searching for alertable threads and cleaning up afterward), but as a PoC it works well.
The Atom Bombing technique places null-terminated strings in the Global Atom Table, this means you must use a shellcode that doesn’t have 0x00 characters in it.
Remember you will need to start a process to inject to, except when using the shellcode runner, local thread hijack technique, or the process hollowing technique (this technique starts a new process in the suspended state).
When using the shellcode runner, local thread hijack technique, or the process hollowing technique you will need to comment out the code in Program.cs that looks for the process to inject into: