Injection techniques

I created this repo during my journey in learning more about the various process injection techniques. I did reuse other’s code, but tried to improve on them or modify them to our need and better reading. The source should be indicated in the code. All of them were created with Visual Studio 2017.

Simple Thread Injection

Probably the simplest injection, it simply allocates memory in the new process, writes to it, and creates a remote thread. You can do that via 3 different APIs. Use Run: SimpleThreadInection.exe [process name] [option number] option 1 - CreateRemoteThread option 2 - NtCreateThreadEx option 3 - RtlCreateUserThread

Inject DLL - DLL injection

This is a POC for the DLL injection described here (and many other places): Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Use Run: injectdll.exe [process name] [dll path] [option number] option 1 - CreateRemoteThread option 2 - NtCreateThreadEx option 3 - RtlCreateUserThread

APC Injection

This injection uses QueueUserAPC API to start a thread in the remote process after writing a shell code to its memory. Use: APCInjection [process name]

EarlyBird injection

This is a POC for the EarlyBird injection technique as named by Cyberbit, it’s a corner case of QueueUserAPC. More details here: Hackers Found Using A New Code Injection Technique to Evade Detection

Use:

Put the shellcode of your choice to the source file (the included one will pop cmd.exe)
Recompile
Run: EarlyBird.exe [any x64 binary]

SetWindowsHook injection

Also described here: Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Use: SetWindowsHookInjection.exe [window name] [dll path] [function name]

CtrlInject injection

This is a POC for the CtrlInjection found by enSilo: Ctrl-Inject

Use:

Put the shellcode of your choice to the source file (the included one will pop calc)
Recompile
Run: EarlyBird.exe [PID of x64 Console Application which has a non default HandlerList (e.g.: cmd.exe)]

Inject PE - PE injection

This is a POC for the PE injection described here (and many other places): Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Use:

Update the entryThread function as you want - that will be executed in the target
Run: injectpe.exe [target process]

Process Hollowing

This is a POC for the Process Hollowing injection described here (and many other places): Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Works quite reliably in x86 and x64 as well, there are plenty of error checks to avoid failures. Use:

Run: processhollowing.exe [target binary] [to be run binary]

Thread Execution Hijacking

This is a POC for the Thread Execution Hijacking described here (and many other places): Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques | Endgame Opposite to other POCs available, this version will inject a shell code to the target process (and not a DLL name) and will get the target to Create a thread in itself. Use:

Put your shell code into scx86 and scx64 accordingly.
Run: threadexecutionhijack.exe [process name]

PROPagate

This one is described here: Hexacorn | Blog I decided to release this as malware uses this technique, and we need defense people to understand how this work: RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique « RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique | FireEye Inc The x64 shell code will crash explorer.exe, but that will restart. I need to rewrite this code to work more generically and without a crash, but so far this is how it is. This POC is very dirty, there was a nicer one on GitHub but it’s no longer available.