fengjixuchui / NoRunPI

Run Your Payload Without Running Your Payload

NoRunPI: Run Your Payload Without Running Your Payload
Since "SettingSyncHost.exe -Embedding" starts a thread at "SHCore.dll!Ordinal172+0x100", we can hijack the flow before this thread starts. To do that:

  • Load shcore.dll to calculate the thread's entry address
  • Create the "SettingSyncHost.exe -Embedding" process
  • Brute-force the calculated address (stop when it is valid)
  • Suspend the process
  • Inject the payload at the calculated address
  • Resume the process
  • $$

DEMO: two screenshots of the technique in the original repository (images not included here).


Note that this is an idea more than a stable PoC of a process injection technique. You can find a lot of such processes (ones that create such threads) and implement your own code the same way for the same result (for example, on my machine the same process also has a thread on combase.dll!InternalTlsAllocData+0x70).
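From the defender's side, the sequence the README describes (create the process, probe it, suspend it, write into it, resume it) is what telemetry should correlate. The toy detector below is an added example, not code from the NoRunPI repository; its event schema and the event records are constructed for illustration, so real ETW or EDR data has to be mapped onto it first.

```python
"""Toy detector for the create/suspend/write/resume pattern described above.
Added example, not part of NoRunPI. The Event schema and SAMPLE records are
constructed assumptions, not real telemetry."""
from dataclasses import dataclass

@dataclass
class Event:
    seq: int          # ordering of the record in the feed
    actor: int        # pid performing the action
    target: int       # pid acted upon (or the pid that was created)
    op: str           # "create", "suspend", "write", "resume", "read", ...
    detail: str = ""  # command line for "create", free text otherwise

# Order in which the suspicious operations must appear for one (actor, target).
EXPECTED = ["create", "suspend", "write", "resume"]

def find_thread_hijack_sequences(events):
    """Return (actor, target) pairs where one process created a
    'SettingSyncHost.exe -Embedding' process and then suspended it, wrote
    into its memory and resumed it, in that order. Other ops (e.g. the
    address-probing reads) are ignored rather than resetting the state."""
    progress = {}  # (actor, target) -> index of the next op we wait for
    hits = []
    for ev in sorted(events, key=lambda e: e.seq):
        key = (ev.actor, ev.target)
        if ev.op == "create":
            cmd = ev.detail.lower()
            if "settingsynchost.exe" in cmd and "-embedding" in cmd:
                progress[key] = 1
            continue
        want = progress.get(key)
        if want is not None and ev.op == EXPECTED[want]:
            if want + 1 == len(EXPECTED):
                hits.append(key)
                del progress[key]
            else:
                progress[key] = want + 1
    return hits

SAMPLE = [  # constructed events, not real telemetry
    Event(1, 4242, 5151, "create", "SettingSyncHost.exe -Embedding"),
    Event(2, 4242, 5151, "read"),     # probing the computed address
    Event(3, 4242, 5151, "suspend"),
    Event(4, 4242, 5151, "write", "payload written to computed address"),
    Event(5, 4242, 5151, "resume"),
    Event(6, 900, 6000, "create", "SettingSyncHost.exe -Embedding"),  # benign launch
    Event(7, 900, 6000, "resume"),    # no suspend/write first: not flagged
]

if __name__ == "__main__":
    print(find_thread_hijack_sequences(SAMPLE))  # [(4242, 5151)]
```

The benign launch in SAMPLE is there on purpose: this process is normally started by COM activation, so the cross-process write is what carries the signal, not the process creation alone.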

About

Run Your Payload Without Running Your Payload

License: MIT License

Languages

Language: C 100.0%