POCs for Shellcode Injection via Callbacks

Overview

Callback_Shellcode_Injection

POCs for Shellcode Injection via Callbacks.

Working APIs

1.  EnumTimeFormatsA            Works
2.  EnumWindows                 Works
3.  EnumDesktopWindows          Works
4.  EnumDateFormatsA            Works
5.  EnumChildWindows            Works
6.  EnumThreadWindows           Works
7.  EnumSystemLocales           Works
8.  EnumSystemGeoID             Works
9.  EnumSystemLanguageGroupsA   Works
10. EnumUILanguagesA            Works
11. EnumSystemCodePagesA        Works
12. EnumDesktopsW               Works
13. EnumSystemCodePagesW        Works

Detection:

System Event Logs

Credits:

@bofheaded & @0xhex21


Comments
  • CallWindowProc.cpp

        // CallWindowProc: the function pointer passed as the window procedure is
        // called directly, so the allocated buffer is executed as code.
        #include <windows.h>
        #include <stdio.h>
        #include <string.h>

        int main(void)
        {
            // 32-bit decode: xor eax,eax ; dec eax ; js +0 ; ret  -> returns -1 (nonzero).
            // 64-bit decode: 0x48 becomes a REX prefix on the js, eax stays 0 -> returns 0.
            char shellcode[] =
                "\x31\xC0\x48\x0F\x88\x00\x00\x00\x00\xC3";

            PVOID fnPtr = VirtualAlloc(
                NULL,
                sizeof(shellcode),
                MEM_COMMIT | MEM_RESERVE,
                PAGE_EXECUTE_READWRITE);
            if (fnPtr == NULL) {
                printf_s("VirtualAlloc failed: %lu\n", GetLastError());
                return 1;
            }

            memcpy(fnPtr, shellcode, sizeof(shellcode));

            // The LRESULT is the value left in eax/rax by the stub above.
            bool is32bit = CallWindowProcA((WNDPROC)fnPtr, 0, 0, 0, 0) != 0;

            printf_s(
                "in 32bit env: %hs\n", is32bit ? "yep" : "nope"
            );

            VirtualFree(fnPtr, 0, MEM_RELEASE);
            return 0;
        }

    regarded as one, maybe.

    opened by nblog 1
Owner
Chaitanya Haritash
I'll always be found learning something new all the time.