POCs for Shellcode Injection via Callbacks

Related tags

Utilities Callback_Shellcode_Injection
Overview

Callback_Shellcode_Injection

POCs for Shellcode Injection via Callbacks.

Working APIs

1,  EnumTimeFormatsA 			Works
2,  EnumWindows				Works
3,  EnumDesktopWindows			Works
4,  EnumDateFormatsA			Works
5,  EnumChildWindows			Works
6,  EnumThreadWindows			Works
7,  EnumSystemLocales			Works
8,  EnumSystemGeoID			Works
9,  EnumSystemLanguageGroupsA		Works
10, EnumUILanguagesA			Works
11, EnumSystemCodePagesA		Works
12, EnumDesktopsW			Works
13, EnumSystemCodePagesW		Works

Detection:

Detection: System Event Logs

Credits:

@bofheaded & @0xhex21

You might also like...
Injection - Windows process injection methods

Windows Process Injection Here are some popular methods used for process injection on the windows operating system. Conhost ExtraBytes PROPagate Servi

null 1.4k Dec 28, 2022
Windows kernel information leakage POCs on Windows 10 RS1+
Windows kernel information leakage POCs on Windows 10 RS1+

This repository covers various techniques and methods I write while conducting research into infoleaks, these are for leaking various Windows kernel a

null 2 Dec 18, 2022
Kernel mode WinDbg extension and PoCs for token privilege investigation.

PrivFu Kernel mode WinDbg extension and PoCs for testing how token privileges work. There are notable repository and articles about token privilege ab

null 376 Dec 21, 2022
Evasive shellcode loader for bypassing event-based injection detection (PoC)
Evasive shellcode loader for bypassing event-based injection detection (PoC)

(cleaned up version here: https://github.com/xinbailu/DripLoader-Ops) DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection de

Filip Olszak 547 Dec 28, 2022
Evasive shellcode loader for bypassing event-based injection detection (PoC)
Evasive shellcode loader for bypassing event-based injection detection (PoC)

DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project

Filip Olszak 547 Dec 28, 2022
This is a brand-new technique for shellcode injection to evade AVs and EDRs
This is a brand-new technique for shellcode injection to evade AVs and EDRs

This is a brand-new technique for shellcode injection to evade AVs and EDRs. This technique is inspired by Module Stomping and has some similarities. As to this date (23-01-2022) also hollows-hunter doesn't find it.

Idov 606 Dec 20, 2022
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj

Bobby Cooke 203 Dec 20, 2022
x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code
x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code

NoPatchGuardCallback x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code Read: https://www.godeye.club/2021/05/22/00

Kento Oki 139 Dec 26, 2022
Bypasses for Windows kernel callbacks PatchGuard protection

kernel_callbacks Bypasses for Windows kernel callbacks PatchGuard protection https://www.godeye.club/2021/08/14/001-windows-notification-callbacks.htm

Kento Oki 36 Nov 26, 2022
A proof of concept demonstrating instrumentation callbacks on Windows 10 21h1 with a TLS variable to ensure all syscalls are caught.

Instrumentation callbacks are quite a fun undocumented part of Windows. All the code in this repository is released under the MIT license. This repository uses google style C++.

Deputation 60 Dec 26, 2022
Beacon Object File (BOF) for remote process injection via thread hijacking

cThreadHijack ___________.__ .______ ___ .__ __ __ ___\__ ___/| |_________ ____ _____

Connor McGarr 158 Dec 28, 2022
Code Injection, Inject malicious payload via pagetables pml4.
Code Injection, Inject malicious payload via pagetables pml4.

PageTableInjection Code Injection, Inject malicious payload via pagetables pml4. Introduction This is just a proof-of-concept of the page table inject

Kento Oki 179 Nov 28, 2022
🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.
🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.

Plants vs. Zombies Online Battle This project has two original repositories: https://github.com/czs108/Plants-vs.-Zombies-Online-Battle https://github

Liugw 71 Oct 14, 2021
Code Injection via Memory Mapped Files

MMFCodeInjection This technique leverages File Mapping and APC(s) to execute shellcode into another process. By leveraging file mapping we would not h

null 52 Dec 28, 2022
🦘 A dependency injection container for C++11, C++14 and later

kangaru 🦘 Kangaru is an inversion of control container for C++11, C++14 and later. It provides many features to automate dependency injection and red

Guillaume Racicot 368 Jan 3, 2023
Linux x86_64 Process Injection Utility | Manipulate Processes With Customized Payloads (beta)
Linux x86_64 Process Injection Utility | Manipulate Processes With Customized Payloads (beta)

K55 - Linux x86_64 Process Injection Utility (C++11) About K55 (pronounced: "kay fifty-five") The K55 payload injection tool is used for injecting x86

Josh Schiavone 57 Sep 5, 2022
a undetectable tool by modify odyssey, support sign disable & dylib injection, test on iphoneX(13.5.1 expolit by FreeTheSandbox), our qqgroup is 703156427

a undetectable ios root access tool by modify odyssey, support sign disable & dylib injection, test on iphoneX(13.5.1 expolit by FreeTheSandbox), our

null 58 Nov 22, 2021
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

TiEtwAgent - ETW-based process injection detection This project was created to research, build and test different memory injection detection use cases

Filip Olszak 188 Dec 26, 2022
Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging

Transacted Hollowing Transacted Hollowing - a PE injection technique. A hybrid between Process Hollowing and Process Doppelgänging. More info here Cha

hasherezade 430 Dec 24, 2022
Comments
  • CallWindowProc.cpp

    CallWindowProc.cpp 

        // CallWindowProc

    char shellcode[] =
        "\x31\xC0\x48\x0F\x88\x00\x00\x00\x00\xC3";

    PVOID fnPtr = VirtualAlloc(
        NULL, 
        sizeof(shellcode), 
        MEM_COMMIT | MEM_RESERVE, 
        PAGE_EXECUTE_READWRITE);

    memcpy(fnPtr, shellcode, sizeof(shellcode));

    bool is32bit = CallWindowProcA((WNDPROC)fnPtr, 0, 0, 0, 0);

    printf_s(
        "in 32bit env: %hs", is32bit ? "yep" : "nope"
    );

    regarded as one, maybe.

    opened by nblog 1
Owner
Chaitanya Haritash
I'll be always found learning something new all the time.
Chaitanya Haritash
GitHub
A proof of concept demonstrating instrumentation callbacks on Windows 10 21h1 with a TLS variable to ensure all syscalls are caught.

Instrumentation callbacks are quite a fun undocumented part of Windows. All the code in this repository is released under the MIT license. This repository uses google style C++.

Deputation 60 Dec 26, 2022
Beacon Object File (BOF) for remote process injection via thread hijacking

cThreadHijack ___________.__ .______ ___ .__ __ __ ___\__ ___/| |_________ ____ _____

Connor McGarr 158 Dec 28, 2022
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

TiEtwAgent - ETW-based process injection detection This project was created to research, build and test different memory injection detection use cases

Filip Olszak 188 Dec 26, 2022
Section Mapping Process Injection (secinject): Cobalt Strike BOF

Section Mapping Process Injection (secinject): Cobalt Strike BOF Beacon Object File (BOF) that leverages Native APIs to achieve process injection thro

null 77 Dec 16, 2022
Remote Download and Memory Execute for shellcode framework

RmExecute Remote Download and Memory Execute for shellcode framework 远程下载并内存加载的ShellCode框架,暂不支持X64 参(抄)考(袭)项目 windows下shellcode提取模板的实现 主要抄袭来源,直接使用这位大佬

null 52 Dec 25, 2022
C-shellcode to hex converter, handy tool for paste & execute shellcodes in gdb, windbg, radare2, ollydbg, x64dbg, immunity debugger & 010 editor

shellex WARNING: the ugliest code in the world C-shellcode to hex converter. Handy tool for paste & execute shellcodes in gdb, windbg, radare2, ollydb

David Reguera Garcia aka Dreg 90 Dec 30, 2022
Hijack Printconfig.dll to execute shellcode

printjacker Printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The

Red Section 87 Dec 16, 2022
runsc loads 32/64 bit shellcode (depending on how runsc is compiled) in a way that makes it easy to load in a debugger. This code is based on the code from https://github.com/Kdr0x/Kd_Shellcode_Loader by Gary "kd" Contreras.

runsc This code is based on the code from https://github.com/Kdr0x/Kd_Shellcode_Loader by Gary "kd" Contreras and contains additional functionality. T

null 24 Nov 9, 2022
Block unauthorized users from logging in via RDP.

RDPBlocker is a tool to prevent brute force password cracking against RDP (Remote Desktop Protocol) services. This tool is developed by cpp

null 44 Nov 11, 2022
Alternative Shellcode Execution Via Callbacks

Alternative Code Execution This is gaining more popularity than expected, so I just wanted to give a shoutout to alfarom256 for informing me about cal

null 949 Jan 1, 2023