A Windows user-mode shellcode execution tool that demonstrates various techniques that malware uses

Related tags

Miscellaneous Jektor
Overview

Jektor Toolkit v1.0

This utility focuses on shellcode injection techniques to demonstrate methods that malware may use to execute shellcode on a victim system

  • Dynamically resolves API functions to evade IAT inclusion
  • Includes usage of undocumented NT Windows API functions
  • Supports local shellcode execution via CreateThread
  • Supports remote shellcode execution via CreateRemoteThread
  • Supports local shellcode injection via QueueUserAPC
  • Supports local shellcode injection via EnumTimeFormatsEx
  • Supports local shellcode injection via CreateFiber

9ada2d9a23bb4fe7a91b5089a262b44d

Anti-virus detection?:

Pre-pending a set of NOPs to a Msfvenom XOR encrypted shellcode payload while using dynamic function address resolutions seems to bypass Windows Defender.

IAT Import Evasion

Jektor makes use of dynamic function address resolutions using LoadLibrary and GetProcessAddress to make static analysis more difficult.

Important functions such as VirtualAlloc are not directly called which makes debugging and dumping the shellcode through breakpoints more difficult.

Local shellcode execution via CreateThread

On Windows when you want to create a new thread for the current process you can call the CreateThread function, this is the most basic technique for executing malicious code or shellcode within a process. You can simply allocate a region of memory for your shellcode, move your shellcode into the allocated region, and then call CreateThread with a pointer to the address of the allocated region. When you call CreateThread you pass the lpStartAddress parameter which is a pointer to the application-defined function that will be executed by the newly created thread.

f78e209597194051a4ebb74d3f519c5a

  1. Allocate a region of memory big enough for the shellcode using VirtualAlloc
  2. Move the globally defined shellcode buffer into the newly allocated memory region with memcpy/RtlCopyMemory
  3. Create a new thread that includes the base address of the allocated memory region with CreateThread
  4. Wait for the new thread to be created/executed with WaitForSingleObject to ensure the payload detonates

After the memory region for the shellcode payload is allocated as RWX and the payload is moved into it, you can easily discover this region of memory by looking for any region of memory in the process that is marked as RWX, then if you inspect it you can seen the shellcode payload was moved into it, highlighted below are the first five bytes of the shellcode payload that executes a calculator on the victim system.

image

Hunting for RWX regions of memory is a quick way to identify potentially malicious activity on your system.

image

Remote shellcode execution via CreateRemoteThread

Another technique to create threads for shellcode execution is to call the CreateRemoteThread function, this will allow you to create threads remotely in another process. But the catch is that you will also want to allocate and write the shellcode payload into the remote process as well, since you’ll create a thread remotely that executes the payloads address that’s allocated within that process. In order to allocate the payload remotely, you’ll need to use the VirtualAllocEx function, this function is different from VirtualAlloc in that it can allocate memory regions in remote processes. To do this, Jektor creates a new process with the CREATE_NO_WINDOW flag set using CreateProcessW, this is used to spawn a new hidden notepad process. One the new process is spawned it remotely allocated memory in it and then uses WriteProcessMemory to write the shellcode payload into the allocated memory region. After this it calls CreateRemoteThread to execute the shellcode payload.

  1. Spawn a new process using CreateProcessW with CREATE_NO_WINDOW set
  2. Open a HANDLE to the newly spawed process by PID with OpenProcess and dwProcessId from PROCESS_INFORMATION
  3. Allocate memory remotely in the spawned process for the shellcode with VirtualAllocEx
  4. Write the shellcode payload into the allocated memory region with WriteProcessMemory
  5. Detonate the remotely created shellcode payload with CreateRemoteThread and the HANDLE from OpenProcess

48dda89e4b0a4102b0a57dc115d9e2ee

Local shellcode execution via EnumTimeFormatsEx

  1. Allocate memory locally for the shellcode payload with VirtualAlloc
  2. Move the shellcode payload into the newly allocated region with memcpy/RtlCopyMemory
  3. Detonate the shellcode by passing it as the lpTimeFmtEnumProcEx parameter for EnumTimeFormatsEx

9875383125f74cc090c749fd95aef4f8

Local shellcode execution via CreateFiber

  1. Get a HANDLE to the current thread using GetCurrentThread
  2. Convert the main thread to a Fiber using ConvertThreadToFiber
  3. Allocate memory for the shellcode payload with VirtualAlloc
  4. Copy the shellcode buffer into the newly allocated memory region with memcpy
  5. Create a new fiber with the base address of the allocated memory region as the lpStartAddress parameter for CreateFiber
  6. Detonate the shellcode by scheduling the fiber with SwitchToFiber
  7. Perform cleanup by deleting the created fiber with DeleteFiber

6e69f015c6df47a9a63393400be44309

Local shellcode execution via QueueUserAPC

  1. Allocate memory for the shellcode buffer with VirtualAlloc
  2. Get a handle to the current process with GetCurrentProcess
  3. Write the shellcode payload into the newly allocated memory region with WriteProcessMemory
  4. Get a handle to the current thread with GetCurrentThread
  5. Queue a new APC routine pass the address of the allocated memory region as the pfnAPC parameter to QueueUserAPC
  6. Trigger the shellcode payload by calling the undocumented NtTestAlert function which clears the APC queue for the current thread
  7. Perform cleanup by closing the handles to the current thread and current process

116365f5725f46e09e7c37ca14bfe78d

Owner
Exploit & Malware Researcher
null
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 137 Aug 3, 2022
A recreation of the "Nobelium" malware based on Microsofts Malware analysis - Part 1: PDF2Pwn

Nobelium PdfDownloadRunAesMalware A recreation of the "Nobelium" malware based on Microsofts Malware analysis - Part 1: PDF2Pwn 1. Download PDF file f

boku 94 Jul 26, 2022
A demonstration of various different techniques for implementing 'threaded code,' a technique used in Forth and in virtual machines like the JVM.

Threaded code is a technique used in the implementation of virtual machines (VMs). It avoids the overhead of calling subroutines repeatedly by 'thread

null 24 Jul 24, 2022
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj

Bobby Cooke 190 Jul 27, 2022
Demonstrates implementation of the Windows 10 Acrylic Effect on C++ Win32 Apps using DWM Private APIs and Direct Composition

Win32 Acrylic Effect A Demonstration of Acrylic Effect on C++ Win32 applications using Direct Composition and DWM private APIs. Table of Contents Over

Selastin 96 Jul 22, 2022
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Bobby Cooke 86 Jul 27, 2022
raincoat is a shellcode injector that uses direct syscall invoking.

raincoat is a shellcode injector that uses direct syscall invoking. by liz @realhaxorleet & ellyysium @ellyysium opening the code may cause brain dama

null 5 Jan 29, 2022
`lv_lib_100ask` is a reference for various out of the box schemes based on lvgl library or an enhanced interface for various components of lvgl library.

Introduction lv_lib_100ask is a reference for various out of the box schemes based on lvgl library or an enhanced interface for various components of

100askTeam 21 Aug 11, 2022
Techniques based on named pipes for pool overflow exploitation targeting the most recent (and oldest) Windows versions

Table of Contents Table of Contents Introduction Named-Pipes Introduction Exploitation Spraying the non-paged pool Memory Disclosure/Arbitrary Read Co

null 131 Jul 2, 2022
Orca - Advanced Malware with multifeatures written in ASM/C/C++ , work on all windows versions ! (some features still under developing and not stable)

About Orca Orca is an Advanced Malware with multifeatures written in ASM/C/C++ features Run in Background (Hidden Mode) Records keystrokes and saves t

anas 166 Aug 3, 2022
This is a prank windows malware, is only for fun, it's just for fun, it's not harmful

DBUSTER-PRO (C) 2021-2022 DioBrando This is a prank windows malware, just for fun, nothing harmful. I will teach you how to compile, and remove malwar

Dio brando 8 Apr 15, 2022
A LoadLibrary injector for CS:GO that automatically bypasses Trusted Mode by disabling various Win32 function hooks.

TrustedInjector This is a LoadLibrary injector for Counter-Strike: Global Offensive. Information It automatically bypasses trusted mode by removing ho

Brandon 18 Jul 17, 2022
If the button pressed esp will reset and App mode will on. App mode will on then led will on, network is connected led will off.

DHT22-to-Google-sheet-Reset-Using-ESP8266-LED-Switch If button pressed esp will reset and App mode will on. App mode will on then led will on, network

Md. Harun-Or-Rashid 4 Oct 5, 2021
New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.

BOF - Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking ServiceMove is a POC code for an interestin

Chris Au 175 Aug 1, 2022
RR4J is a tool that records java execution and later allows developers to replay locally.

RR4J [Record Replay 4 Java] RR4J is a tool that records java execution and later allows developers to replay locally. The tool solves one of the chall

Kartik  kalaghatgi 15 Aug 7, 2022
This is a very short tool that predicts the number of cycles and execution time in Fulcrum when the operands and operations are known.

fulcrum-analytical-tool This is a very short tool that predicts the number of cycles and execution time in Fulcrum when the operands and operations ar

null 2 Feb 6, 2022
OffensivePH - use old Process Hacker driver to bypass several user-mode access controls

offensiveph OffensivePH is a post-exploitation tool that utilizes an old Process Hacker driver to bypass several user-mode access controls. Usage Comp

Red Section 260 Jul 25, 2022
Sloth 🦥 is a coverage guided fuzzing framework for fuzzing Android Native libraries that makes use of libFuzzer and QEMU user-mode emulation

Sloth ?? Sloth is a fuzzing setup that makes use of libFuzzer and QEMU’s user-mode emulation (qemu/linux-user) on x86_64/aarch64 host to emulate aarch

Chaithu 74 Jul 26, 2022
A user-mode emulator for the mhyprot2.sys driver

mhynot2 Cheating is bad, but I think requiring a kernel driver to play a (mostly) single-player game is worse. mhynot2 is a hook DLL which hooks into

Khangaroo 76 Aug 7, 2022