A simple PoC to demonstrate that it is possible to write non-writable memory and execute non-executable memory on Windows

Overview

WindowsPermsPoC

A simple PoC to demonstrate that it is possible to write non-writable memory and execute non-executable memory on Windows. You can build it using Visual Studio.

Writing non-writable memory

This simple program allocates a non-writable piece of memory using VirtualAlloc and writes a shellcode into it using WriteProcessMemory.

This is made possible by the fact that WriteProcessMemory is a function designed for debuggers: under the hood, it changes the page permissions (through the NtProtectVirtualMemory syscall), performs the write, and restores the original permissions at the end.

Executing non-executable memory

At the end of our program, the permissions of the allocated memory are changed to read-only (PAGE_READONLY), and the shellcode is executed. How is this possible?

In modern operating systems, the execution of code in a non-executable memory area is prevented by a protection mechanism called DEP (Data Execution Prevention). However, this mechanism is not enforced by the operating system; it is up to the developer to decide whether to enable it in their program, e.g. by setting the NXCOMPAT flag in Visual Studio. More details about this, here.
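Since the point above is that an image only gets DEP if it opts in, the check a defender wants is whether a given binary carries that opt-in. The NXCOMPAT linker setting is recorded as the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit (0x0100) in the DllCharacteristics field of the PE optional header, so it can be read straight from the file without running it. The following is an added example, not code from the WindowsPermsPoC repository: a small, dependency-free parser that walks the DOS header, the PE signature and the optional header (PE32 or PE32+) to report that bit. The two PE headers it inspects are constructed in-memory samples, not real binaries; the only assumption is the documented PE layout, in which DllCharacteristics sits at offset 70 of the optional header for both formats.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bit in IMAGE_OPTIONAL_HEADER.DllCharacteristics that marks an image as DEP (NX) compatible;
   values taken from winnt.h. The MSVC linker sets the bit with /NXCOMPAT and clears it with /NXCOMPAT:NO. */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC      0x010b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC      0x020b

/* Little-endian field readers/writers so the parser does not depend on host byte order. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v & 0xFF); p[1] = (unsigned char)(v >> 8); }
static void wr32(unsigned char *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xFFFF)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Returns 1 if the image opts into DEP (NX_COMPAT set), 0 if it does not,
   and -1 if the buffer is not a parsable PE header. */
int pe_nx_compat(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;                                  /* no DOS header */
    uint32_t e_lfanew = rd32(buf + 0x3C);           /* file offset of the "PE\0\0" signature */
    /* Need signature (4) + COFF file header (20) + optional header up to and including
       DllCharacteristics, which is at offset 70 in both the PE32 and the PE32+ optional header. */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72)
        return -1;
    const unsigned char *pe = buf + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0)
        return -1;
    const unsigned char *opt = pe + 24;             /* optional header follows the 20-byte COFF header */
    uint16_t magic = rd16(opt);
    if (magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        return -1;
    return (rd16(opt + 70) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) ? 1 : 0;
}

/* Constructed sample: a bare PE header (not a real, loadable binary) with the requested
   optional-header magic and DllCharacteristics, used here as offline test input. */
size_t build_sample_pe(unsigned char *out, size_t cap, uint16_t magic, uint16_t dllchar)
{
    const uint32_t e_lfanew = 0x80;
    size_t total = e_lfanew + 4 + 20 + 240;         /* 240 = size of a full PE32+ optional header */
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3C, e_lfanew);
    memcpy(out + e_lfanew, "PE\0\0", 4);
    wr16(out + e_lfanew + 24, magic);
    wr16(out + e_lfanew + 24 + 70, dllchar);
    return total;
}

/* Convenience wrapper: build a constructed sample with the given fields and classify it. */
int sample_nx_compat(uint16_t magic, uint16_t dllchar)
{
    unsigned char img[512];
    size_t n = build_sample_pe(img, sizeof img, magic, dllchar);
    return n ? pe_nx_compat(img, n) : -1;
}

int main(void)
{
    /* 0x8160 = HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE (a typical MSVC default);
       0x8060 = the same set with NX_COMPAT cleared, as produced by /NXCOMPAT:NO. */
    printf("PE32+ with NX_COMPAT:    %d\n", sample_nx_compat(IMAGE_NT_OPTIONAL_HDR64_MAGIC, 0x8160));
    printf("PE32  without NX_COMPAT: %d\n", sample_nx_compat(IMAGE_NT_OPTIONAL_HDR32_MAGIC, 0x8060));
    const unsigned char junk[] = "not a PE file at all";
    printf("garbage input:           %d\n", pe_nx_compat(junk, sizeof junk));
    return 0;
}
```

To run the same check against a real file, read it into a buffer and pass it to pe_nx_compat; on Windows, `dumpbin /headers` shows the same information as "NX compatible" under the DLL characteristics. A result of 0 means the image has not opted into DEP and, under the default opt-in policy the README relies on, a read-only page in that process can still be executed.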

You might also like...
Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a handy trick.

Proof-of-Concept Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a h

Some source code to demonstrate avoiding certain direct syscall detections by locating and JMPing to a legitimate syscall instruction within NTDLL.

hiding-your-syscalls What is this? This repository contains all of the source code from my blog post about avoiding direct syscall detections, which y

Load and execute COFF files and Cobalt Strike BOFs in-memory

COFFLoader2 This repo contains the source code of a Common Object File Format (COFF) loader, which is a rewrite of the research and implementation don

This repository contains toy ImPlot applications that demonstrate some of the library's functionality

ImPlot Demos This repository contains toy ImPlot applications that demonstrate some of the library's functionality.

Demonstrate ability to read memfd_secret() data from the kernel

nosecmem This project demonstrates the newly-added memfd_secret Linux system call, and a kernel module which can dump the contents of these so-called

C#-like properties for C++20. This was made to demonstrate a bug in ClangFormat.

cpp20-property C#-like properties for C++20. Example usage #include iostream #include Propery.hpp class ProperyTest { public: zsl::Property

A simple processor emulator written in c++ that can parse and execute x32 code. x32 is binary code made by me for this processor.

A SIMPLE PROCESSOR EMULATOR AND CODE EXECUTOR The Repository This is a fairly new project and is still heavy in development. If you find and bugs feel

A simple, funky, horrible fluid simulator, made possible by OLC's Pixel Game Engine

flOwie A simple, funky, horrible fluid simulator, made possible by OLC's Pixel Game Engine! Not meant for usefulness. The big O is in the name because

A Simple tool to execute shellcode with the ability to detect mouse movement

Noobi A Simple tool to execute shellcode with the ability to detect mouse movement Features: Sandbox evasion through detecting mouse movement and chec

Comments
  • It does not work after changing DEP to NO

    It still does not work after I modify the DEP to NO, but if I change "PAGE_READONLY" to "PAGE_EXECUTE", all is just good. (I did not change the DEP flag of the OS; tested in Windows 10)

    opened by FunnyWolf 4
Owner
Lorenzo Maffia
CyberSecurity enthusiast and CTF player in @ZenHackTeam
This PoC uses two different techniques for stealing the primary token from all running processes, showing that it is possible to impersonate and use whatever token is present in any process

StealAllTokens This PoC uses two different techniques for stealing the primary token from all running processes, showing that it is possible to impersonate

lab52.io 50 Dec 13, 2022
Simple one-file header for hijacking the Windows version.dll for a desired executable, to do third-party modification without DLL injection.

Version-Hijack Simple one-file header for hijacking the Windows version.dll for a desired executable, to do third-party modification without DLL injection. Usage

sneakyevil 6 Oct 19, 2022
RemixDB: A read- and write-optimized concurrent KV store. Fast point and range queries. Extremely low write-amplification.

REMIX and RemixDB The REMIX data structure was introduced in paper "REMIX: Efficient Range Query for LSM-trees", FAST'21. This repository maintains a

Xingbo Wu 81 Dec 3, 2022
CVE-2021-4034 POC and Docker and Analysis write up

breeze 9 Oct 22, 2022
CVE-2021-3156 POC and Docker and Analysis write up

CVE-2021-3156 [toc] Vulnerability overview Vulnerability ID: CVE-2021-3156 Affected product: sudo Affected versions: 1.8.2-1.8.31sp12; 1.9.0-1.9.5sp1 Impact: local privilege escalation Source code: https://www.sudo.ws/getting/source/ Environment

breeze 1 Oct 22, 2022
CVE-2022-0185 POC and Docker and Analysis write up

CVE-2022-0185 Linux kernel privilege escalation (escape) [toc] Vulnerability overview Vulnerability ID: CVE-2022-0185 Vulnerability score: Affected product: linux kernel - fsconfig syscall Affected range: linux kernel 5.1-rc1 ~ 5.16.2 Exploit conditions: linu

breeze 25 Dec 4, 2022
C++ POC to write additional credentials into the LSASS process

LSASS_Injection_CreateProcessWithLogonW C++ POC to write additional credentials into the LSASS process Usage: LSASS_Injection_CreateProcessWithLogonW USE

null 3 Feb 9, 2022
Android PoC to read/write Huawei's NVME image

hisi-nve Android PoC to read/write Huawei's NVME image Disclaimers Use this tool at your own risk and always backup NVME. This tool was made for educa

Roger Ortiz 19 Dec 15, 2022
Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation to hide executable pages. (VAD hide / NX bit swapping)

Stealthy Kernel-mode Injector Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation

Charlie Wolfe 137 Jan 3, 2023
Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.

Thread Stack Spoofing PoC A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to byp

Mariusz B. 761 Jan 9, 2023