PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)

Overview

wowInjector

wowInjector injects a payload into a WOW64 (32-bit Windows on 64-bit Windows) process by exploiting the 32-bit thread snapshot kept by WOW64. Taking over that snapshot hands control of $RIP to the injector, so the same trick supports injection, process hollowing, droppers and similar attacks while bypassing antivirus HIPS agents at the same time.

This is the proof-of-concept for the HITB 2021 talk. For the full details on reverse engineering Microsoft's WOW64 layer and how it can be abused, see the talk Rebuild The Heaven's Gate: from 32 bit Hell back to Heaven Wonderland.

Demo

Owner
Sheng-Hao Ma (30cm.tw/me)