Code Injection, Inject malicious payload via pagetables pml4.

Overview

PageTableInjection


Introduction

This is just a proof-of-concept of the page table injection technique, which injects malicious code into arbitrary user processes.
On Windows (and other modern OSes), every process has its own PML4, a.k.a. the Directory Table Base. Process A therefore cannot access process B's memory without going through APIs. But what if we can inject an arbitrary PML4 entry? The injected PML4 entry points to exactly the same physical addresses of the lower-level entries (PDP, PD and PT) as the backing process does.

In order to inject a malicious PML4 entry into the target process, we need an actual resident page (physical memory) backing the malicious PML4 entry. The page literally must be resident; otherwise the system will crash or become unstable, because when the MMU translates to the physical address it finds nothing it expects, and the Windows memory manager likewise has no record of it.

Let's look at the buffers of both the backing process and the target process. In this case, the buffers are:

  • Backing Process VA: 0x1A45F810000
  • Deployment Process Injected VA: 0x6EA45F810000

Before stepping to the next part, some of you may think that the 2nd address (0x6EA45F810000) looks weird: usually, when we allocate a buffer via malloc or VirtualAlloc, the virtual address looks like 0x17C7CAC0000, 0x23BE9D80000, 0x19FE76F0000 or similar. That is because the malicious PML4 entry is not involved with, nor managed by, the Windows memory manager. Of course, a virtual address in a 64-bit Windows process could have any value within the user address range.

So if we look into both addresses...

0: kd> .process ffff9803d8037080
Implicit process is now ffff9803`d8037080
0: kd> db 0x6EA45F810000 l2
00006ea4`5f810000  4d 5a       MZ

0: kd> !vtop 7968b000 0x6EA45F810000
Amd64VtoP: Virt 00006ea45f810000, pagedir 000000007968b000
Amd64VtoP: PML4E 000000007968b6e8
Amd64VtoP: PDPE 000000005849b488
Amd64VtoP: PDE 0000000059e9c7e0
Amd64VtoP: PTE 000000003251d080
Amd64VtoP: Mapped phys 0000000014306000
Virtual address 6ea45f810000 translates to physical address 14306000.
0: kd> .process ffff9803d9f6b080
Implicit process is now ffff9803`d9f6b080
0: kd> db 0x1A45F810000 l2
000001a4`5f810000  4d 5a       MZ

0: kd> !vtop 564f6000 0x1A45F810000
Amd64VtoP: Virt 000001a45f810000, pagedir 00000000564f6000
Amd64VtoP: PML4E 00000000564f6018
Amd64VtoP: PDPE 000000005849b488
Amd64VtoP: PDE 0000000059e9c7e0
Amd64VtoP: PTE 000000003251d080
Amd64VtoP: Mapped phys 0000000014306000
Virtual address 1a45f810000 translates to physical address 14306000.

Both addresses correspond to exactly the same page table entries (PDP, PD, PT) and the same physical address. Therefore, if we modify the backing process's buffer, the change also appears in the target process. This is very similar to shared memory on Windows, but the difference is that the memory region in the target process will never be shown in any of its VAD entries. On the other hand, if the backing process's buffer is freed, it is also freed in the target process, but without cleaning up the target process's page table entries; the memory manager will then cause a MEMORY_MANAGEMENT bugcheck, or worse, trigger a triple fault on the CPU.
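As an added example (not part of the original project), here is a small Python checker for the two !vtop walks above: it recomputes the 9-bit table index the MMU derives from each VA, verifies that every printed entry address sits at the expected offset inside its table, and reports which levels the two processes share, which is the aliasing a forensic reviewer would look for when a VA resolves through the page tables but has no VAD. It works on any !vtop output for 4-level paging with 4 KiB pages, not only the two walks quoted here.

```python
import re

# Constructed sample input: the two "!vtop" walks quoted above, one per process.
VTOP_TARGET = """Amd64VtoP: Virt 00006ea45f810000, pagedir 000000007968b000
Amd64VtoP: PML4E 000000007968b6e8
Amd64VtoP: PDPE 000000005849b488
Amd64VtoP: PDE 0000000059e9c7e0
Amd64VtoP: PTE 000000003251d080
Amd64VtoP: Mapped phys 0000000014306000"""
VTOP_BACKING = """Amd64VtoP: Virt 000001a45f810000, pagedir 00000000564f6000
Amd64VtoP: PML4E 00000000564f6018
Amd64VtoP: PDPE 000000005849b488
Amd64VtoP: PDE 0000000059e9c7e0
Amd64VtoP: PTE 000000003251d080
Amd64VtoP: Mapped phys 0000000014306000"""

# Bit position of each 9-bit table index in a 4-level, 4 KiB-page walk.
SHIFTS = {"PML4E": 39, "PDPE": 30, "PDE": 21, "PTE": 12}

def parse_vtop(text):
    """Pull the hex fields out of one !vtop dump into a dict of ints."""
    walk = {}
    for key in ("Virt", "pagedir", "PML4E", "PDPE", "PDE", "PTE", "Mapped phys"):
        m = re.search(r"\b%s ([0-9a-fA-F]+)" % key, text)
        if m is None:
            raise ValueError("missing %s in !vtop output" % key)
        walk[key.replace("Mapped ", "")] = int(m.group(1), 16)
    return walk

def index_for(va, level):
    """9-bit index the MMU uses at this level for virtual address va."""
    return (va >> SHIFTS[level]) & 0x1FF

def check_walk(walk):
    """Each printed entry address must sit at 8*index inside its table."""
    va = walk["Virt"]
    if walk["PML4E"] != walk["pagedir"] + 8 * index_for(va, "PML4E"):
        return False
    # Lower tables are reached through entries we did not parse; only the
    # in-page offset (low 12 bits) of each entry address is predictable.
    return all((walk[lvl] & 0xFFF) == 8 * index_for(va, lvl)
               for lvl in ("PDPE", "PDE", "PTE"))

def shared_levels(a, b):
    """Levels (and final page) where both walks hit the identical entry address."""
    shared = [lvl for lvl in SHIFTS if a[lvl] == b[lvl]]
    if a["phys"] == b["phys"]:
        shared.append("phys")
    return shared
```

Everything below PML4E being shared (as in the dump above) means the two processes alias one set of lower-level tables, which is what a legitimately shared section does not produce without a matching VAD.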

The problem

This technique has massive stability problems: as I said, the injected malicious PML4 entry is not known to the Windows memory manager or the kernel. There is no guarantee that the backing process will stay alive until the target process terminates, and the target process has no way to clean up the malicious PML4 entry when the backing process is terminating.

License

MIT copyright Kento Oki <[email protected]>

The source codes may contain external contents, such contents belong to its copyright holder.


Comments
  • Crash on call DllMain

    Hello! Thanks for the POC and for sharing it with us! I tried to adopt your POC and made some attempts, although whenever I try to call the actual DllMain entrypoint it just seems to crash, any idea? Here is how I did it:

    // Forward declaration so the call below compiles before the definition.
    int run_implant(PVOID mapped, DWORD ep_rva);

    print_info("Payload is now mapped to the target process VA: 0x%llX\n", deployment_va.Value);
    try_read_deployed_image((u64)deployment_va.Value, target_process_id);
    DWORD ep_rva = get_entry_point_rva(file_buffer.data());
    printf("%lu \r\n", ep_rva);   // DWORD is unsigned long, so %lu rather than %llu
    int ret = run_implant(deployment_va.Value, ep_rva);
    printf("return: %i \r\n", ret);
    
    // Call the mapped image's entry point as DllMain(hinstDLL, fdwReason, lpvReserved).
    int run_implant(PVOID mapped, DWORD ep_rva)
    {
    	ULONG_PTR implant_ep = (ULONG_PTR)mapped + ep_rva;
    	BOOL(*dll_main)(HINSTANCE, DWORD, LPVOID) = (BOOL(*)(HINSTANCE, DWORD, LPVOID))(implant_ep);
    	return dll_main((HINSTANCE)mapped, DLL_PROCESS_ATTACH, 0);
    }
    
    opened by rohybnol 21