DInjector – Collection Of Shellcode Injection Techniques Packed In A D/Invoke Weaponized DLL
This repository is an accumulation of my code snippets for various shellcode injection techniques using the fantastic D/Invoke API by @TheWover and @FuzzySecurity.

Features:

- Fully ported to D/Invoke API
- Encrypted payloads which can be invoked from a URL or passed in base64 as an argument
- Built-in AMSI bypass
- PPID spoofing and blocking of non-Microsoft DLLs (stolen from TikiTorch, write-up is here)
- Sandbox detection & evasion
Based on my testing, the DInvoke NuGet package itself is flagged by many commercial AV/EDR solutions when included as an embedded resource via Costura.Fody (or similar approaches), so I've shrunk it a bit and included it from source to achieve better OpSec.
```yaml
module_name: 'functionpointer'
description: |
  Allocates a RWX memory region, copies the shellcode into it and executes it like a function.
calls:
  - ntdll.dll:
      1: 'NtAllocateVirtualMemory (PAGE_READWRITE)'
      2: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
opsec_safe: false
references:
  - 'http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/'
  - 'https://www.ired.team/offensive-security/code-injection-process-injection/local-shellcode-execution-without-windows-apis'
  - 'https://www.fergonez.net/post/shellcode-csharp'
```
```yaml
module_name: 'remotethreadsuspended'
arguments: |
  /pid:1337
description: |
  Injects shellcode into an existing remote process and flips memory protection to PAGE_NOACCESS.
  After a short sleep (waiting until a possible AV scan is finished) the protection is flipped again to PAGE_EXECUTE_READ.
  Thread execution via NtCreateThreadEx.
calls:
  - ntdll.dll:
      1: 'NtOpenProcess'
      2: 'NtAllocateVirtualMemory (PAGE_READWRITE)'
      3: 'NtWriteVirtualMemory'
      4: 'NtProtectVirtualMemory (PAGE_NOACCESS)'
      5: 'NtCreateThreadEx (CREATE_SUSPENDED)'
      6: 'NtProtectVirtualMemory (PAGE_EXECUTE_READ)'
      7: 'NtResumeThread'
opsec_safe: true
references:
  - 'https://labs.f-secure.com/blog/bypassing-windows-defender-runtime-scanning/'
  - 'https://github.com/plackyhacker/Suspended-Thread-Injection/blob/main/injection.cs'
```
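From the detection side, the `calls` block above is effectively a signature: the RW allocation, write, flip to PAGE_NOACCESS, suspended thread creation, flip to PAGE_EXECUTE_READ and resume happen in a fixed order with an arbitrary sleep in between. The following is an added example, not code from the DInjector repository, that flags that ordered sequence in a per-process API trace; the one-call-per-line trace format and the sample trace are constructed assumptions for the example.

```python
# Added example (not DInjector code): flag the call sequence documented by the
# remotethreadsuspended module. Assumed trace format: "<pid> <Nt-call> [<flag>]".
from collections import defaultdict

# (call, flag) pairs as listed in the module's 'calls' block; None = any flag.
REMOTE_THREAD_SUSPENDED = [
    ("NtOpenProcess", None),
    ("NtAllocateVirtualMemory", "PAGE_READWRITE"),
    ("NtWriteVirtualMemory", None),
    ("NtProtectVirtualMemory", "PAGE_NOACCESS"),
    ("NtCreateThreadEx", "CREATE_SUSPENDED"),
    ("NtProtectVirtualMemory", "PAGE_EXECUTE_READ"),
    ("NtResumeThread", None),
]

def parse_trace(text):
    """Group (call, flag) tuples by pid, preserving execution order."""
    per_pid = defaultdict(list)
    for line in text.strip().splitlines():
        parts = line.split()
        per_pid[int(parts[0])].append(
            (parts[1], parts[2] if len(parts) > 2 else None))
    return per_pid

def matches_pattern(calls, pattern):
    """True if pattern is an ordered subsequence of calls (other calls may interleave)."""
    i = 0
    for call, flag in calls:
        want_call, want_flag = pattern[i]
        if call == want_call and (want_flag is None or flag == want_flag):
            i += 1
            if i == len(pattern):
                return True
    return False

def flag_processes(text, pattern=REMOTE_THREAD_SUSPENDED):
    return sorted(pid for pid, calls in parse_trace(text).items()
                  if matches_pattern(calls, pattern))

# Constructed sample: pid 4242 runs the full sequence with the sleep interleaved;
# pid 5150 only allocates RW memory and never flips protection or starts a thread.
SAMPLE_TRACE = """
4242 NtOpenProcess
4242 NtAllocateVirtualMemory PAGE_READWRITE
4242 NtWriteVirtualMemory
4242 NtProtectVirtualMemory PAGE_NOACCESS
4242 NtCreateThreadEx CREATE_SUSPENDED
4242 NtDelayExecution
4242 NtProtectVirtualMemory PAGE_EXECUTE_READ
4242 NtResumeThread
5150 NtAllocateVirtualMemory PAGE_READWRITE
"""
```

Because the match tolerates interleaved calls, lengthening the sleep between the two `NtProtectVirtualMemory` calls does not defeat it; the weakness is that it depends on seeing the flag values, so a trace that only records call names needs the protection transitions reconstructed from the arguments.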