TikiTorch
TikiTorch was named in homage to CACTUSTORCH by Vincent Yiu. The basic concept of CACTUSTORCH is that it spawns a new process, allocates a region of memory in it, writes the desired shellcode into that region, and then uses CreateRemoteThread to run the shellcode within the target process. Both the process and the shellcode are specified by the user. This is pretty flexible, as it allows an operator to run an HTTP agent inside a process such as iexplore.exe, where outbound web traffic is expected, rather than inside something more arbitrary like rundll32 or powershell.

TikiTorch follows the same concept but offers multiple types of process injection, which the user selects at compile time.
TikiTorch is a Visual Studio solution, split into 8 projects:
- TikiLoader
- TikiSpawn
- TikiSpawnAs
- TikiSpawnElevated
- TikiCpl
- TikiService
- TikiThings
- TikiVader
In the first instance, please see the Wiki for usage instructions.

Credits:
- Aaron Bray for Loader.cs
- James Forshaw for C# advice
- Vincent Yiu for inspiration
- Kevin Mitnick for letting me test in his lab
- Steve Borosh for TikiCpl
- Casey Smith for AllTheThings
- Marcus Gelderman for psCompress.ps1
- Will Schroeder for Seatbelt