Skip to content

ddemaid/EarlyCascade

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
Properties
Properties
 
 
EarlyCascade.csproj
EarlyCascade.csproj
 
 
Program.cs
Program.cs
 
 
README.md
README.md
 
 
Shellcode.cs
Shellcode.cs
 
 

Repository files navigation

EarlyCascade

POC for Early Cascade Injection technique to spawn a Message Box. Only NT APIs.

NtCreateUserProcess: create suspended process
NtQueryInformationProcess: get NTDLL address + functions
NtAllocateVirtualMemory: allocate memory
NtWriteVirtualMemory: write memory
NtResumeThread: resume suspended thread
What to expect?
PS Z:\pi\new\EarlyCascade\bin\Debug\net9.0> .\EarlyCascade.exe
[^] PROCESS HANDLE:                      2B0
[^] THREAD HANDLE:                       2AC
[^] g_ShimsEnabled ADDRESS:              7FFF7F15D194
[^] g_pfnSE_DllLoaded ADDRESS:           7FFF7F171268
[^] STUB ADDRESS:                        22EC1FB0000
[^] SHELLCODE ADDRESS:                   22EC1FB0185
[^] Enjoy!

alt text

To-Do
  • Find g_ShimsEnabled and g_pfnSE_DllLoaded dinamically.
  • Include user input for shellcode file.
References

About

POC for Early Cascade Injection technique.

Resources

Readme
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages