rasta-mouse/TikiTorch

  *   )           )         *   )                        )  
` )  /(   (    ( /(   (   ` )  /(         (           ( /(  
 ( )(_))  )\   )\())  )\   ( )(_))   (    )(     (    )\()) 
(_(_())  ((_) ((_)\  ((_) (_(_())    )\  (()\    )\  ((_)\  
|_   _|   (_) | |(_)  (_) |_   _|   ((_)  ((_)  ((_) | |(_) 
  | |     | | | / /   | |   | |    / _ \ | '_| / _|  | ' \  
  |_|     |_| |_\_\   |_|   |_|    \___/ |_|   \__|  |_||_| 

TikiTorch was named in homage to CACTUSTORCH by Vincent Yiu. The basic concept of CACTUSTORCH is that it spawns a new process, allocates a region of memory, writes shellcode into that region, and then uses CreateRemoteThread to execute said shellcode. Both the process and shellcode are specified by the user. The primary use case is as a JavaScript/VBScript loader via DotNetToJScript, which can be utilised in a variety of payload types such as HTA and VBA.

TikiTorch takes this a step further by offering more advanced process spawning and injection:

The TikiTorch solution has 2 projects:

  1. TikiLoader
  2. TikiSpawn

The TikiLoader is the core DLL that handles all of the actual spawning and injection logic. TikiSpawn is a demo console app showing how to consume the TikiLoader.
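A defender's view of the spawn-then-inject sequence described for CACTUSTORCH above, as an added example (not code from the TikiTorch project): it correlates Sysmon ProcessCreate (Event ID 1) and CreateRemoteThread (Event ID 8) records and flags remote threads started in a process that is only seconds old. The sample events, the 5-second window and the function names are constructed assumptions.

```python
from datetime import datetime

# Constructed Sysmon-style records (not captured telemetry). Field names follow
# Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.100", "ProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\mshta.exe", "ParentProcessGuid": "{P0}"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:01.000", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessGuid": "{A}"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:01.400",
     "SourceProcessGuid": "{A}", "SourceImage": r"C:\Windows\System32\mshta.exe",
     "TargetProcessGuid": "{B}", "TargetImage": r"C:\Windows\System32\notepad.exe"},
    # Remote thread into a process that has been running for an hour: not flagged.
    {"EventID": 1, "UtcTime": "2024-01-01 09:00:00.000", "ProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentProcessGuid": "{P1}"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:05:00.000",
     "SourceProcessGuid": "{D}", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessGuid": "{C}", "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

def parse_time(value):
    # Sysmon UtcTime format: "YYYY-MM-DD HH:MM:SS.mmm"
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")

def find_spawn_then_inject(events, window_seconds=5.0):
    """Return CreateRemoteThread events whose target is at most window_seconds old."""
    created = {}   # ProcessGuid -> (creation time, recorded parent GUID)
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        when = parse_time(ev["UtcTime"])
        if ev["EventID"] == 1:
            created[ev["ProcessGuid"]] = (when, ev.get("ParentProcessGuid"))
        elif ev["EventID"] == 8 and ev["TargetProcessGuid"] in created:
            born, parent = created[ev["TargetProcessGuid"]]
            age = (when - born).total_seconds()
            if age <= window_seconds:
                findings.append({
                    "source": ev["SourceImage"], "target": ev["TargetImage"],
                    "target_age_seconds": age,
                    # Context only: a creator can choose the parent it assigns
                    # (see ParentId in Basic Usage), so a mismatch proves nothing alone.
                    "source_is_recorded_parent": ev["SourceProcessGuid"] == parent,
                })
    return findings

if __name__ == "__main__":
    for hit in find_spawn_then_inject(SAMPLE_EVENTS):
        print(hit)
```

The window is a tuning knob: some legitimate software starts threads in its own freshly created children, so findings are triage leads to review alongside the source and target images.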

Basic Usage

using System.Diagnostics;
using TikiLoader;

var hollower = new Hollower
{
    BinaryPath = @"C:\Windows\System32\notepad.exe",
    WorkingDirectory = @"C:\Windows\System32",
    ParentId = Process.GetProcessesByName("explorer")[0].Id,
    BlockDlls = true
};
            
hollower.Hollow(Shellcode, true);
