peperunas / Injectopi
Programming Languages
Projects that are alternatives of or similar to Injectopi
What is this?
Injectopi is a set of tutorials that I've decided to write down in order to learn about various injection techniques in the Windows' environment. The idea came to my mind when I noticed these awesome sources by Hasherezade.
Why "Injectopi"?
Here is what I thought:
"Is there anything better than a mighty animal with multiple arms swinging poisonous pointy weapons?"
Getting Started
This tutorial shows how you can create a program that, when run, will inject code into an existing process. We will show multiple techniques of increasing complexity discovered by security researchers and malware coders. It has to be noted that these list is not complete as it only shows the main techniques!
Techniques overview
| Name | Description | Main WINAPI |
|---|---|---|
| CreatePatched | Spawns a benign process with its Entrypoint patched with a shellcode |
CreateProcess, VirtualProtectEx, ReadProcessMemory
|
| CreateSection | Creates a new executable section, containing a shellcode, in an existing process |
CreateProcess, ZwCreateSection, NtMapViewOfSection, ZwCreateThreadEx
|
| CreateSectionAPC | Same as CreateSection: this time asynchronous procedure calls will be used. |
CreateProcess, ZwCreateSection, NtMapViewOfSection, NtQueueApcThread
|
| FullCopy | Allocates an executable memory region in an existing process and copies itself in that region |
ZwCreateSection, NtMapViewOfSection
|
Requisites
If you want to compile each binary it is suggested to use:
- Visual Studio 2017 (Community will suffice)
- Windows 7+
Building
Just open Injectopi.sln with Visual Studio!
Visual Studio 2017
Make sure to have the Desktop C++ x86 and x64 components enabled with your Visual Studio installation!
You should be ready to go!
What are you running with that shellcode?
I have commented what the shellcode does in the file SHELLCODE.md.
Further reading
Here below you can find a list of interesting articles / websites / papers which I found useful while writing down Injectopi!
ReactOS
From their website:
Imagine running your favorite Windows applications and drivers in an open-source environment you can trust. That's ReactOS. Not just an Open but also a Free operating system.
ReactOS is an awesome project which aims at open-sourcing the Windows OS by reverse engineering it. The documentation you find on their website is pure gold.
Windows shellcoding
skape's "Understanding Windows Shellcode" paper is a great resource that will surely help you understand how Windows' internals work and how to use them to write shellcode.
The shellcode I use in these examples uses some techniques shown in the paper!
Contributions
Any contribution is very welcome! Feel free to open issues and pull requests!
Credits
This project idea was born thanks to Hasherezade's demo repository and the constant support of my instructor Federico Maggi.
Special thanks to my friends Francesco and Giancarlo that helped me review everything!
License
Copyright 2017 Giulio De Pasquale
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.