Inject Shellcode

Description

Injects the specified shellcode into the target processes using one of a number of techniques.

Overview

This script injects the provided shellcode into another running process for the purpose of defense evasion or privilege escalation. The target process can be specified by either PID or name. If injecting by name, the first matching process is injected and all remaining matches are ignored; because that first match is whatever the process list returns first, it may be an instance running under a different user or integrity level than intended, so use a PID when the choice matters. The operator will need to provide shellcode built for the target process's architecture.

Arguments

Parameter   Type     Description
Process     string   The name or PID of the target process into which the Specter shellcode is injected. If a process name is given, the first matching instance is injected and any remaining matches are ignored.
Technique   string   The process injection method used to execute the shellcode in the target process (Classic, SuspendInjectResume or QueueUserAPC; see Techniques).
Shellcode   string   The shellcode to inject, as a hex or base64 string. It must be built for the target process's architecture.

Techniques

Classic
  Description: The standard OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread injection method. It is heavily signatured, but reliable.
  Employment Considerations: Relatively easily detected by EDR, and the remote thread creation is logged by Sysmon event ID 8 (CreateRemoteThread).

SuspendInjectResume
  Description: Also referred to as thread hijacking. The shellcode is written into the target with the standard OpenProcess, VirtualAllocEx and WriteProcessMemory calls, but instead of creating a new thread it uses SuspendThread, GetThreadContext, SetThreadContext and ResumeThread to point the instruction pointer of an existing target thread at the injected shellcode.
  Employment Considerations: Not guaranteed to work. It depends on finding a thread that can be hijacked, that is, one that is executing or in an alertable wait state, which is not always the case. The script searches for a suitable thread and times out after 30 seconds if none is found; no shellcode is written until a suitable thread has been suspended. Because the hijacked thread's original context is overwritten, the shellcode must save and restore it if the thread's original work is expected to complete, otherwise the target process may hang or crash.

QueueUserAPC
  Description: Writes the shellcode with OpenProcess, VirtualAllocEx and WriteProcessMemory, then queues an asynchronous procedure call pointing at it on a thread of the target process. The thread executes the call when it next drains its APC queue.
  Employment Considerations: Also not reliable. It depends on finding a thread that enters an alertable wait state, and it is hard to tell in advance whether a given thread will ever pull from its APC queue, so the shellcode runs whenever, and only if, that happens.
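On the defensive side, the Sysmon event ID 8 noted above is what a hunter starts from. The following Python is an added example, not part of this tool or of Sysmon: it parses three constructed Event ID 8 records (paths, PIDs and addresses are made up, the XML follows the Sysmon event schema) and applies two checks, a thread start address that no loaded module backs, which is the footprint the Classic technique leaves, and a remote thread starting at LoadLibrary. The ALLOWLIST of known source/target pairs is a placeholder to be filled from your own baseline, and the function names are mine.

```python
"""Added example (not part of the tool): triage Sysmon Event ID 8 (CreateRemoteThread)
records, the log entry the Classic technique leaves behind. Events are constructed."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Known-good (source image, target image) pairs, lower-cased, seen in a given
# environment. Left empty here: populate it from your own baseline.
ALLOWLIST = set()

# Constructed sample events in the Sysmon schema; paths, ids and addresses are made up.
SAMPLE_EVENTS = [
    # 1: thread starts in private memory of powershell.exe -> shellcode injection
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>8</EventID></System><EventData>
<Data Name="SourceProcessId">4412</Data>
<Data Name="SourceImage">C:\Users\helpdesk\AppData\Local\Temp\update.exe</Data>
<Data Name="TargetProcessId">1632</Data>
<Data Name="TargetImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="NewThreadId">5128</Data>
<Data Name="StartAddress">0x000001D4A3F20000</Data>
<Data Name="StartModule">-</Data>
<Data Name="StartFunction">-</Data>
</EventData></Event>""",
    # 2: remote thread starting at LoadLibraryA -> classic DLL injection
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>8</EventID></System><EventData>
<Data Name="SourceProcessId">4412</Data>
<Data Name="SourceImage">C:\Users\helpdesk\AppData\Local\Temp\update.exe</Data>
<Data Name="TargetProcessId">2204</Data>
<Data Name="TargetImage">C:\Windows\explorer.exe</Data>
<Data Name="NewThreadId">6016</Data>
<Data Name="StartAddress">0x00007FFB1C3E1A70</Data>
<Data Name="StartModule">C:\Windows\System32\KERNEL32.DLL</Data>
<Data Name="StartFunction">LoadLibraryA</Data>
</EventData></Event>""",
    # 3: module-backed start address with no LoadLibrary -> review, not alert
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>8</EventID></System><EventData>
<Data Name="SourceProcessId">980</Data>
<Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
<Data Name="TargetProcessId">3360</Data>
<Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
<Data Name="NewThreadId">7744</Data>
<Data Name="StartAddress">0x00007FFB1E9A0B30</Data>
<Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
<Data Name="StartFunction">-</Data>
</EventData></Event>""",
]


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into {field: value}; '-' means the field is unset."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "").strip() for d in root.iter(f"{NS}Data")}
    ev = {k: ("" if v == "-" else v) for k, v in ev.items()}
    ev["EventID"] = int(root.findtext(f"{NS}System/{NS}EventID", "0"))
    return ev


def classify(ev: dict) -> tuple:
    """Return (verdict, reason) for a parsed event."""
    if ev.get("EventID") != 8:
        return "ignore", "not a CreateRemoteThread event"
    src, tgt = ev.get("SourceImage", "").lower(), ev.get("TargetImage", "").lower()
    if (src, tgt) in ALLOWLIST:
        return "benign", "allowlisted source/target pair"
    if not ev.get("StartModule"):
        # The thread begins at an address no loaded module covers: private
        # memory that something wrote and made executable, i.e. shellcode.
        return "alert", "thread start address not backed by a loaded module"
    if ev.get("StartFunction", "").lower().startswith("loadlibrary"):
        return "alert", "remote thread starts at LoadLibrary (DLL injection)"
    return "review", "cross-process thread with module-backed start address"


def triage(events) -> list:
    """Return [(TargetProcessId, verdict, reason), ...] for a batch of raw events."""
    out = []
    for raw in events:
        ev = parse_event(raw)
        verdict, reason = classify(ev)
        out.append((ev.get("TargetProcessId"), verdict, reason))
    return out
```

Run `triage(SAMPLE_EVENTS)` to see the three verdicts. The first rule is the one that matters for this script: none of the three techniques above can avoid the shellcode living in memory that no module backs, so the thread (Classic) or, for the other two techniques, any later thread-start or memory telemetry will show an unbacked address; only Classic produces the Event ID 8 record itself.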

Dependencies

  • Lateral

Limitations

  • Cannot inject from a 32-bit process to a 64-bit process.

Example Text Output

Example of successful injection.

PID       : 1632
Username  : DESKTOP-LMCH70V\helpdesk
Path      : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Build     : https
Technique : Classic