Comments (25)
Added the feature you requested to my TransactedHollowing PoC.
Check this commit.
from tangledwinexec.
My PE Injection PoCs use NtCreateProcessEx, which allows a PPID as the 4th parameter, so the InitializeProcThreadAttributeList API and UpdateProcThreadAttribute API are not required.
Additionally, I do so because I want to use only Nt APIs for PoC whenever possible.
from tangledwinexec.
Yes, but it is for implementing block DLL: BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
from tangledwinexec.
Thanks for sharing your opinion.
Essentially, the purpose of this repository is not to provide attack tools, but to provide PoCs for research or investigation about process execution techniques.
If the current implementation is inconvenient to investigate the technique, please give me specific examples so I can consider changing it.
from tangledwinexec.
I am trying some solutions for NtCreate and checking the process integrity before spoofing the PPID, to have more targets; I will update you later.
BTW,
can any of your PoCs load a .NET file, or only native files?
from tangledwinexec.
Thanks for your support.
Can any of your PoCs load a .NET file, or only native files?
I have not tried with a .NET file yet.
I've been busy lately and won't have time for a while, sorry.
from tangledwinexec.
.NET seems not to work, but I'm sure it can be fixed.
BTW: https://twitter.com/_RastaMouse/status/1524761507782873088
https://offensivedefence.co.uk/posts/ntcreateuserprocess/ is C++
and ATM I use this and it's amazing: https://i.gyazo.com/32d08b93537801c64b256693ff16ee81.png
from tangledwinexec.
Thanks for sharing!
I will try to address this issue next week or the week after.
from tangledwinexec.
I like your PoC, so I want to try to improve it a bit :)
Good luck
from tangledwinexec.
I'm happy to hear that!
I will try as soon as possible 💪
from tangledwinexec.
I started from the .NET binary issue and added .NET binary support to the PE file parser of the TransactedHollowing PoC.
But NtCreateProcessEx and NtMapViewOfSection return NTSTATUS 0x4000000E: {Machine Type Mismatch} for .NET binaries.
Do you have any idea?
from tangledwinexec.
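Where that status comes from is worth pinning down before changing a parser. The following is an added example written for this page in Python; it is not code from the tangledwinexec project or from either commenter. It reads the COFF Machine field, the optional-header magic and the CLR header flags of a PE image, classifies the image as native x86/x64, managed x86/x64 or managed AnyCPU, and models a mapper that consults only the Machine field. The sample images are constructed in memory. The modelling assumption, mine and not the page's, is that an image-section machine check compares the COFF Machine field against the host's native type, so an AnyCPU assembly (PE32, Machine = I386, ILONLY set, 32BITREQUIRED clear) reports 0x4000000E on an x64 host even though the CLR itself would run it as a 64-bit process.

```python
import struct

# PE constants (Microsoft PE/COFF specification)
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_32BITREQUIRED = 0x2
STATUS_SUCCESS = 0x00000000
STATUS_IMAGE_MACHINE_TYPE_MISMATCH = 0x4000000E  # warning NTSTATUS: {Machine Type Mismatch}

MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def classify_pe(data):
    """Read the COFF Machine field, optional-header magic and CLR header flags of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 in a PE32 optional header, +112 in PE32+.
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; sizes/addresses start at +8
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    managed = clr_rva != 0 and clr_size != 0
    flags = 0
    if managed:
        # IMAGE_COR20_HEADER: cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData (rva, size), Flags at +16
        flags = struct.unpack_from("<I", data, _rva_to_offset(clr_rva, sections) + 16)[0]
    il_only = bool(flags & COMIMAGE_FLAGS_ILONLY)
    requires_32bit = bool(flags & COMIMAGE_FLAGS_32BITREQUIRED)
    arch = MACHINE_NAMES.get(machine, "0x%x" % machine)
    if not managed:
        kind = "native " + arch
    elif machine == IMAGE_FILE_MACHINE_I386 and il_only and not requires_32bit:
        kind = "managed AnyCPU"  # PE32 with Machine=x86, but the CLR runs it as 64-bit on x64 hosts
    else:
        kind = "managed " + arch
    return {"machine": machine, "pe_format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
            "managed": managed, "il_only": il_only, "requires_32bit": requires_32bit, "kind": kind}


def predict_raw_map_status(data, host_machine=IMAGE_FILE_MACHINE_AMD64):
    """Model (assumption, not measured kernel behaviour) of a mapper that trusts only the COFF
    Machine field: a Machine value other than the host's native type yields the warning status,
    whatever the CLR header says about how the image should actually execute."""
    info = classify_pe(data)
    return STATUS_SUCCESS if info["machine"] == host_machine else STATUS_IMAGE_MACHINE_TYPE_MISMATCH


def build_sample_pe(machine, clr_flags=None):
    """Construct a minimal PE32 image (constructed sample, not a real binary): one section,
    optionally holding an IMAGE_COR20_HEADER with the given flags."""
    opt_size = 224                 # PE32 optional header including 16 data directories
    section_rva, section_raw = 0x1000, 0x200
    has_clr = clr_flags is not None
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    directories = [(0, 0)] * 16
    directories[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (section_rva, 72) if has_clr else (0, 0)
    opt = struct.pack("<H", PE32_MAGIC).ljust(96, b"\0")
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in directories)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, section_rva, 0x200, section_raw,
                                           0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\0\0" + coff + opt + section).ljust(section_raw, b"\0")
    body = struct.pack("<IHHIII", 72, 2, 5, 0, 0, clr_flags) if has_clr else b""
    return image + body.ljust(0x200, b"\0")


if __name__ == "__main__":
    samples = [("AnyCPU managed", build_sample_pe(IMAGE_FILE_MACHINE_I386, COMIMAGE_FLAGS_ILONLY)),
               ("native x64", build_sample_pe(IMAGE_FILE_MACHINE_AMD64))]
    for label, sample in samples:
        print(label, "->", classify_pe(sample)["kind"], hex(predict_raw_map_status(sample)))
```

The practical point for a parser is that the Machine field alone is not the image's execution architecture once a CLR header is present: an AnyCPU assembly is PE32 with Machine = I386, and a loader that stops at the COFF header will flag it as a foreign machine type, while a loader that also reads the COR20 flags knows it is 64-bit-capable.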
<3 love you, going to test
from tangledwinexec.
I started from the .NET binary issue and added .NET binary support to the PE file parser of the TransactedHollowing PoC. But NtCreateProcessEx and NtMapViewOfSection return NTSTATUS 0x4000000E: {Machine Type Mismatch} for .NET binaries. Do you have any idea?
Not really, but I can investigate.
from tangledwinexec.
OK.
I will continue to investigate the .NET issue, but will work on the PPID first.
from tangledwinexec.
Added the feature you requested to my TransactedHollowing PoC. Check this commit.
Love your work!!! Good job.
I have tested some solutions to try to add .NET support, but nothing new from my part.
from tangledwinexec.
Little issue: if I choose block DLL but the PPID is 0, we can get an error like this (sorry, French PC)
from tangledwinexec.
Simply fixed if you add int ppid = 0 to the parameters of the method calls CreateTransactedHollowingProcess and CreateInitialProcess.
from tangledwinexec.
I cannot reproduce your issue and found no issue in the code.
It seems that you tried to execute a GUI-required PE image.
My NtCreateUserProcess implementation is minimal, so it does not support GUI-required PE images.
from tangledwinexec.
Is the block DLL causing this? Because a process tries to open the injected transacted process, I think.
from tangledwinexec.
Hey, how are you? Can you check Transacted on Win 7? It seems the block DLL does not work or is not implemented on Win 7, so the new Transacted crashes but not the old one. Maybe just check the OS like this: return (string)Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion").GetValue("ProductName");
If I put false on the block DLL, NtCreateUserProcess crashes on the process parameters.
from tangledwinexec.
Hi.
Currently, my interest lies in other projects, and I am not so interested in Windows 7 things.
So it will take some time, but I will deal with it in due time.
from tangledwinexec.
Hello, how are you?
I'm back to work and I found this: https://github.com/Shrfnt77/DynamicSyscalls/tree/main/Examples/ProcessHollowing
It is a simple process hollowing, very light, and it works for .NET payloads with the Nt API (PPID spoofing and PROCESS_CREATION_MITIGATION_POLICY), but only for x64.
Maybe this can help you find how to add or fix your PoCs to support .NET payloads.
from tangledwinexec.
Thanks for sharing!
I am busy these days and will check when it comes (maybe after April).
from tangledwinexec.
I can try to reduce it to a maximum for more simplicity if you need/want.
And put normal API vs syscall.
from tangledwinexec.
How can I contact you, please? I tried Twitter, but it seems your DMs are not open.
from tangledwinexec.