
Question about tangledwinexec (open issue, 25 comments)

KRAFMA commented on August 16, 2024
Question

from tangledwinexec.

Comments (25)

daem0nc0re commented on August 16, 2024

Added the feature you requested to my TransactedHollowing PoC.
Check this commit.

daem0nc0re commented on August 16, 2024

My PE Injection PoCs use NtCreateProcessEx, which allows a PPID as the 4th parameter, so the InitializeProcThreadAttributeList API and UpdateProcThreadAttribute API are not required.

public static extern NTSTATUS NtCreateProcessEx(

Additionally, I do so because I want to use only Nt APIs for PoC whenever possible.

KRAFMA commented on August 16, 2024

Yes, but it is for implementing block DLL: BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON

daem0nc0re commented on August 16, 2024

Thanks for sharing your opinion.
Essentially, the purpose of this repository is not to provide attack tools, but to provide PoCs for research or investigation of process execution techniques.
If the current implementation is inconvenient for investigating the technique, please give me specific examples so I can consider changing it.

KRAFMA commented on August 16, 2024

I am trying some solutions for NtCreate and checking the process integrity before spoofing the PPID, to have more targets; I will update you later.
By the way:
Can any of your PoCs load a .NET file, or only native files?

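Added example, not code from the TangledWinExec project or from either participant: the detection side of the PPID spoofing discussed above. When a process is created with an explicitly chosen parent (the parent-process parameter of NtCreateProcessEx, or the equivalent process-thread attribute), the kernel records that process in the child's ParentProcessID, but the process-start event from the kernel process ETW provider is still emitted in the context of the process that made the call, so the event header's PID is the real creator. Comparing the two exposes a spoofed parent. The event records, field names and the broker allow-list are constructed and simplified for this example; they are not the provider's exact schema.

```python
"""
Detect PPID spoofing by comparing the process that issued the create call
(event-header PID) with the parent the kernel recorded (ParentProcessID).
The event records below are constructed for this example, not real telemetry.
"""
from dataclasses import dataclass

# Hypothetical allow-list of images that legitimately create children on
# behalf of another process (e.g. elevation brokered by a service).
# Tune per environment; the names here are illustrative.
KNOWN_BROKERS = {"svchost.exe", "wmiprvse.exe"}


@dataclass(frozen=True)
class ProcessStart:
    creator_pid: int      # PID from the ETW event header: the process that made the call
    creator_image: str
    child_pid: int
    child_image: str
    parent_pid: int       # ParentProcessID field: the parent the kernel recorded
    parent_image: str


@dataclass(frozen=True)
class Finding:
    child_pid: int
    child_image: str
    recorded_parent: str
    actual_creator: str
    severity: str


def detect_ppid_spoofing(events, brokers=KNOWN_BROKERS):
    """Return one Finding per event whose creator differs from its recorded parent.

    A mismatch by a known broker is reported as informational (expected on a
    healthy system); any other mismatch is reported as high severity.
    """
    findings = []
    for ev in events:
        if ev.creator_pid == ev.parent_pid:
            continue  # ordinary creation: the caller is the parent
        severity = "info" if ev.creator_image.lower() in brokers else "high"
        findings.append(Finding(ev.child_pid, ev.child_image,
                                ev.parent_image, ev.creator_image, severity))
    return findings


# Constructed sample: a normal start, a brokered start (service creates the
# child with the requesting process as parent), and a spoofed start where an
# untrusted process claims an unrelated parent.
SAMPLE_EVENTS = [
    ProcessStart(4412, "explorer.exe", 5120, "notepad.exe", 4412, "explorer.exe"),
    ProcessStart(1188, "svchost.exe", 6004, "mmc.exe", 4412, "explorer.exe"),
    ProcessStart(7788, "untrusted.exe", 8032, "cmd.exe", 4412, "explorer.exe"),
]

if __name__ == "__main__":
    for f in detect_ppid_spoofing(SAMPLE_EVENTS):
        print(f"{f.severity:4} pid {f.child_pid} {f.child_image}: "
              f"recorded parent {f.recorded_parent}, created by {f.actual_creator}")
```

The important caveat for tuning is the second sample: legitimate brokers produce the same creator/parent mismatch, so the allow-list (or a rule on the creator's signer and path) is what keeps the alert useful rather than noisy.
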
daem0nc0re commented on August 16, 2024

Thanks for your support.

Can any of your PoCs load a .NET file, or only native files?

I have not tried with a .NET file yet.
I've been busy lately and won't have time for a while, sorry.

KRAFMA commented on August 16, 2024

.NET seems not to work, but I'm sure it can be fixed.
By the way: https://twitter.com/_RastaMouse/status/1524761507782873088
https://offensivedefence.co.uk/posts/ntcreateuserprocess/ is C++
and at the moment I use this and it's amazing: https://i.gyazo.com/32d08b93537801c64b256693ff16ee81.png

daem0nc0re commented on August 16, 2024

Thanks for sharing!
I will try to address this issue next week or the week after.

KRAFMA commented on August 16, 2024

I like your PoC, so I want to try to improve it a bit :)
Good luck

daem0nc0re commented on August 16, 2024

I'm happy to hear that!
I will try as soon as possible 💪

daem0nc0re commented on August 16, 2024

I started from the .NET binary issue and added .NET binary support to the PE file parser of the TransactedHollowing PoC.
But NtCreateProcessEx and NtMapViewOfSection return NTSTATUS 0x4000000E: {Machine Type Mismatch} for a .NET binary.
Do you have any idea?

KRAFMA commented on August 16, 2024

<3 Love you, going to test

KRAFMA commented on August 16, 2024

I started from the .NET binary issue and added .NET binary support to the PE file parser of the TransactedHollowing PoC. But NtCreateProcessEx and NtMapViewOfSection return NTSTATUS 0x4000000E: {Machine Type Mismatch} for a .NET binary. Do you have any idea?

Not really, but I can investigate.

daem0nc0re commented on August 16, 2024

OK.
I will continue to investigate the .NET issue, but will work on the PPID first.

KRAFMA commented on August 16, 2024

Added the feature you requested to my TransactedHollowing PoC. Check this commit.

Love your work!!! Good job.
I have tested some solutions to try to add .NET support, but nothing new on my part.

KRAFMA commented on August 16, 2024

Little issue: if I choose block DLL but the PPID is 0, we can get an error like this (sorry, French PC)

[screenshot of the error; image not preserved]

KRAFMA commented on August 16, 2024

Simply fixed if you add int ppid = 0 as a parameter for the method calls CreateTransactedHollowingProcess and CreateInitialProcess.

daem0nc0re commented on August 16, 2024

I cannot reproduce your issue and found no issue in the code.
It seems that you tried to execute a PE image that requires GUI.
My NtCreateUserProcess implementation is minimal, so it does not support PE images that require GUI.

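Added example, not code from the project or from either participant, placed here because it concerns the two image properties this thread runs into: the machine type behind NTSTATUS 0x4000000E (STATUS_IMAGE_MACHINE_TYPE_MISMATCH, whose top two bits mark it as informational class rather than error class) and the subsystem of a PE image that requires GUI. The script decodes NTSTATUS severity from bits 31-30 and classifies a PE by machine, subsystem and CLR header flags, which is how one tells a native x64 image from an IL-only AnyCPU .NET assembly (an I386 PE32 file that the 64-bit runtime nonetheless executes as a 64-bit process) when triaging a sample. The constants are the documented PE/COFF and CLR header values; the sample images are constructed in memory by a minimal builder so everything runs offline, and the bytes of a real file can be passed to classify_pe the same way.

```python
"""
Classify a PE image by machine type, subsystem and CLR header flags, and
decode NTSTATUS severity. The sample images are built in memory by a minimal
constructor; nothing here comes from a real binary.
"""
import struct

IMAGE_FILE_MACHINE = {0x14C: "I386 (x86)", 0x8664: "AMD64 (x64)", 0xAA64: "ARM64"}
IMAGE_SUBSYSTEM = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR header
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_32BITREQUIRED = 0x2
COMIMAGE_FLAGS_32BITPREFERRED = 0x20000


def ntstatus_severity(status):
    """Bits 31-30 of an NTSTATUS are its severity; NT_SUCCESS holds for 0 and 1."""
    sev = (status >> 30) & 3
    return ("success", "informational", "warning", "error")[sev], sev < 2


def classify_pe(data):
    """Return machine, subsystem and managed/native kind for a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dir_base = opt + (112 if pe32plus else 96)            # first data directory
    ndirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    clr_rva = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)

    # Section table entries: VirtualAddress, SizeOfRawData, PointerToRawData at +12/+16/+20.
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(nsections)]

    def rva_to_offset(rva):
        for vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + rawsize:
                return rva - vaddr + rawptr
        raise ValueError("RVA 0x%x not backed by any section" % rva)

    result = {
        "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
        "pe32plus": pe32plus,
        "subsystem": IMAGE_SUBSYSTEM.get(subsystem, str(subsystem)),
        "kind": "native",
    }
    if clr_rva and clr_size:
        # CLR header: cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData (RVA, size), Flags at +16.
        flags = struct.unpack_from("<I", data, rva_to_offset(clr_rva) + 16)[0]
        if not flags & COMIMAGE_FLAGS_ILONLY:
            result["kind"] = "mixed-mode (native code present)"
        elif flags & COMIMAGE_FLAGS_32BITPREFERRED:
            result["kind"] = "managed, AnyCPU (32-bit preferred)"
        elif flags & COMIMAGE_FLAGS_32BITREQUIRED:
            result["kind"] = "managed, x86 only"
        else:
            result["kind"] = "managed, AnyCPU (IL only)"
    return result


def build_sample_pe(machine, pe32plus, subsystem, clr_flags=None):
    """Constructed minimal PE with one section; a CLR header is placed at the
    start of that section when clr_flags is given. Parser input only, not loadable."""
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    opt_len = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_len, 0x2)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)    # Magic
    struct.pack_into("<H", opt, 68, subsystem)
    dir_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dir_base - 4, 16)                    # NumberOfRvaAndSizes
    if clr_flags is not None:
        struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, sec_rva, 72)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", sec_size, sec_rva, sec_size,
                                           sec_raw, 0, 0, 0, 0, 0x60000020)
    body = bytearray(sec_size)
    if clr_flags is not None:
        struct.pack_into("<IHHIII", body, 0, 72, 2, 5, 0, 0, clr_flags)
    return (dos + coff + bytes(opt) + section).ljust(sec_raw, b"\0") + bytes(body)


SAMPLES = {
    "dotnet_anycpu_console": build_sample_pe(0x14C, False, 3, COMIMAGE_FLAGS_ILONLY),
    "dotnet_prefer32_console": build_sample_pe(
        0x14C, False, 3,
        COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_32BITREQUIRED | COMIMAGE_FLAGS_32BITPREFERRED),
    "native_x64_gui": build_sample_pe(0x8664, True, 2),
}

if __name__ == "__main__":
    print("0x4000000E ->", ntstatus_severity(0x4000000E))
    for name, image in SAMPLES.items():
        print(name, classify_pe(image))
```

Two things the output makes visible: an AnyCPU console assembly reports machine I386 and PE32 even though it will run as 64-bit, so machine type alone does not say what the loader will do with a managed image; and checking status severity rather than comparing against zero is what separates an informational status such as 0x4000000E from a failure such as 0xC0000005.
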
KRAFMA commented on August 16, 2024

Is the block DLL causing this? Because a process tries to open the injected transacted process, I think.

KRAFMA commented on August 16, 2024

Hey, how are you? Can you check transacted on Win 7? It seems the block DLL does not work or is not implemented on Win 7, so the new transacted crashes but not the old one. Maybe just check the OS like this: return (string)Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion").GetValue("ProductName");
If I put false on the block DLL, NtCreateUserProcess crashes on the process parameters.

daem0nc0re commented on August 16, 2024

Hi.
Currently, my interest lies in other projects and I am not so interested in Windows 7 things.
So it will take some time, but I will deal with it in due time.

KRAFMA commented on August 16, 2024

Hello, how are you?
I'm back to work and I found this: https://github.com/Shrfnt77/DynamicSyscalls/tree/main/Examples/ProcessHollowing

It is a simple process hollowing, very light, and it works for .NET payloads with the Nt API (PPID spoofing and PROCESS_CREATION_MITIGATION_POLICY), but only for x64.
Maybe this can help you find how to add or fix your PoCs to support .NET payloads.

daem0nc0re commented on August 16, 2024

Thanks for sharing!
I am busy these days and will check it when I can (maybe after April).

KRAFMA commented on August 16, 2024

I can try to reduce it to a minimum to make it simpler if you need/want,
and put normal API vs syscall.

KRAFMA commented on August 16, 2024

How can I contact you, please? I tried Twitter but it seems your DMs are not open.
