decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

olevba/mraptor: keywords for shellcode injection #512

Open decalage2 opened 4 years ago

decalage2 commented 4 years ago

See https://twitter.com/NirYeho/status/1198938529725865984

decalage2 commented 3 years ago

See also:

decalage2 commented 3 years ago

Also shellcode injection using callbacks:

decalage2 commented 3 years ago

More resources about Process/DLL injection:

decalage2 commented 3 years ago

Possibly a few more keywords: https://twitter.com/EmericNasi/status/1405911923556761609

decalage2 commented 2 years ago

See also: https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

decalage2 commented 2 years ago

See also: https://twitter.com/ankit_anubhav/status/1488746204867416065

decalage2 commented 2 years ago

See also: https://www.docguard.io/running-shellcode-through-windows-callbacks-using-vba-macro/

decalage2 commented 2 years ago

PoC to dynamically resolve SSNs for syscalling in VBA: https://twitter.com/TheXC3LL/status/1566575977219645452 https://gist.github.com/X-C3LL/ba905b10163f769061ce619f26c138b8

decalage2 commented 1 year ago

Getting Ring 0 using VBA by exploiting a vulnerable device driver (CVE-2018-6606): https://twitter.com/0xDISREL/status/1584546482245419009 https://disrel.com/posts/Ring0VBA-Getting-Ring0-Using-a-Goddamn-Word-Document/ https://github.com/DISREL/Ring0VBA