malware EL84 Injector - A simple shellcode injection tool

[el84]

I released the code previously in the thread I was using to write about the injector and the changes I made until reaching this first version. The goal of the project was very basic, make a injector and change it until it can inject code without being detected(only defender was used on tests), also let the code easy to use for other people just include their payload and build.

Since its very simple I will list the "features" from the injector:

• Uses API hashing to locate needed WinAPI functions
• Encode WinAPI function pointers with a random 64bit value (XOR)
• FCALL macro to make WinAPI calls more easy
• Custom(very basic) encode/decode method

The usage is also very straight, the shellcode should be save in the same directory as the project with the name 'shellcode.bin', then running build.sh the injector.exe will be the output. The injector execution is also very simple, it just receives the process ID of the target process on command line, here is a demo, where I injected msfvenom payload to run notepad.exe. I used CalculatorApp.exe as the target and procmonitor to show the event.

I described almost all steps of development on this Thread Evolving from basic

Download Link: https://xss.pro/attachments/77058/

 

[anarchy4eva]

great content

 

[Lmorena]

Does not work. Either I'm doing bin incorrectly. I take the powershell file script.ps1 and simply rename it to script.bin. How else can I get bin from ps1?

 

[voldemort]

Does not work. Either I'm doing bin incorrectly. I take the powershell file script.ps1 and simply rename it to script.bin. How else can I get bin from ps1?

I think you probably need an actual shellcode not a powershell script you can get it from msvenom or Cobalt Strike

 

[el84]

great content

Thanks, hopefully it will help someone.

Does not work. Either I'm doing bin incorrectly. I take the powershell file script.ps1 and simply rename it to script.bin. How else can I get bin from ps1?

As voldemort said, the tool is prepared to be used with raw payload(64-bit), it can be easily adapted to support 32-bit too. But in case you really need/want to stick with your original powershell script you can try convert your code using other projects, for instance combining PS2EXE and pe_to_shellcode you probably can use the script you was trying.

 

[sekurlsa]

Cool, i tried use to bypass crowdstrike and works

 

[elice]

Does not work. Either I'm doing bin incorrectly. I take the powershell file script.ps1 and simply rename it to script.bin. How else can I get bin from ps1?

Дополню комментатора, есть еще софт, легко впринципе использовать, https://github.com/TheWover/donut

 

[el84]

Дополню комментатора, есть еще софт, легко впринципе использовать, https://github.com/TheWover/donut

What is the difficult to use the provided code here?

 

[elice]

I do not know, I just decided to share the software, as I am trying to figure out this topic myself.

What is the difficult to use the provided code here?

 

[el84]

I do not know, I just decided to share the software, as I am trying to figure out this topic myself.

I recommend to read the original thread (https://xss.pro/threads/99994/) since the description is more detailed. Also feel free to ask me any questions here or on the other thread.