InjectProc - Process Injection Techniques

Process injection is a very popular method to hide malicious behavior of code and are heavily used by malware authors.

There are several techniques, which are commonly used: DLL injection, process replacement (a.k.a process hollowing), hook injection and APC injection.

Most of them use same Windows API functions: OpenProcess, VirtualAllocEx, WriteProcessMemory, for detailed information about those functions, use MSDN.

DLL injection:

• Open target process.
• Allocate space.
• Write code into the remote process.
• Execute the remote code.

Process replacement:

• Create target process and suspend it.
• Unmap from memory.
• Allocate space.
• Write headers and sections into the remote process.
• Resume remote thread.

Hook injection:

• Find/Create process.
• Set hook

APC injection:

• Open process.
• Allocate space.
• Write code into remote threads.
• "Execute" threads using QueueUserAPC.

Download
Windows x64 binary - x64 bit DEMO

Dependencies:
vc_redist.x64 - Microsoft Visual C++ Redistributable

DEMO

Download InjectProc

Read More

[Azazel] Userland Anti-debugging & Anti-detection Rootkit

Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection.

Features

• Anti-debugging
• Avoids unhide, lsof, ps, ldd detection
• Hides files and directories
• Hides remote connections
• Hides processes
• Hides logins
• PCAP hooks avoid local sniffing
• Two accept backdoors with full PTY shells.
• Crypthook encrypted accept() backdoor
• Plaintext accept() backdoor
• PAM backdoor for local privesc and remote entry
• Log cleanup for utmp/wtmp entries based on pty
• Uses xor to obfuscate static strings

As with anything of this nature, it’s recommended you check the source-code/run it in a safe environment etc. But if I have to emphasise stuff like that, this is probably the wrong site for you.

Download Azazel

Read More