KCTHIJACK (KernelCallbackTable Hijack) is a known technique used to run shellcode after injection, sometimes in other processes, basically using something like KeUserModeCallback or patching __fnCOPYDATA in the KERNELCALLBACKTABLE struct. However, I based this code on something else, this paper to be more specific, this part here:
HOW DOES IT WORK:
First thing, for anyone that didn't play with KERNELCALLBACKTABLE yet: you won't be able to find the pointer to it in the PEB unless you are loading user32.dll or targeting a GUI process (one with a window). That's why a lot of code can be found targeting explorer.exe; at least that's what happened to me, so I loaded it here.
Next thing was to get the address of WMIsAvailableOffline, which is in wmvcore.dll, so I loaded it and used the typical GetProcAddress to do its job.
The malware used NtQueryInformationProcess to get to the PEB, and I know it can be done easier than what I did, but I used PssCaptureSnapshot and PssQuerySnapshot, which I will use too in later projects ;p
After overwriting WMIsAvailableOffline's address with our calc.exe shellcode, the next step was to patch the __fnDWORD address and let it point to our WMIsAvailableOffline, which is our shellcode ...
Of course, managing the memory part ;0, so don't forget about the read/write permissions ...
Now at the end all that was left to do was to trigger the shellcode; I used MessageBoxA to do so.
Btw, I added this function here to print out kct.__fnDWORD's value after overwriting, so you can see if it is really working.
THANKS FOR:
kct, which represents the KernelCallbackTable hijacking method, done on explorer.exe
This is not code to bypass AVs as is, but a method used to do so, instead of using CreateThread for example. On the other hand, to see how the KeUserModeCallback method works you can check this