KCTHIJACK

WHAT IS THIS:

KCTHIJACK (KernelCallbackTable Hijack) is a known technique used to run shellcode after injection, sometimes in other processes, typically by abusing something like KeUserModeCallback or patching __fnCOPYDATA in the KERNELCALLBACKTABLE struct. However, I based this code on something else, this paper to be specific, this part here:

(image: the excerpt from the paper that this implementation follows; not reproduced here)

HOW DOES IT WORK:

  • First, for anyone who hasn't played with KERNELCALLBACKTABLE yet: you won't find the pointer to it in the PEB unless user32.dll is loaded or you are targeting a GUI process (one with a window). That's why a lot of the code you can find targets explorer.exe; at least that's what happened to me, so I loaded user32.dll here.
  • Next was to get the address of WMIsAvailableOffline, which lives in wmvcore.dll, so I loaded it and used the typical GetProcAddress to do the job.
  • The malware used NtQueryInformationProcess to get to the PEB, and I know it can be done more simply than what I did, but I used PssCaptureSnapshot && PssQuerySnapshot, which I will use again in later projects ;p
  • After overwriting WMIsAvailableOffline's address with our calc.exe shellcode, the next step was to patch the __fnDWORD address and make it point to WMIsAvailableOffline, which is now our shellcode ...
  • Of course, there is the memory-management part ;0, so don't forget about the read/write permissions ...
  • At the end, all that was left was to trigger the shellcode; I used MessageBoxA to do so.
  • By the way, I added this function here to print out kct.__fnDWORD's value after overwriting, so you can see if it is really working.
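A defender-side check, added here as an example and not part of this repo: it audits the leading entries of a process's KernelCallbackTable from a memory snapshot and flags every entry that does not resolve into user32.dll, which catches both the redirect into wmvcore.dll and the final redirect to unbacked shellcode memory described above. The entry names/order and all addresses are assumptions or constructed sample data, not values from the page.

```python
import struct
from typing import Dict, List, Tuple

# Assumed (not from the original page): names of the first four x64
# KERNELCALLBACKTABLE slots, in table order; __fnDWORD is taken to be slot 2.
KCT_ENTRY_NAMES = ["__fnCOPYDATA", "__fnDWORDOPTINLPMSG", "__fnDWORD", "__fnNCDESTROY"]

ModuleMap = Dict[str, Tuple[int, int]]  # module name -> (image base, image end)


def classify_pointer(ptr: int, modules: ModuleMap) -> str:
    """Return 'user32', 'foreign:<module>' or 'unbacked' for one table entry."""
    for name, (base, end) in modules.items():
        if base <= ptr < end:
            return "user32" if name.lower() == "user32.dll" else f"foreign:{name}"
    return "unbacked"  # points outside every mapped image: private/RWX memory


def audit_kct(table: bytes, modules: ModuleMap) -> List[Tuple[str, int, str]]:
    """Parse the first len(KCT_ENTRY_NAMES) 64-bit slots of a captured table and
    return (slot name, pointer, verdict) for each one not backed by user32.dll."""
    count = len(KCT_ENTRY_NAMES)
    ptrs = struct.unpack(f"<{count}Q", table[: count * 8])
    findings = []
    for name, ptr in zip(KCT_ENTRY_NAMES, ptrs):
        verdict = classify_pointer(ptr, modules)
        if verdict != "user32":
            findings.append((name, ptr, verdict))
    return findings


# Constructed sample snapshot (fake addresses): user32 and wmvcore image ranges.
SAMPLE_MODULES: ModuleMap = {
    "user32.dll": (0x7FF810000000, 0x7FF810200000),
    "wmvcore.dll": (0x7FF820000000, 0x7FF820100000),
}
# Healthy table: every slot resolves into user32.dll.
CLEAN_TABLE = struct.pack("<4Q", 0x7FF810010000, 0x7FF810010100, 0x7FF810010200, 0x7FF810010300)
# Same table after __fnDWORD (slot 2) has been redirected to a private buffer.
PATCHED_TABLE = struct.pack("<4Q", 0x7FF810010000, 0x7FF810010100, 0x1A2B30000, 0x7FF810010300)

if __name__ == "__main__":
    for label, tbl in (("clean", CLEAN_TABLE), ("patched", PATCHED_TABLE)):
        print(label, audit_kct(tbl, SAMPLE_MODULES))
```

On a live system the table bytes come from reading PEB->KernelCallbackTable of the inspected process and the module map from its loaded-module list; the classification logic stays the same.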

THANKS FOR:

AT THE END:

This is not code to bypass AVs as is, but a method used to do so, instead of using CreateThread for example. On the other hand, to see how the KeUserModeCallback method works, you can check this


STAY TUNED FOR MORE
