Christmas
PoC demonstrating a multi process injection chain aimed at remotely executing shellcode
Install / Use
/learn @Maldev-Academy/ChristmasREADME
Maldev Academy
Christmas
Implementing an injection method mentioned by @Hexacorn.
This PoC creates multiple processes, where each process performs a specific task as part of the injection operation. Each child process will spawn another process and pass the required information via the command line. The program follows the steps below:
- The first child process creates the target process where the payload will be injected. The handle is inherited among all the following child processes.
- The second child process will allocate memory in the target process.
- The third child process will change the previously allocated memory permissions to RWX.
- Following that, for every 1024 bytes of the payload, a process will be created to write those bytes.
- Lastly, another process will be responsible for payload execution.
The PoC uses the RC4 encryption algorithm to encrypt a Havoc Demon payload. The program, ChristmasPayloadEnc.exe, will be responsible for encrypting the payload, and padding it to be multiple of 1024 (as required by the injection logic).
Demo: Bypassing MDE using Havoc's Demon payload
</br>
