{"id":17983376,"url":"https://github.com/hasherezade/thread_namecalling","last_synced_at":"2025-04-07T08:22:53.262Z","repository":{"id":250154827,"uuid":"832898028","full_name":"hasherezade/thread_namecalling","owner":"hasherezade","description":"Process Injection using Thread Name","archived":false,"fork":false,"pushed_at":"2024-08-30T14:31:48.000Z","size":114,"stargazers_count":250,"open_issues_count":0,"forks_count":35,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-31T06:09:00.588Z","etag":null,"topics":["processinjection","redteam","shellcode-injection","shellcode-injector"],"latest_commit_sha":null,"homepage":"https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hasherezade.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-24T00:36:34.000Z","updated_at":"2025-03-28T12:29:08.000Z","dependencies_parsed_at":"2024-10-29T18:39:51.282Z","dependency_job_id":null,"html_url":"https://github.com/hasherezade/thread_namecalling","commit_stats":null,"previous_names":["hasherezade/thread_namecalling"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasherezade%2Fthread_namecalling","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasherezade%2Fthread_namecalling/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasherezade%2Fthread_namecalling/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasherezade%2Fthread_namecalling/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hasherezade","download_url":"https://codeload.github.com/hasherezade/thread_namecalling/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247615644,"owners_count":20967242,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["processinjection","redteam","shellcode-injection","shellcode-injector"],"created_at":"2024-10-29T18:17:04.149Z","updated_at":"2025-04-07T08:22:53.239Z","avatar_url":"https://github.com/hasherezade.png","language":"C","readme":"# Thread Name-Calling Injection\n\n[![Build status](https://ci.appveyor.com/api/projects/status/k4ff2bndq4juwnpc?svg=true)](https://ci.appveyor.com/project/hasherezade/thread-namecalling)\n\nRemote shellcode injection technique, using Thread Name (a.k.a. Thread Description)\n\nThe code to be injected is passed as a thread description to the target (with `SetThreadDescription`). Then, a function `GetThreadDescription` is called remotely on the target, via APC, causing the description buffer to be copied into the target’s working set. After making the buffer executable, it is run using another APC call.\n\n**Details: https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/**\n\n## Remote write via Thread Name\n\nThe buffer is injected into the remote process without the need of having the [write access right (`PROCESS_VM_WRITE`)](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights).\n\n![](img/animation.gif)\n\n## Modules\n\n+ `thread_namecaller` - implementation of Thread Name-Calling injection. Injects a shellcode that pops a calc into a process selected by the PID\n+ `dll_inj` - a DLL injection variant. The path to the DLL is written into the remote process via Thread Name\n+ `thread_receive` - a demo target application, with a [set of various mitigation policies](https://github.com/hasherezade/thread_namecalling/blob/master/thread_receive/main.cpp#L11)\n\n### Demo\n\n`thread_namecaller` in action:\n+  https://www.youtube.com/watch?v=JjVSMin8kFU\n\n`dll_inj` in action:\n+  https://www.youtube.com/watch?v=8cSNgE3gZxY\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhasherezade%2Fthread_namecalling","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhasherezade%2Fthread_namecalling","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhasherezade%2Fthread_namecalling/lists"}