Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/NUL0x4C/NoRunPI
Run Your Payload Without Running Your Payload
Last synced: 6 days ago
- Host: GitHub
- URL: https://github.com/NUL0x4C/NoRunPI
- Owner: NUL0x4C
- License: mit
- Created: 2022-10-16T15:45:33.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2022-10-17T05:33:06.000Z (about 2 years ago)
- Last Synced: 2024-08-01T19:42:18.056Z (3 months ago)
- Language: C
- Size: 24.4 KB
- Stars: 175
- Watchers: 5
- Forks: 29
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
### NoRunPI: Run Your Payload Without Running Your Payload
#### Since "SettingSyncHost.exe -Embedding" starts a thread at "SHCore.dll!Ordinal172+0x100", we can hijack the flow before that thread starts. To do that:
- Load shcore.dll in the injector and calculate the thread's entry address (the export at ordinal 172 plus 0x100); system DLLs keep one base address for every process until reboot, so the address resolved locally is also the address inside the target
- Create the "SettingSyncHost.exe -Embedding" process
- Brute-force the calculated address in the new process, that is, keep probing it and stop as soon as it is valid (shcore.dll has been mapped there)
- Suspend the process
- Inject the payload at the calculated address
- Resume the process; when its own thread starts at that address it runs the payload instead of the original code
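The address calculation from the first step, as an added example that is not NoRunPI's code: it resolves an export by ordinal from a PE image without windows.h (the same lookup GetProcAddress does for MAKEINTRESOURCE(172)) and adds the +0x100 offset, with bounds checks so a malformed image cannot walk it off the buffer. The PE32+ image it parses is constructed inline and is an assumption (ordinals 170..173, export directory at RVA 0x200), as is the module base 0x7FF800000000. The Windows-only steps (CreateProcess, probing the address, suspend/resume, WriteProcessMemory) are not shown because they do not build off Windows.

```c
/* Added example, not NoRunPI's own code: resolve an export by ordinal from a
 * PE image and compute "Ordinal172+0x100", the thread start the README
 * hijacks. No windows.h, so it builds anywhere; it runs against a constructed
 * PE32+ image (assumption: ordinals 170..173, export dir at RVA 0x200). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NORUNPI_ORDINAL 172u     /* SHCore.dll!Ordinal172 ...   */
#define NORUNPI_OFFSET  0x100u   /* ... +0x100, from the README */

/* Bounds-checked little-endian readers; a hostile image must not walk us off the buffer. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8);
    return 1;
}
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* RVA of export `ordinal` in a mapped image (RVA == buffer offset), or -1 on a
 * malformed image / out-of-range ordinal. Same lookup GetProcAddress does for
 * MAKEINTRESOURCE(ordinal): index = ordinal - Base, rva = AddressOfFunctions[index]. */
int64_t export_rva_by_ordinal(const uint8_t *img, size_t len, uint32_t ordinal) {
    uint32_t e_lfanew, sig, magic, dd_off, exp_rva, exp_size, base, nfuncs, aof, rva;

    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    if (!rd32(img, len, 0x3C, &e_lfanew)) return -1;
    if (!rd32(img, len, e_lfanew, &sig) || sig != 0x00004550u) return -1;  /* "PE\0\0" */
    size_t opt = (size_t)e_lfanew + 4 + 20;          /* skip signature + IMAGE_FILE_HEADER */
    if (!rd16(img, len, opt, &magic)) return -1;
    if (magic == 0x20Bu)      dd_off = 112;          /* PE32+: data directories at +112 */
    else if (magic == 0x10Bu) dd_off = 96;           /* PE32:  data directories at +96  */
    else return -1;
    if (!rd32(img, len, opt + dd_off, &exp_rva)) return -1;      /* DataDirectory[0].VirtualAddress */
    if (!rd32(img, len, opt + dd_off + 4, &exp_size)) return -1; /* DataDirectory[0].Size */
    if (exp_rva == 0 || exp_size < 40) return -1;    /* no export table */

    if (!rd32(img, len, (size_t)exp_rva + 16, &base))   return -1;  /* Base               */
    if (!rd32(img, len, (size_t)exp_rva + 20, &nfuncs)) return -1;  /* NumberOfFunctions  */
    if (!rd32(img, len, (size_t)exp_rva + 28, &aof))    return -1;  /* AddressOfFunctions */
    if (ordinal < base || ordinal - base >= nfuncs) return -1;      /* forgetting Base is the classic bug */
    if (!rd32(img, len, (size_t)aof + 4u * (size_t)(ordinal - base), &rva)) return -1;
    return rva ? (int64_t)rva : -1;                  /* a zero RVA is an unused ordinal slot */
}

/* Absolute thread start in the target: module base + export RVA + 0x100. System DLLs
 * keep one base for every process until reboot, so the base LoadLibrary returns in the
 * injector is also the base inside SettingSyncHost.exe. Returns 0 on failure. */
uint64_t norunpi_thread_entry(uint64_t module_base, const uint8_t *img, size_t len) {
    int64_t rva = export_rva_by_ordinal(img, len, NORUNPI_ORDINAL);
    return rva < 0 ? 0 : module_base + (uint64_t)rva + NORUNPI_OFFSET;
}

/* Constructed stand-in for a mapped shcore.dll: DOS/PE headers plus an export
 * directory with four ordinals (170..173); everything else is zero. */
#define SAMPLE_LEN 0x400u
static uint8_t g_sample[SAMPLE_LEN];
static void wr32(uint8_t *b, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}
const uint8_t *sample_image(void) {
    memset(g_sample, 0, SAMPLE_LEN);
    g_sample[0] = 'M'; g_sample[1] = 'Z';
    wr32(g_sample, 0x3C, 0x80);          /* e_lfanew -> IMAGE_NT_HEADERS at 0x80 */
    wr32(g_sample, 0x80, 0x00004550u);   /* "PE\0\0"; IMAGE_FILE_HEADER at 0x84 */
    g_sample[0x98] = 0x0B; g_sample[0x99] = 0x02;   /* optional header Magic = PE32+ */
    wr32(g_sample, 0x98 + 112, 0x200);   /* export directory RVA  */
    wr32(g_sample, 0x98 + 116, 40);      /* export directory size */
    wr32(g_sample, 0x200 + 16, 170);     /* Base: first ordinal is 170 */
    wr32(g_sample, 0x200 + 20, 4);       /* NumberOfFunctions          */
    wr32(g_sample, 0x200 + 28, 0x300);   /* AddressOfFunctions         */
    wr32(g_sample, 0x300 + 0,  0x1000);  /* ordinal 170 */
    wr32(g_sample, 0x300 + 4,  0x1100);  /* ordinal 171 */
    wr32(g_sample, 0x300 + 8,  0x1200);  /* ordinal 172 <- the one we want */
    wr32(g_sample, 0x300 + 12, 0x1300);  /* ordinal 173 */
    return g_sample;
}

int main(void) {
    uint64_t assumed_base = 0x7FF800000000ull;   /* assumption: shcore.dll base in this session */
    uint64_t entry = norunpi_thread_entry(assumed_base, sample_image(), SAMPLE_LEN);
    printf("SHCore.dll!Ordinal%u+0x%x -> 0x%llx\n", NORUNPI_ORDINAL, NORUNPI_OFFSET,
           (unsigned long long)entry);
    return entry ? 0 : 1;
}
```

On a real host the image argument would be the bytes at the HMODULE that LoadLibrary returns (an HMODULE is the base of the mapped image, so RVAs are offsets from it) and the module base that same HMODULE value. If the target ever gets a differently-based copy of the DLL, the probe in the third step keeps failing, which is the signal to fall back and recompute rather than write blindly.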
### DEMO:
![image](https://user-images.githubusercontent.com/111295429/196046411-1adc092c-55a6-49bb-8cee-d12bf341296d.png)
![image](https://user-images.githubusercontent.com/111295429/196044925-4c8d3b1d-90a4-42cd-90f5-4f43e188c91e.png)
#### Note that this is an idea more than a stable PoC of a process injection technique. You can find many such processes (ones that create threads at predictable addresses inside system DLLs) and implement your own code the same way for the same result (for example, on my machine the same process also has a thread on combase.dll!InternalTlsAllocData+0x70).