Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry

Dll injection through code page id modification in registry. Based on jonas lykk research
https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry

Last synced: about 1 month ago
JSON representation

Dll injection through code page id modification in registry. Based on jonas lykk research

Awesome Lists containing this project

README 

        
# NlsCodeInjectionThroughRegistry

Dll injection through registry modification of NLS code page ID.



It requieres administrator privileges, but it definetely works.

 

# How does it work?

It is based on jonas lykk discovery here: https://twitter.com/jonaslyk/status/1352729173631135751?lang=en



What I did is looking around the binaries related, from where I found SetConsoleCp/SetConsoleOutputCP

are the main parts involved in the dll loading, you dont care about exports at all.



If the process is not console based, you can allocate one with AllocConsole, payload will still get triggered.



For this reason, to make it to work, I had to create position independent shellcode and inject it to a remote process, which works as a stager to the actual loading of the dll.

This is just meant for demostration purposes.



(Writeup will be updated soon in this repository.)



# How to use?

Compile the project in release x64, it uses the default jonas payload, which spawns a shell when loaded.

ShellcodeInjection is just an additional project I used to convert C to shellcode, using hasherezade method described here:

https://github.com/vxunderground/VXUG-Papers/blob/main/From%20a%20C%20project%20through%20assembly%20to%20shellcode.pdf



Only x64, tested in Windows 11.