Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/hasherezade/thread_namecalling

Process Injection using Thread Name
https://github.com/hasherezade/thread_namecalling

processinjection redteam shellcode-injection shellcode-injector

Last synced: 4 days ago
JSON representation

Process Injection using Thread Name

Host: GitHub
URL: https://github.com/hasherezade/thread_namecalling
Owner: hasherezade
Created: 2024-07-24T00:36:34.000Z (6 months ago)
Default Branch: master
Last Pushed: 2024-08-30T14:31:48.000Z (4 months ago)
Last Synced: 2024-12-25T12:04:00.951Z (11 days ago)
Topics: processinjection, redteam, shellcode-injection, shellcode-injector
Language: C
Homepage: https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/
Size: 111 KB
Stars: 243
Watchers: 5
Forks: 32
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# Thread Name-Calling Injection

[![Build status](https://ci.appveyor.com/api/projects/status/k4ff2bndq4juwnpc?svg=true)](https://ci.appveyor.com/project/hasherezade/thread-namecalling)

Remote shellcode injection technique, using Thread Name (a.k.a. Thread Description)

The code to be injected is passed as a thread description to the target (with `SetThreadDescription`). Then, a function `GetThreadDescription` is called remotely on the target, via APC, causing the description buffer to be copied into the target’s working set. After making the buffer executable, it is run using another APC call.

**Details: https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/**

## Remote write via Thread Name

The buffer is injected into the remote process without the need of having the [write access right (`PROCESS_VM_WRITE`)](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights).

![](img/animation.gif)

## Modules

+ `thread_namecaller` - implementation of Thread Name-Calling injection. Injects a shellcode that pops a calc into a process selected by the PID
+ `dll_inj` - a DLL injection variant. The path to the DLL is written into the remote process via Thread Name
+ `thread_receive` - a demo target application, with a [set of various mitigation policies](https://github.com/hasherezade/thread_namecalling/blob/master/thread_receive/main.cpp#L11)

### Demo

`thread_namecaller` in action:
+ https://www.youtube.com/watch?v=JjVSMin8kFU

`dll_inj` in action:
+ https://www.youtube.com/watch?v=8cSNgE3gZxY