-
Notifications
You must be signed in to change notification settings - Fork 160
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add inject-shellcode-using-extra-window-memory.yml and inject-shellco…
…de-using-window-subclass-procedure.yml
- Loading branch information
Showing
2 changed files
with
57 additions
and
0 deletions.
There are no files selected for viewing
27 changes: 27 additions & 0 deletions
27
host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| rule: | ||
| meta: | ||
| name: inject shellcode using extra window memory | ||
| namespace: host-interaction/process/inject | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| att&ck: | ||
| - Defense Evasion::Process Injection::Extra Window Memory Injection [T1055.011] | ||
| mbc: | ||
| - Defense Evasion::Process Injection [E1055] | ||
| references: | ||
| - https://unprotect.it/technique/extra-window-memory-injection/ | ||
| - https://github.com/SafeBreach-Labs/pinjectra/blob/master/Pinjector/SetWindowLongPtrA.cpp | ||
| examples: | ||
| - 592cfd22bba96ef3aab566fe7bf82aff5e1b4130856d1f7f847d03d4689af7e7:0x1400010C0 | ||
| features: | ||
| - and: | ||
| - match: find taskbar | ||
| - match: open process | ||
| - match: write process memory | ||
| - or: | ||
| - api: SetWindowLong | ||
| - api: SetWindowLongPtr | ||
| - or: | ||
| - api: PostMessage | ||
| - api: SendNotifyMessage |
30 changes: 30 additions & 0 deletions
30
host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| rule: | ||
| meta: | ||
| name: inject shellcode using window subclass procedure | ||
| namespace: host-interaction/process/inject | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| att&ck: | ||
| - Defense Evasion::Process Injection [T1055] | ||
| mbc: | ||
| - Defense Evasion::Process Injection [E1055] | ||
| references: | ||
| - https://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/ | ||
| - https://modexp.wordpress.com/2018/08/23/process-injection-propagate/ | ||
| - https://github.com/Fahersto/code_injection/blob/master/shellcode_injection/propagate_injection.cpp | ||
| examples: | ||
| - 6c440a5ce8509984dcc4e703d0e4dd9bffc4efd769dc8543f8d2e0cd86452822:0x25D7F1425 | ||
| features: | ||
| - and: | ||
| - match: find graphical window | ||
| - match: open process | ||
| - match: write process memory | ||
| - api: SetProp | ||
| - or: | ||
| - api: PostMessage | ||
| - api: SendNotifyMessage | ||
| - string: "UxSubclassInfo" | ||
| - or: | ||
| - string: "ToolbarWindow32" | ||
| - string: "SHELLDLL_DefView" |