- asm
- create_fiber
- create_remote_thread
- create_remote_thread_native
- create_thread
- create_thread_native
- etwp_create_etw_thread
- memmap2_transmute
- nt_queue_apc_thread_ex_local
- rtl_create_user_thread
shellcode execute locally.
- link shellcode to .text section
- inline asm using asm! macro
- call shellcode
shellcode execute locally.
- convert current thread to fiber using
ConvertThreadToFiber - alloc memory using
VirtualAlloc - copy shellcode to allocated memory using
std::ptr::copy - create a fiber using
CreateFiber - jump shellcode using
SwitchToFiber - jump back
shellcode execute remotely.
inject explorer.exe by default.
- get pid by process name using crate
sysinfo - get handle using
OpenProcess - alloc remote memory using
VirtualAllocEx - copy shellcode to allocated memory using
WriteProcessMemory - change memory permission to executable using
VirtualProtectEx - execute shellcode using
CreateRemoteThread - close opened handle using
CloseHandle
shellcode execute remotely.
inject explorer.exe by default.
this is same with create_remote_thread, but without crate windows-sys
using crate libloading get functions from dlls.
shellcode execute locally.
- alloc remote memory using
VirtualAlloc - copy shellcode to allocated memory using
std::ptr::copy - change memory permission to executable using
VirtualProtect - execute shellcode using
CreateThread - waiting thread exit using
WaitForSingleObject
shellcode execute locally.
this is same with create_thread, but without crate windows-sys
using crate libloading get functions from dlls.
shellcode execute locally.
- get
EtwpCreateEtwThreadfuntion fromntdllusingLoadLibraryAandGetProcAddress - alloc remote memory using
VirtualAlloc - copy shellcode to allocated memory using
std::ptr::copy - change memory permission to executable using
VirtualProtect - execute shellcode using
EtwpCreateEtwThread - waiting thread exit using
WaitForSingleObject
shellcode execute locally.
- alloc memory using crate
memmap2 - copy shellcode using
copy_from_slicefunction fromMmapMutstruct - change memory permission to executable using
make_execfuntion fromMmapMutstruct - convert memory pointer to fn type using
transmute - ex 5C94 ecute fn
shellcode execute locally.
- get
NtQueueApcThreadExfuntion fromntdllusingLoadLibraryAandGetProcAddress - alloc remote memory using
VirtualAlloc - copy shellcode to allocated memory using
std::ptr::copy - change memory permission to executable using
VirtualProtect - get current thread handle using
GetCurrentThread - execute shellcode using
NtQueueApcThreadEx
shellcode execute remotely.
inject explorer.exe by default.
- get
RtlCreateUserThreadfuntion fromntdllusingLoadLibraryAandGetProcAddress - get pid by process name using crate
sysinfo - get handle using
OpenProcess - alloc remote memory using
VirtualAllocEx - copy shellcode to allocated memory using
WriteProcessMemory - change memory permission to executable using
VirtualProtectEx - execute shellcode using
RtlCreateUserThread - close opened handle using
CloseHandle