Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Process injection RWX injection / Mockingjay local injection #2587

Merged
merged 3 commits into from
Nov 7, 2023
Merged

Process injection RWX injection / Mockingjay local injection #2587

merged 3 commits into from
Nov 7, 2023

Conversation

thomasxm
Copy link
Contributor

@thomasxm thomasxm commented Nov 4, 2023

Details:
This test exploited the vulnerability in legitimate PE formats where sections have RWX permission and enough space for shellcode. The RWX injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory, thus evading detection mechanisms that relied on API call sequences and heuristics.

The RWX injection utilises API call sequences: LoadLibrary --> GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.

The injected shellcode will open a message box and a notepad. RWX Process Injection, also known as MockingJay, was introduced to the security community by SecurityJoes. More details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.

The original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.

Testing:
Tested with both Windows 10 and Windows 11 fully patched. Windows defender was unaware of the process injection.
Test spawned a message box with "Atomic Red Team" and a notepad. Test will terminate the injected process.

Associated Issues:
N/A

Screenshot 2023-11-04 at 12 44 31

clr2of8
clr2of8 approved these changes Nov 7, 2023
View reviewed changes
Copy link
Collaborator

@clr2of8 clr2of8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for provided the source code, along with the DLL and for the great description.

@clr2of8 clr2of8 merged commit d133634 into redcanaryco:master Nov 7, 2023
3 checks passed
@thomasxm thomasxm deleted the process_injection_mockingjay_local_injection branch November 9, 2023 19:48
@yoyocircle yoyocircle mentioned this pull request Nov 15, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clr2of8 clr2of8 clr2of8 approved these changes

Assignees

@MHaggis MHaggis

@clr2of8 clr2of8

Labels
windows
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thomasxm @clr2of8 @MHaggis