A new shellcode injection technique, provided as a C++ header, a standalone Rust program, or a Rust library.

Overview

FunctionStomping


Description

This is a brand-new shellcode injection technique designed to evade AVs and EDRs. It is inspired by Module Stomping and shares some similarities with it. As of this date (23-01-2022), hollows-hunter does not detect it either.

The big advantage of this technique is that it does not overwrite an entire module or PE, only a single function, so the target process can still use every other function of the target module.

The disadvantage is that it will not work for every function in the wild (though it works for most of them); the exact explanation is in my blog post: The Good, The Bad And The Stomped Function.

NOTE: It is possible that an AV will flag this. If the flagged signature is the msfvenom/Metasploit one, that is fine: you just need to change the shellcode or encrypt it.
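Because only one function is overwritten, a scanner that diffs a whole module against its on-disk image at page granularity can miss the change. The added example below (written for this page, not code from the FunctionStomping project) shows the comparison a detector needs: diff the in-memory copy of a module's code section against the file copy and attribute any differing bytes to the exported function that owns them. The Windows plumbing (reading the remote process's memory and mapping the file) is left to the caller; the export table, byte images and function names (FuncA/FuncB/FuncC) are constructed sample data, and the `ignore` ranges stand in for relocation targets, which legitimately differ between disk and memory and would otherwise be false positives.

```rust
// Added example (not part of FunctionStomping): flag an exported function whose
// in-memory bytes no longer match the on-disk image. Only the comparison core
// is shown; obtaining the two byte images is Windows-specific and left out.

/// One exported function: its offset and length inside the code section.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Export {
    pub name: String,
    pub offset: usize,
    pub len: usize,
}

/// A finding: an export whose memory bytes diverge from the disk copy.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct StompedFunction {
    pub name: String,
    /// Offset of the first differing byte, relative to the function start.
    pub first_diff: usize,
    /// Number of differing bytes inside the function.
    pub diff_bytes: usize,
}

/// Offsets (within the code section) where disk and memory disagree, skipping
/// `ignore` ranges (offset, len): loader-patched bytes such as relocated
/// absolute addresses legitimately differ and must not count as stomping.
pub fn diff_offsets(disk: &[u8], mem: &[u8], ignore: &[(usize, usize)]) -> Vec<usize> {
    disk.iter()
        .zip(mem.iter())
        .enumerate()
        .filter(|&(_, (a, b))| a != b)
        .map(|(i, _)| i)
        .filter(|&i| !ignore.iter().any(|&(s, l)| i >= s && i < s + l))
        .collect()
}

/// Attribute differing bytes to the exported function that owns them.
pub fn find_stomped(disk: &[u8], mem: &[u8], exports: &[Export], ignore: &[(usize, usize)]) -> Vec<StompedFunction> {
    let diffs = diff_offsets(disk, mem, ignore);
    let mut out = Vec::new();
    for e in exports {
        let end = e.offset + e.len;
        let inside: Vec<usize> = diffs.iter().copied().filter(|&o| o >= e.offset && o < end).collect();
        if let Some(&first) = inside.first() {
            out.push(StompedFunction {
                name: e.name.clone(),
                first_diff: first - e.offset,
                diff_bytes: inside.len(),
            });
        }
    }
    out
}

/// Constructed sample: a 48-byte "code section" of three 16-byte functions,
/// each 15 filler bytes followed by RET (0xC3). Not real module bytes.
pub fn sample_disk() -> Vec<u8> {
    let mut v = Vec::with_capacity(48);
    for f in 0u8..3 {
        v.extend(std::iter::repeat(0x10 + f).take(15));
        v.push(0xC3);
    }
    v
}

/// Constructed export table matching `sample_disk` (names are placeholders).
pub fn sample_exports() -> Vec<Export> {
    vec![
        Export { name: "FuncA".into(), offset: 0, len: 16 },
        Export { name: "FuncB".into(), offset: 16, len: 16 },
        Export { name: "FuncC".into(), offset: 32, len: 16 },
    ]
}

/// Constructed memory image: FuncB's first 8 bytes were replaced (0xCC stands
/// in for injected code) and 4 bytes inside FuncC were patched by a pretend
/// relocation, so a naive diff reports FuncC as well.
pub fn sample_mem() -> Vec<u8> {
    let mut v = sample_disk();
    for b in &mut v[16..24] {
        *b = 0xCC;
    }
    for b in &mut v[40..44] {
        *b = 0x00;
    }
    v
}

fn main() {
    let (disk, mem, exports) = (sample_disk(), sample_mem(), sample_exports());
    // Without a relocation mask the patched FuncC shows up as a false positive.
    for s in find_stomped(&disk, &mem, &exports, &[]) {
        println!("unmasked: {} differs at +{:#x} ({} bytes)", s.name, s.first_diff, s.diff_bytes);
    }
    // Masking the relocated bytes leaves only the stomped function.
    for s in find_stomped(&disk, &mem, &exports, &[(40, 4)]) {
        println!("masked:   {} differs at +{:#x} ({} bytes)", s.name, s.first_diff, s.diff_bytes);
    }
}
```

On a real system the `ignore` list would be derived from the module's `.reloc` section (and any import thunks living in the code section), the export table from the PE export directory, and `len` from the distance to the next export or from the exception directory; without that masking a rebased DLL produces a diff in every function that embeds an absolute address.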

Usage

Either include the header in your program like this:

#include "functionstomping.hpp"

int main() {
    // Just get the pid in any way and pass it to the function.
    DWORD pid = 3110;
    FunctionStomping(pid);
    return 0;
}

Or build and use the Rust program:

cd functionstomping
cargo b
functionstomping.exe <pid>

After you have run this program you MUST call the stomped function from the remote process! (If you used the default function, CreateFile, then the remote process must call CreateFile!)

Setup

Currently the shellcode just pops a calculator; to change it, replace the unsigned char shellcode[] array with your own shellcode. I compiled the C++ header version with C++17 and VS2019, and the Rust program with Rust edition 2021 (the dependencies are listed in Cargo.toml).

POC

Disclaimer

I'm not responsible in any way for any kind of damage done to your computer / program as a result of this project. I happily accept contributions; make a pull request and I will review it!
If you find someone who published about this method before today (23-01-2022), please let me know so I can add an acknowledgment.

Acknowledgments

https://github.com/countercept/ModuleStomping
https://www.cyberark.com/resources/threat-research-blog/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners

Comments
  • Possible with .net assembly ?

    Hi, is your beautiful piece of work working with .NET assemblies?

    I'm trying to run a .NET assembly shellcode generated with the donut tool from TheWover. https://github.com/TheWover/donut

    The .NET PE I converted is an AsyncRAT PE; when I try to inject it inside a process (I had to remove the max shellcode length because the shellcode is 147k bytes long) I get no connection back / the assembly is not starting?

    Is this even possible to work with a .NET PE?

    Sorry for the retarded question but I'm really not good with shellcode stuff.

    opened by Kalvelign 2
  • [BUG]  Failed to change protection [0]


    Hello, I'm currently studying some codes and I ended up here.

    I use Windows x64. I had to compile the cpp using the "-DUNICODE" flag to be able to compile, but when I run the console it does not inject into any pid and gives this error:

    [+] Got process handle! [+] Got function base! [-] Failed to change protection: 0

    I tried in Notepad and others; in Rust, when I compile, it says that this program is compatible with 32 bits and not x64, so the normal "cargo b" instruction doesn't work.

    I tried various processes from Notepad to others and it doesn't work (see Screenshot_128).

    Edit: I was able to resolve the architecture error (Windows 10 x64) in Rust by running the following commands: rustup target add x86_64-pc-windows-gnu; cargo build --target x86_64-pc-windows-gnu

    After the test, the calc does not open but in the console everything seems normal. I will continue the tests. The message shows the following (see Screenshot_130):

    opened by ghost 2
  • [QUESTIONS] Some victim processes crash without execution


    First of all, thanks for your work and publishing it along with the very interesting blog post.

    I've been playing a bit with your POC, especially the Rust version, and there is something I'm not fully getting. Depending on the victim process, I get the following results:

    • Majority of processes (e.g. notepad): when the stomped function is called the shellcode executes (calc pops open) and the victim process crashes with an access violation error.
    • Some processes (e.g. explorer.exe): when the stomped function is called the process crashes with an access violation error, but the shellcode does not seem to execute (nothing happens, no calc).

    I've tried with a custom shellcode and by changing the targeted function in kernel32.dll but I always get the same results. So my questions are:

    • Do you know why for some processes the shellcode will not execute and the process will just crash? (function used? bad shellcode?)
    • Do you have an idea how to get reliable shellcode execution on all processes?
    bug help wanted good first issue 
    opened by Scaum 1
  • Possible to have > 0x1000 size?

    Hello, neat idea you found there. Is it possible to have more than 4096 bytes available for the shellcode, or is that the max? If more is not possible, would it be possible to split it across more functions to achieve the goal?

    enhancement 
    opened by rohybnol 1
Owner
Ido Veltzman
Security researcher that also likes to create some stuff