
Windows Process Injection: Poisoned Explorer


IDEA

The Explorer process uses the LoadLibraryW function to load additional libraries at runtime. What if we overwrite the code of LoadLibraryW and redirect it to our shellcode? Every time Explorer calls LoadLibraryW, our code runs without any trigger from the attacker's side. (Any other function can be used, some of which Explorer calls even more often; the shellcode should also call the overwritten function to avoid crashes.)

[API Monitor screenshot]

If our shellcode's size is less than the original code's size, only two process-interaction calls are needed: OpenProcess and WriteProcessMemory.
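Detection-side counterpart, added here and not part of the post: an in-place overwrite leaves the export's bytes in the live process different from a clean copy of kernel32.dll, so a byte-level integrity check over the export catches it and names the common trampoline shapes. The ReadProcessMemory acquisition step and the prologue bytes are assumptions, constructed for the example.

```c
#include <string.h>
#include <stddef.h>

/* Integrity check for an exported function's code in a suspect process.
 * Assumed workflow (not shown): read the export's first bytes from the live
 * process with ReadProcessMemory and compare with a trusted copy (the same
 * export in a cleanly loaded kernel32.dll, or the image on disk). Both
 * buffers here are constructed inline so the check runs offline. */

enum verdict { CODE_INTACT = 0, HOOK_JMP_REL32, HOOK_JMP_RIP_IND,
               HOOK_MOV_RAX_JMP_RAX, HOOK_PUSH_RET, CODE_REPLACED };
/* Classify a modified function start by the usual trampoline shapes; any
 * other difference (e.g. a body replaced wholesale) is CODE_REPLACED. */
static enum verdict classify(const unsigned char *live, size_t n)
{
    if (n >= 5 && live[0] == 0xE9)                    return HOOK_JMP_REL32;       /* jmp rel32 */
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) return HOOK_JMP_RIP_IND;     /* jmp [rip+disp32] */
    if (n >= 12 && live[0] == 0x48 && live[1] == 0xB8
        && live[10] == 0xFF && live[11] == 0xE0)      return HOOK_MOV_RAX_JMP_RAX; /* mov rax,imm64; jmp rax */
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) return HOOK_PUSH_RET;        /* push imm32; ret */
    return CODE_REPLACED;
}

/* Compare n bytes of trusted vs live; report how many differ and where. */
enum verdict check_export(const unsigned char *trusted, const unsigned char *live,
                          size_t n, size_t *first_diff, size_t *ndiff)
{
    size_t i, first = n, count = 0;
    for (i = 0; i < n; i++)
        if (trusted[i] != live[i]) { if (first == n) first = i; count++; }
    if (first_diff) *first_diff = first;
    if (ndiff) *ndiff = count;
    return count == 0 ? CODE_INTACT : classify(live, n);
}

/* Constructed sample of a typical MSVC x64 prologue (mov [rsp+8],rbx; push rdi;
 * sub rsp,20h; ...); illustrative only, not the real LoadLibraryW bytes. */
static const unsigned char TRUSTED[16] = { 0x48,0x89,0x5C,0x24,0x08, 0x57,
    0x48,0x83,0xEC,0x20, 0x48,0x8B,0xD9, 0x48,0x8B,0xFA };

/* The same export after an in-place "mov rax, imm64; jmp rax" overwrite
 * (target address left as zeros in this constructed sample). */
enum verdict demo_hooked(size_t *first_diff, size_t *ndiff)
{
    static const unsigned char tramp[12] = { 0x48,0xB8, 0,0,0,0,0,0,0,0, 0xFF,0xE0 };
    unsigned char live[16];
    memcpy(live, TRUSTED, sizeof live);
    memcpy(live, tramp, sizeof tramp);
    return check_export(TRUSTED, live, sizeof live, first_diff, ndiff);
}
```

On a real host the same comparison can be run over the whole export rather than its first 16 bytes, since the post's approach replaces the function body, not just its prologue.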

Proof of Concept

DEMO

whoami: @_qaz_qaz