cd ../$RANDOM

Windows Process Injection: Poisoned Explorer

1 minute read


Explorer process uses LoadLibraryW function to load additional libraries at runtime, what if we overwrite the code of LoadLibraryW and redirect it to our shellcode?! Every time the Explorer process calls LoadLibraryW, our code will be called without any trigger from the attacker’s side. (We can use any other function, some even more frequently used by the Explorer process, also call overwritten function to avoid crashes)


If our shellcode’s size is less than the original code’s size, only two process interaction related calls are enough: OpenProcess and WriteProcessMemory

Proof of Concept


whoami: @_qaz_qaz