index.html
401 lines (375 loc) · 30.2 KB
---
layout: default
---
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Process Injection</title>
<style>
body {
font-family: Arial, sans-serif;
background-color: #000;
color: #fff;
margin: 0;
padding: 0;
}
header {
text-align: center;
padding: 50px 0;
background-color: #333;
color: white;
}
.content-section {
width: 90%;
max-width: 1200px;
margin: 20px auto;
padding: 20px;
}
.content-section h2 {
color: #fff;
border-bottom: 2px solid #fff;
padding-bottom: 10px;
margin-bottom: 20px;
}
.content-section p {
line-height: 1.6;
color: #ccc;
}
.card-container {
display: flex;
flex-wrap: wrap;
gap: 20px;
justify-content: center;
}
.card {
width: 100%;
max-width: 600px;
background-color: #fff;
border: 1px solid #ddd;
border-radius: 8px;
box-shadow: 0 2px 8px rgba(0, 0, 0, 0.1);
overflow: hidden;
position: relative;
padding: 20px;
color: #000;
transition: transform 0.3s;
}
.card:hover {
transform: scale(1.05);
}
.card h3 {
font-size: 1.5em;
margin: 0;
margin-bottom: 10px;
color: #000;
}
.card img.technique-image {
width: 200px;
height: 200px;
object-fit: cover;
float: left;
margin-right: 20px;
}
.card img.windows-icon {
position: absolute;
top: 20px;
right: 20px;
width: 24px;
height: 24px;
opacity: 0.7;
}
.card p {
font-size: 1em;
color: #008080;
margin-left: 120px;
}
body {
font-family: Arial, sans-serif;
background-color: #000;
color: #fff;
margin: 20px;
}
.heatmap {
display: grid;
grid-template-columns: repeat(4, 1fr);
gap: 10px;
max-width: 1200px;
margin: 0 auto;
}
.heatmap-item {
background-color: #fff;
color: #000;
border: 1px solid #ddd;
border-radius: 5px;
padding: 10px;
text-align: center;
position: relative;
transition: background-color 0.3s, color 0.3s;
}
.heatmap-item:hover {
background-color: #f0f0f0;
color: #000;
}
/* Color coding for heatmap items */
.low-intensity { background-color: #ffcccc; } /* Light Red */
.medium-intensity { background-color: #ff9966; } /* Medium Orange */
.high-intensity { background-color: #ff6600; } /* Dark Orange */
.very-high-intensity { background-color: #cc0000; } /* Dark Red */
.heatmap-item::after {
content: attr(data-tooltip);
position: absolute;
bottom: 100%;
left: 50%;
transform: translateX(-50%);
background-color: #333;
color: #fff;
padding: 5px;
border-radius: 3px;
white-space: nowrap;
opacity: 0;
transition: opacity 0.3s;
font-size: 14px;
}
.heatmap-item:hover::after {
opacity: 1;
}
</style>
</head>
<body>
<div align="center">
<img width="400px" src="Assets/PE.jpg" alt="Injection Series" />
<br />
</div>
<div class="content-section">
<h2>C:\Users\Offensive-Panda>whoami</h2>
<p> <B>Usman Sikander</B> (a.k.a. Offensive-Panda) is a seasoned security professional passionate about identifying and researching advanced evasion techniques, building a comprehensive understanding of threat tactics, techniques, and procedures (TTPs) through in-depth analysis of real-world attack scenarios, prominent Advanced Persistent Threat (APT) campaigns, and emerging evasion tactics, and validating security postures through emulation. With a proven track record in developing exploits aligned with MITRE ATT&amp;CK tactics and automating exploit processes, I excel in conducting comprehensive simulations within controlled environments that include all security controls. My primary objective is to identify weaknesses, misconfigurations and vulnerabilities; validate security controls and incident response capabilities; identify areas for improvement; and deliver detailed threat analysis for proactive threat hunting, including adversary attack paths, indicators of attack (IOAs), indicators of compromise (IOCs), and actionable mitigation strategies that strengthen an organisation's detection engineering capabilities. </p>
<h2>Purpose</h2>
<p>The purpose of the Process Injection Series is to share valuable knowledge with the cybersecurity community, particularly those eager to learn about malware development and advanced evasion techniques. Through this series, I aim to not only expand my own expertise but also provide a centralized resource for all tactics, techniques, and procedures (TTPs) related to process injection. By doing so, I hope to empower others with the skills and understanding needed to navigate and contribute to the evolving landscape of cybersecurity.</p>
<h2>Shellcode</h2>
<p>Throughout the series, I will be using my custom-generated shellcode, which displays a message box with the text "Hello from Offensive Panda." This shellcode serves as a consistent and straightforward payload for demonstrating various process injection techniques. However, you are encouraged to experiment with different shellcodes tailored to your needs, allowing you to explore and apply the concepts in ways that best suit your learning objectives or project requirements.</p>
<h2>Process Injection Techniques Heatmap</h2>
<div class="heatmap">
<div class="heatmap-item low-intensity" data-tooltip="Injects code into a local process’s memory space.">Classic Code Injection Local Process</div>
<div class="heatmap-item medium-intensity" data-tooltip="Injects code into a remote process’s memory space.">Classic Code Injection Remote Process</div>
<div class="heatmap-item high-intensity" data-tooltip="Injects code with obfuscated API calls to avoid detection.">Classic Code Injection with API Obfuscation</div>
<div class="heatmap-item high-intensity" data-tooltip="Uses VirtualProtect to modify memory protection and inject code.">Classic Code Injection VirtualProtect</div>
<div class="heatmap-item medium-intensity" data-tooltip="Injects a DLL into a process’s address space.">Classic DLL Injection</div>
<div class="heatmap-item high-intensity" data-tooltip="Injects and loads a DLL into memory without standard API functions.">Reflective DLL Injection</div>
<div class="heatmap-item very-high-intensity" data-tooltip="Manually loads a DLL from disk into memory without registering it in the process’s module list.">Unhook NTDLL.DLL (Lagos Island)</div>
<div class="heatmap-item very-high-intensity" data-tooltip="Creates a process in a suspended state and replaces its code with malicious code.">Process Hollowing</div>
<div class="heatmap-item medium-intensity" data-tooltip="Injects a PE file into a process for execution.">PE Injection</div>
<div class="heatmap-item low-intensity" data-tooltip="Modifies the entry point address of an executable for code injection.">AddressOfEntryPoint Injection</div>
<div class="heatmap-item medium-intensity" data-tooltip="Uses APCs to execute code within a process’s thread.">APC Injection</div>
<div class="heatmap-item high-intensity" data-tooltip="Injects code early in the process’s execution.">Early Bird Injection</div>
<div class="heatmap-item medium-intensity" data-tooltip="Searches for RWX memory regions to inject and execute code.">RWX Hunting and Injection</div>
<div class="heatmap-item very-high-intensity" data-tooltip="Process Ghosting works by exploiting a gap in how the Windows operating system handles process creation and image loading.">Process Ghosting</div>
<div class="heatmap-item low-intensity" data-tooltip="Injects code into the address space of another process and executes it by hijacking one of its existing threads.">Remote Thread Hijacking</div>
<div class="heatmap-item medium-intensity" data-tooltip="Executes code within a legitimate process by overwriting the memory of a loaded module (typically a DLL) without altering its disk image.">Module Stomping</div>
<div class="heatmap-item low-intensity" data-tooltip="Walks through the PEB to locate and inject code.">PEB Walk Injection</div>
<div class="heatmap-item medium-intensity" data-tooltip="Combines PEB walking with obfuscation techniques.">PEB Walk and APIs Obfuscation Technique</div>
<div class="heatmap-item medium-intensity" data-tooltip="Uses NtCreateSection and NtMapViewOfSection for code injection.">NtCreateSection and NtMapViewOfSection</div>
<div class="heatmap-item high-intensity" data-tooltip="Injects into a loaded DLL that already contains an RWX region, avoiding a fresh RWX allocation.">Mokingjay</div>
<div class="heatmap-item high-intensity" data-tooltip="Uses the Fork API to create a child process and inject code.">Fork API Injection</div>
<div class="heatmap-item low-intensity" data-tooltip="Injects code using fibers, a lightweight thread-like construct.">Injection through Fibers</div>
<div class="heatmap-item medium-intensity" data-tooltip="Uses low-level NT Native API functions for code injection.">NT API Injection</div>
<div class="heatmap-item high-intensity" data-tooltip="Executes system calls directly for code injection.">Direct Syscalls</div>
<div class="heatmap-item very-high-intensity" data-tooltip="Executes the syscall instruction from within ntdll.dll rather than from the program’s own stub.">Indirect Syscalls</div>
</div>
</div>
<div class="content-section">
<h2>Process Injection Series</h2>
<div class="card-container">
<!-- Example of a Card -->
<a href="Classic_Code_Injection_Local" class="card">
<h3>PE 1 - Classic Code Injection Local Process</h3>
<img src="Assets/classic-local.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the classic local-process code injection technique. It uses Windows API calls to allocate memory in the local process, write the shellcode to the allocated memory, and then execute it.</p>
</a>
<a href="Classic_Code_Injection_Remote" class="card">
<h3>PE 2 - Classic Code Injection Remote Process</h3>
<img src="Assets/classic-remote.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover classic code injection into a remote process. This is one of the most straightforward forms of process injection, also known as Remote Thread Injection. The method creates a new thread in a remote process and executes the payload or shellcode within that context. It is typically done with Windows API functions such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.</p>
</a>
<a href="Classic_Code_Injection_API_Obfuscate" class="card">
<h3>PE 3 - Classic Code Injection with API Obfuscation</h3>
<img src="Assets/api-obf.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the remote thread injection technique with API obfuscation. To evade the static detection mechanisms used by AV/EDR solutions, we implement API call obfuscation throughout the process. By the end of this lab, we demonstrate the difference in the import table of a sample program before and after API obfuscation, highlighting how these changes can help bypass static analysis.</p>
</a>
<a href="Classic_Code_Injection_Remote_VP" class="card">
<h3>PE 4 - Classic Code Injection VirtualProtect</h3>
<img src="Assets/ccvp_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover classic code injection into a remote process using VirtualProtect. It is the same technique as in the previous lab, with one extra step: changing the protection of the allocated memory with the Windows API VirtualProtect. Allocating an RWX region in a single step is a strong indicator for AV/EDR solutions, so to avoid RWX detection we first allocate the region as RW and change it to RX before executing the shellcode.</p>
</a>
<a href="Classic_DLL_Injection" class="card">
<h3>PE 5 - Classic DLL Injection</h3>
<img src="Assets/classic-dll.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover a DLL injection technique that targets a process (in this case, explorer.exe) to load a malicious DLL (panda.dll) from the Downloads folder. DLL injection is a method used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library (DLL).</p>
</a>
<a href="Reflective_DLL_Injection" class="card">
<h3>PE 6 - Reflective DLL Injection</h3>
<img src="Assets/rdll_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the Reflective DLL Injection technique. It allows code to execute within the context of another process without writing the DLL to disk. By loading the DLL directly from memory without touching the disk, it evades common detection mechanisms, making it a preferred method for sophisticated malware and offensive security operations.</p>
</a>
<a href="Reflective_DLL_Loading_Lagos_Island" class="card">
<h3>PE 7 - Unhook NTDLL.DLL (Lagos Island)</h3>
<img src="Assets/lagos_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover a Reflective DLL Loading technique. It manually loads and executes a DLL from disk into memory, which is what is usually meant by reflective DLL loading. This is useful when a DLL must be loaded without registering it in the process's module list, a common tactic in malware evasion and advanced threat emulation. </p>
</a>
<a href="Process_Hollowing" class="card">
<h3>PE 8 - Process Hollowing</h3>
<img src="Assets/ph_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the Process Hollowing technique. Process Hollowing is a stealthy process injection technique in which a legitimate process (usually a system or trusted application) is started in a suspended state and its memory is replaced with malicious code. The malicious code then executes within the context of the trusted process, evading security solutions that rely on the legitimacy of the process. </p>
</a>
<a href="PE_Code_Injection" class="card">
<h3>PE 9 - PE Injection</h3>
<img src="Assets/pei_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover PE (Portable Executable) Injection into another process, specifically targeting explorer.exe. PE injection copies the injector's entire PE image into the memory of the target process and then executes it there.</p>
</a>
<a href="AddressOfEntryPoint_Code_Injection" class="card">
<h3>PE 10 - AddressOfEntryPoint Injection</h3>
<img src="Assets/wpm_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the AddressOfEntryPoint Injection technique. The lab writes the shellcode to the target process's AddressOfEntryPoint, which lies in an RX region, relying on the internal behaviour of WriteProcessMemory to change the page protection before writing. The technique avoids calling VirtualAlloc and VirtualProtect directly in the code; the protection change that VirtualProtect would normally perform is handled internally by WriteProcessMemory.</p>
</a>
<a href="APC_QUEUE_INJECTION" class="card">
<h3>PE 11 - APC Injection</h3>
<img src="Assets/apc_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover Asynchronous Procedure Call (APC) injection. Asynchronous Procedure Call (APC) injection is a technique used to execute code in the context of another process's thread. This method leverages the Windows APC mechanism, which allows for deferred execution of functions in the context of a thread's execution.</p>
</a>
<a href="EarlyBird_Code_Injection" class="card">
<h3>PE 12 - Early Bird Injection</h3>
<img src="Assets/ebird_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the EarlyBird Injection technique. EarlyBird Injection injects code into a target process early in its lifecycle, often before the process has fully initialized. It exploits the fact that the process is still in a suspended state, which gives more control and a lower chance of detection. Compared with APC injection, EarlyBird Injection executes the code at a much earlier stage.</p>
</a>
<a href="RWX_Hunting_Injection" class="card">
<h3>PE 13 - RWX Hunting and Injection</h3>
<img src="Assets/rwx_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the RWX hunting technique, used to avoid the RWX memory allocation detection of AV/EDR solutions. RWX hunting involves locating a target process, identifying memory regions within it that are already writable and executable, injecting shellcode into one of those regions, and then executing the shellcode.</p>
</a>
<a href="Process_Ghosting" class="card">
<h3>PE 14 - Process Ghosting</h3>
<img src="Assets/PG_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p> In this lab, we cover the Process Ghosting technique. In process ghosting, an attacker creates a file (the malware), marks it for deletion (delete-pending state), maps the malware into memory as an image section, closes the handle (which deletes the file from disk), and then creates a process from the now-fileless section.</p>
</a>
<a href="Module_Stomping" class="card">
<h3>PE 15 - Module Stomping</h3>
<img src="Assets/MS_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the Module Stomping technique. Module stomping injects malicious code into a legitimate process without raising the usual red flags of traditional injection techniques. Instead of loading custom or suspicious DLLs, the attacker overwrites part of an already loaded, legitimate module with their own code, effectively hiding in plain sight. </p>
</a>
<a href="Remote_Thread_Hijacking" class="card">
<h3>PE 16 - Remote Thread Hijacking</h3>
<img src="Assets/RTH_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the Remote Thread Hijacking technique. Remote Thread Hijacking injects code into a process by hijacking an existing thread in that process. Unlike traditional code injection methods (e.g., using CreateRemoteThread or NtCreateThreadEx), this technique manipulates an already-running thread to execute the malicious payload.</p>
</a>
<a href="PEB_WALK_INJECTION" class="card">
<h3>PE 17 - PEB Walk Injection</h3>
<img src="Assets/peb_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover PEB Walk and Injection. By using the PEB, the code directly traverses the list of loaded modules to find kernel32.dll, bypassing static analysis methods that rely on import table inspection. Once kernel32.dll is identified, the technique resolves the necessary API functions, such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, dynamically at runtime.</p>
</a>
<a href="PEB_WALK_API_OBFUSCATION" class="card">
<h3>PE 18 - PEB Walk and APIs Obfuscation Technique</h3>
<img src="Assets/pebwalk_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover PEB Walk and API Obfuscation Injection. By using the PEB, the code directly traverses the list of loaded modules to find kernel32.dll, bypassing static analysis methods that rely on import table inspection. Once kernel32.dll is identified, the technique resolves the necessary API functions, such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, dynamically at runtime, with the API names obfuscated so they do not appear as plain strings. </p>
</a>
<a href="NtCreateSection_MapViewOfSection" class="card">
<h3>PE 19 - NtCreateSection and NtMapViewOfSection</h3>
<img src="Assets/ntthreat_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover NtCreateSection and NtMapViewOfSection code injection. This technique uses Native APIs such as NtCreateSection and NtMapViewOfSection. The process begins by creating a new memory section with read, write, and execute (RWX) protection using NtCreateSection.</p>
</a>
<a href="Mokingjay" class="card">
<h3>PE 20 - Mokingjay</h3>
<img src="Assets/mok_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover Mokingjay code injection. This technique relies on "vulnerable" DLLs, meaning DLLs that already contain an RWX memory region. Because no new RWX memory is allocated, it avoids the RWX allocation detection that is a strong indicator for security controls. The technique can be used for self-injection or remote injection; in our lab, we use self-injection with msys-2.0.dll.</p>
</a>
<a href="DV_NEW" class="card">
<h3>PE 21 - Fork API Injection</h3>
<img src="Assets/fork_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover Dirty Vanity code injection. Dirty Vanity is a code-injection technique that abuses forking, a lesser-known mechanism that exists in the Windows operating system. Forking a process is the act of creating a new process from the calling process; the name fork originates from the UNIX process-creation system calls fork and exec.</p>
</a>
<a href="Injection_Through_Fiber" class="card">
<h3>PE 22 - Injection through Fibers</h3>
<img src="Assets/fiber_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover the Injection through Fibers technique. Fibers are a form of cooperative threading in which a single thread can switch between multiple execution contexts (fibers), with the program manually deciding which fiber is active at any given time. This technique can be used to execute arbitrary shellcode, especially where the attacker wants to run the shellcode without creating a new thread.</p>
</a>
<a href="NTAPI_Injection" class="card">
<h3>PE 23 - NT API Injection</h3>
<img src="Assets/nt_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover remote process injection using NT APIs. NT APIs are located in ntdll.dll, the last user-mode layer that AV/EDR solutions can hook. In earlier labs we used the Windows APIs located in kernel32.dll, which are well documented. In this lab, we use the undocumented native APIs NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtCreateRemoteThread to achieve remote process injection.</p>
</a>
<a href="DirectSyscalls" class="card">
<h3>PE 24 - Direct Syscalls</h3>
<img src="Assets/direct_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover remote process injection using direct syscalls. Most AV/EDR solutions hook Windows and Native APIs and redirect the program flow whenever an application calls these functions, in order to observe malicious behaviour. When a new process is spawned, the EDR loads its DLLs into the process memory to inspect the program's behaviour. In this lab, we use direct syscalls, which transition straight to the kernel without passing through the hooked API functions.</p>
</a>
<a href="IndirectSyscalls" class="card">
<h3>PE 25 - Indirect Syscalls</h3>
<img src="Assets/indirect_AI.jpg" alt="Technique Image" class="technique-image">
<img src="Assets/windows-icon.png" class="windows-icon" alt="Windows Icon">
<p>In this lab, we cover remote process injection using indirect syscalls. Most AV/EDR solutions detect direct syscalls by finding the syscall instruction in the stub through static analysis; in addition, syscall and return instructions are normally never executed outside the memory area of ntdll.dll, so their appearance elsewhere is a strong indicator for EDR solutions. The indirect syscall technique is more or less an evolution of the direct syscall technique that addresses these indicators. </p>
</a>
</div>
</div>
<div class="references">
<h2>References</h2>
<ul style="list-style-type: none; padding: 0;">
<li style="margin-bottom: 10px;">
<a href="https://attack.mitre.org/techniques/T1055/" style="text-decoration: none; color: #007bff;">https://attack.mitre.org/techniques/T1055/</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://www.linkedin.com/in/usman-sikander13/" style="text-decoration: none; color: #007bff;">https://www.linkedin.com/in/usman-sikander13/</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://github.com/deepinstinct/Dirty-Vanity" style="text-decoration: none; color: #007bff;">https://github.com/deepinstinct/Dirty-Vanity</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution" style="text-decoration: none; color: #007bff;">https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://www.ired.team/" style="text-decoration: none; color: #007bff;">https://www.ired.team/</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://github.com/jthuraisamy/SysWhispers2" style="text-decoration: none; color: #007bff;">https://github.com/jthuraisamy/SysWhispers2</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://github.com/klezVirus/SysWhispers3" style="text-decoration: none; color: #007bff;">https://github.com/klezVirus/SysWhispers3</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://github.com/RedTeamOperations/Advanced-Process-Injection-Workshop" style="text-decoration: none; color: #007bff;">https://github.com/RedTeamOperations/Advanced-Process-Injection-Workshop</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://cytomate.net" style="text-decoration: none; color: #007bff;">https://www.cytomate.net</a>
</li>
<!-- Add more references as needed -->
</ul>
</div>
<div class="disclaimer">
<h2>Disclaimer</h2>
<p>The content, techniques, and tools provided in this repository are intended solely for educational and research purposes within the cybersecurity community. I explicitly disclaim any responsibility for the misuse or unlawful use of the provided materials. Any actions taken based on the information are done so at the user's own risk.</p>
</div>
</body>
</html>