2 - CreateThread
injecting the shellcode into the injector itself. This is amongst the easiest and most basic types of
injection.
1. Download the shellcode from the Team Server using the HttpClient class. HttpClient is disposable,
so wrap it in a using statement or call its Dispose() method. We also have to set
ServerCertificateCustomValidationCallback on the HttpClientHandler to ignore the self-signed SSL certificate error.
2. Use VirtualAlloc to allocate a new region of memory within this process. The region has to
be large enough to hold the shellcode, so we can simply pass the shellcode's length as the size
parameter; the API will round it up to page granularity, which is fine. We allocate the region with RW
protection so we can avoid RWX.
3. Now we can copy the shellcode into this region. Because it is our own process, we can
use Marshal.Copy instead of the WriteProcessMemory API, which saves a little time.
```csharp
// Execute shellcode
var hThread = Win32.CreateThread(
    IntPtr.Zero,    // lpThreadAttributes: default security descriptor
    0,              // dwStackSize: default stack size
    baseAddress,    // lpStartAddress: the region holding the shellcode
    IntPtr.Zero,    // lpParameter: no argument passed to the thread
    0,              // dwCreationFlags: start running immediately
    out _);         // lpThreadId: discarded
```
6. CreateThread is not a blocking call, so to prevent the process from exiting we wait on the returned
thread handle. WaitForSingleObject will block for as long as the thread is running.
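As an added, detection-side counterpart to the steps above (this is not code from the original course): the sequence VirtualAlloc (RW), copy, change to RX, CreateThread leaves behind a committed, private, executable region that is not backed by any image on disk. The scanner below walks a process's address space with VirtualQueryEx and reports such regions; the class name and the optional PID argument are my own choices.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example, not from the original course: report committed, private (non-image-backed)
// executable regions, the footprint a VirtualAlloc'd buffer leaves once it is made RX and run.
class PrivateExecScanner
{
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr hObject);

    const uint PROCESS_QUERY_INFORMATION = 0x0400, MEM_COMMIT = 0x1000, MEM_PRIVATE = 0x20000;

    // PAGE_EXECUTE (0x10), PAGE_EXECUTE_READ (0x20), PAGE_EXECUTE_READWRITE (0x40) and
    // PAGE_EXECUTE_WRITECOPY (0x80) all live in the 0xF0 nibble; PAGE_GUARD/PAGE_NOCACHE sit above it.
    static bool IsExecutable(uint protect) => (protect & 0xF0) != 0;

    static void Main(string[] args)
    {
        // Scan the PID given on the command line, or this process if none was supplied.
        var pid = args.Length > 0 ? int.Parse(args[0]) : Process.GetCurrentProcess().Id;
        var hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (hProcess == IntPtr.Zero)
            throw new InvalidOperationException("OpenProcess failed: " + Marshal.GetLastWin32Error());
        var address = IntPtr.Zero;
        var hits = 0;
        var size = new IntPtr(Marshal.SizeOf<MEMORY_BASIC_INFORMATION>());
        while (VirtualQueryEx(hProcess, address, out var mbi, size) != IntPtr.Zero)
        {
            if (mbi.State == MEM_COMMIT && mbi.Type == MEM_PRIVATE && IsExecutable(mbi.Protect))
            {
                hits++;
                Console.WriteLine($"[!] private executable region: base 0x{mbi.BaseAddress.ToInt64():X} size 0x{mbi.RegionSize.ToInt64():X} protect 0x{mbi.Protect:X}");
            }
            // Step to the region that starts where this one ends; stop if the address would wrap.
            var next = mbi.BaseAddress.ToInt64() + mbi.RegionSize.ToInt64();
            if (next <= address.ToInt64()) break;
            address = new IntPtr(next);
        }
        CloseHandle(hProcess);
        Console.WriteLine($"{hits} private executable region(s) in PID {pid}");
    }
}
```

Expect hits in any managed process, since the CLR's JIT also allocates private executable memory; in practice the signal is sharpened by correlating each region with thread start addresses that fall outside every loaded module.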