SnapLoader

Using `PssCaptureSnapshot` && `PssWalkSnapshot` to allocate a place to inject your shellcode in the `ntdll.dll` memory address space and, taking it a step further, hijacking a thread without using `GetThreadContext`, `ResumeThread` or `SuspendThread`.

HOW DOES IT WORK:

- First of all, we create our target `RuntimeBroker.exe` process and get the handles we need to proceed.
- The basic work in this PoC is in `GetHiddenInjectionAddress`, where we use `MEMORY_BASIC_INFORMATION` / `PSS_VA_SPACE_ENTRY` to find the `ntdll.dll` mapped into the target process.
- Then we verify that it is an `EXECUTE_READ` && `MEM_IMAGE` module (and bigger than 1 MB, which is a stupid way to verify it is ntdll.dll lol), but you can use `PSS_VA_SPACE_ENTRY.MappedFileName` to verify it if you want to mess around.
- Later on we search for an empty place to write the shellcode [this place must be at least as large as our shellcode, so very big shellcodes may not work].
- Then I squeeze the base address to the start of ntdll.dll, so since the stack grows downward in Windows, we use `- ShellcodeSize * 3` here.
- Now, moving on to running the shellcode, I used the same technique with `PSS_THREAD_ENTRY` to get the current context of the thread, then overwrite it with our base address and use `SetThreadContext` to set the modified context. Since our process is suspended, there is no need to use `ResumeThread` or `SuspendThread`.