forrest-orr / phantom-dll-hollower-poc Goto Github PK

PhantomDllHollower.exe MsgBoxShellcode64.bin

• Successfully opened MsgBoxShellcode64.bin (size: 319)

• aadauthhelper.dll - image size: 487424 - .text size: 306955
• aadauthhelper.dll - mapped size: 487424

• Successfully mapped an image to hollow at 0x00007FFC43250000 (size: 487424 bytes)

• Calling 0x00007FFC43251000...

But No MessageBox Popup.

I Attach it on x64dbg,Find this exception:
First chance exception on 0x00007FFC43251037(C0000005,EXCEPTION_ACCESS_VIOLATION).

payload as follow:
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/messagebox EXITFUNC=thread TEXT="Exploit Test" -f raw -o MsgBoxShellcode64.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 319 bytes
Saved as: MsgBoxShellcode64.bin

Hey,
Thanks for you write up - I like it.
I started coding c++ like a year back, I improved from them, however I asked myself, how would I do DLL Hollowing in anothers process context?
I see NtMapViewOfSection with GetCurrentProcess() however pointing an handle from another context doesn't seem to work ->

• Failed to create mapping of section (error 0xc0000018)* AppVEntSubsystems64.dll - image size: 2060288 - .text size: 1346652
• Failed to create mapping of section (error 0xc0000018)* AppVEntVirtualization.dll - image size: 1609728 - .text size: 1069482

So what would I have to do in order to be able to make DLL Hollowing (very neat technique) in another process context?
Thanks, stay healthy.