Home / C/C++ / Miscellaneous

Thread Execution Hijacking technique

Thread-Hijacking Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can the
Information
Category: C/C++ / Miscellaneous
Watchers: 1
Star: 6
Fork: 0
Last update: Dec 31, 2021
Resource links
https://github.com/ZeroM3m0ry/Thread-Hijacking

Thread-Hijacking

Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.

TECHNICAL DETAILS

  • Open a handle targetProcessHandle to the process that we want to inject using OpenProcess
  • Allocate some executable memory ExecBuffer in the target process with VirtualAllocEx
  • Write shellcode we want to inject into the memory ExecBuffer, using WriteProcessMemory
  • Find a thread ID of the thread we want to hijack in the target process. In our case, we will fetch the thread ID of the first thread in our target process.
  • Suspend the target thread - the thread we want to hijack (threadHijacked) with SuspendThread
  • Retrieve the target thread's context with GetThreadContext
  • Update the target thread's instruction pointer (in my case x86 EIP register / x64 RIP) to point to the shellcode, which was written into the target process's memory using WriteProcessMemory
  • Commit the hijacked thread's new context with SetThreadContext
  • Resume the hijacked thread with ResumeThread

Contents

    netero1010 New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.
    connormcgarr Beacon Object File (BOF) for remote process injection via thread hijacking
    mafintosh Run RPC over a MessagePort object from a Worker thread (or WebWorker)
    mgeeky Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.
    sebh Unreal Engine Sky Atmosphere Rendering Technique
    Kara-4search Process inject technique "Thread hijacking" via csharp
    codebutler A Firefox extension that demonstrates HTTP session hijacking attacks.
    r00t-3xp10it Morpheus - Automating Ettercap TCP/IP (MITM-hijacking Tool)
    wietze Project for identifying executables and DLLs vulnerable to relative path DLL hijacking.
    SuperFola Sending messages by hijacking DNS requests and answers
    DreyAnd DNS hijacking via dead records automation tool
    ssh-mitm ssh mitm server for security audits supporting public key authentication, session hijacking and file manipulation
    DamonMohammadbagher NativePayload_CallBackTechniques C# Codes (Code Execution via Callback Functions Technique, without CreateThread Native API)
    nvzqz Type-safe thread-local storage in Swift
    ruuda thread-id - Get a unique thread ID
    pinojs A streaming way to send data to a Node.js Worker Thread
    pinojs A streaming way to send data to a Node.js Worker Thread
    mihneadb Trace the local context of a Python function's execution with just a decorator.
    teemu-l Tool for viewing and analyzing execution traces
    giandifra A Flutter package that recreate clustering technique in a Google Maps widget
    mobdk Execute Mimikatz with different technique
    Share this repo

    Related Repos


    Miscellaneous
    420
    For recording and retrieving metadata associated with ML developer and data scientist work...
    google ML Metadata ML Metadata (MLMD) is a library for recording and retrieving metadata associated with ML developer and data scientist workflows. NOTE: ML
     
    Miscellaneous
    100
    Hotcaml: an interpreter with watching and reloading
    let-def Hotcaml: an OCaml interpreter with watching and reloading Hotcaml is an OCaml interpreter that starts from a source file and loads its dependencies. W
     
    Miscellaneous
    50
    A React Native library for accessing an ArrayBuffer of a Blob instance.
    mrousavy react-native-blob-jsi-helper A React Native library for directly accessing an ArrayBuffer of a Blob instance. Note: This is a workaround. A long-term
     
    Miscellaneous
    14
    This is a OOSDK port of flat's ps4_remote_pkg_installer, all credit goes to them and their...
    Backporter ps4_remote_pkg_installer-OOSDK This is a OOSDK port of flat's ps4_remote_pkg_installer, all credit goes to them and their amazing work! NOTES Some fun
     
    Miscellaneous
    731
    General purpose GPU compute framework for cross vendor graphics cards (AMD, Qualcomm, NVID...
    KomputeProject General purpose GPU compute framework for cross vendor graphics cards (AMD, Qualcomm, NVIDIA & friends). Blazing fast, mobile-enabled, asynchronous and optimized for advanced GPU data processing usecases based on Vulkan compute. Backed by the Linux Foundation.
     
    Miscellaneous
    31
    An open source machine learning library for performing regression tasks using RVM techniqu...
    siavashserver Introduction neonrvm is an open source machine learning library for performing regression tasks using RVM technique. It is written in C programming la
     
    Miscellaneous
    108
    Pure C ONNX runtime with zero dependancies for embedded devices
    alrevuelta 🤖 cONNXr C ONNX Runtime A onnx runtime written in pure C99 with zero dependencies focused on embedded devices. Run inference on your machine learning
     
    Miscellaneous
    125
    Multi-armed bandit simulation library
    jkomiyama BanditLib: a simple multi-armed bandit library .-. .-') ('-. .-') _ _ .-') _ .-') _ .-. .-') \ ( OO )
     
    Miscellaneous
    466
    oneAPI Data Analytics Library (oneDAL)
    oneapi-src oneAPI Data Analytics Library Installation   |   Documentation   |   Support   |   Examples   |   Samples   |   How to Contribute    oneAPI Data Analy
     
    Miscellaneous
    1.4k
    Library for factorization machines
    srendle libFM Library for factorization machines web: http://www.libfm.org/ forum: https://groups.google.com/forum/#!forum/libfm Factorization machines (FM) a
     
    Miscellaneous
    617
    ThunderGBM: Fast GBDTs and Random Forests on GPUs
    Xtra-Computing Documentations | Installation | Parameters | Python (scikit-learn) interface What's new? ThunderGBM won 2019 Best Paper Award from IEEE Transactions o
     
    Miscellaneous
    34
    Low dependency(C++11 STL only), good portability, header-only, deep neural networks for em...
    mosdeo LKYDeepNN LKYDeepNN 可訓練的深度類神經網路 (Deep Neural Network) 函式庫。 輕量,核心部份只依賴 C++11 標準函式庫,低相依性、好移植,方便在嵌入式系統上使用。 Class diagram 附有訓練視覺化 demo 程式 訓練視覺化程式以 OpenCV
     
    Miscellaneous
    115
    Colibri core is an NLP tool as well as a C++ and Python library for working with basic lin...
    proycon Colibri Core is software to quickly and efficiently count and extract patterns from large corpus data, to extract various statistics on the extracted patterns, and to compute relations between the extracted patterns.
     
    Miscellaneous
    67
    Frog is an integration of memory-based natural language processing (NLP) modules developed...
    LanguageMachines Frog is an integration of memory-based natural language processing (NLP) modules developed for Dutch. All NLP modules are based on Timbl, the Tilburg memory-based learning software package.
     
    Miscellaneous
    14
    FoLiA library for C++
    LanguageMachines Libfolia: FoLiA Library for C++ Libfolia (c) CLS/ILK 2010 - 2022 Centre for Language Studies, Radboud University Nijmegen Induction of Linguistic Know