Remote Thread Injection by C# Delegate
Remote Thread Injection by C# Delegate
Related Links for “Mitre ATT&CK”:
Process Injection: Portable Executable Injection ==> https://attack.mitre.org/techniques/T1055/002/
Process Injection: Dynamic-link Library Injection ==> https://attack.mitre.org/techniques/T1055/001/
Your Payload Should be Msfvenom Payload …
Code1: NativePayload_TId.exe [TPID] [PAYLOAD]Code2: NativePayload_TIdnt.exe [TPID] [PAYLOAD]EXAMPLE: NativePayload_TId.exe 2452 "FC,48,83,00,..."EXAMPLE: NativePayload_TIdnt.exe 2452 "FC,48,83,00,..."
Article [1]: https://damonmohammadbagher.github.io/Posts/11Feb2021x.html
Article [2]: https://www.linkedin.com/pulse/bypassing-anti-virus-creating-remote-thread-target-mohammadbagher
step by step => Chapter 14 : C# Delegate & Remote Thread Injection Technique (Part2)
online eBook, (chapters): https://damonmohammadbagher.github.io/Posts/ebookBypassingAVsByCsharpProgramming/
Code1 step1: NativePayload_TId2.exe [TPID] [PAYLOAD]Code2 step2: NativePayload_TId3.exe [TPID] [VAx-addr or VirtualAllocEx Address from step1]EXAMPLE: NativePayload_TId2.exe 2452 "FC,48,83,00,..."EXAMPLE: NativePayload_TId3.exe 2452 1bfc0190000
step by step => Chapter 14 : C# Delegate & Remote Thread Injection Technique (Part3)
NativePayload_TImd.exe [steps 1 or 2] [delay 2000] [MemoryProtection/mode 0 or 1] [TPID 4716] [payload fc,48,..]example: NativePayload_TImd.exe 1 2000 0 4716 fc,48,56,...example: NativePayload_TImd.exe 2 6721 1 4716 fc,48,56,...step = 1 you will have 4 steps (default)step = 2 you will have 28 stepsMemoryProtection = 0 API::VirtualAllocEx set to MemoryProtection.ExecuteReadWriteMemoryProtection = 1 API::VirtualAllocEx set to MemoryProtection.Execute
step by step => Chapter 14 : C# Delegate & Remote Thread Injection Technique (Part3)
