DynWin32-ShellcodeProcessHollowing.ps1 performs shellcode-based process hollowing using
dynamically resolved Win32 API calls. The script obtains the methods GetModuleHandle,
GetProcAddress and CreateProcess through reflection, then uses GetModuleHandle and
GetProcAddress to resolve the addresses of the remaining Win32 API calls it needs.
Once all required Win32 API calls have been resolved, it starts svchost.exe in a suspended
state and overwrites the entry point with the specified shellcode. The thread is then resumed
and the shellcode executes inside the trusted svchost.exe process.
This script should be used for educational purposes only. It was only tested on Windows 10 (x64)
and is probably neither stable nor portable. Its only purpose is to demonstrate reflective
lookups of Win32 API calls. See it as just a silly experiment 🙂
License: GPL-3.0
Error message raised when the lookup helpers are used before the two base functions are available:
"GetModuleHandle and GetProcAddress must be initialized first!"
Attribute strings used when the delegate types are defined via reflection (type, constructor, Invoke method):
- Class, Public, Sealed, AnsiClass, AutoClass
- RTSpecialName, HideBySig, Public
- Public, HideBySig, NewSlot, Virtual
The script proceeds in the following steps:
1. Obtain the required types via reflection.
2. Obtain the required functions via reflection: GetModuleHandle, GetProcAddress and CreateProcess.
3. Obtain the function addresses of the required hollowing functions.
4. Create the delegate types used to call the previously obtained function addresses.
5. Instantiate the required structures for CreateProcess and use them to launch svchost.exe.
6. Obtain the required handles from the PROCESS_INFORMATION structure.
7. Create a buffer to hold the PROCESS_BASIC_INFORMATION structure and call ZwQueryInformationProcess.
Locate the image base address. The address of the PEB is the second element of the
PROCESS_BASIC_INFORMATION structure (offset 0x08 within the $processBasicInformation buffer on x64).
Within the PEB, the image base address is located at offset 0x10.
Use ReadProcessMemory to read the required part of the PEB. A 0x200-byte buffer is allocated up front
and reused later on. From the PEB only 0x08 bytes are actually needed, because $imageBaseAddrPEB
already points to the correct memory location; those 0x08 bytes are parsed as Int64 and then as IntPtr.
With the base address known, the first 0x200 bytes of the image are read to obtain the PE file header.
The offset of the PE header is stored at 0x3c within that header (the DOS header). Within the PE header,
the relative entry point address is found at offset 0x28. Adding it to $imageBaseAddr yields the
absolute (non-relative) entry point address. Three values are computed in turn:
- PE header offset
- Relative entry point
- Absolute entry point
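The header walk described above, written out in Python as an analyst would use it when checking where a process's entry point lives during hollowing triage. This is an added illustration, not code from the script: the 0x200-byte header is constructed inline with only the fields the parser reads, and the image base passed in is an assumed value.

```python
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C      # DOS header field holding the offset of the PE header
ENTRY_POINT_OFFSET = 0x28   # AddressOfEntryPoint, relative to the PE signature
HEADER_READ_SIZE = 0x200    # number of bytes read from the image base


def locate_entry_point(header: bytes, image_base: int) -> dict:
    """Resolve PE header offset, entry-point RVA and absolute entry point from the
    first 0x200 bytes of a mapped image. Raises ValueError when the bytes are not
    a PE image or the PE header lies outside the bytes that were read."""
    if len(header) < HEADER_READ_SIZE:
        raise ValueError("header buffer too small")
    if header[:2] != MZ_MAGIC:
        raise ValueError("missing MZ magic")
    (pe_offset,) = struct.unpack_from("<I", header, E_LFANEW_OFFSET)
    # Bounds check: a hostile or truncated header must not push reads out of range.
    if pe_offset + ENTRY_POINT_OFFSET + 4 > len(header):
        raise ValueError("PE header lies outside the bytes read")
    if header[pe_offset:pe_offset + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    (entry_rva,) = struct.unpack_from("<I", header, pe_offset + ENTRY_POINT_OFFSET)
    return {
        "pe_offset": pe_offset,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
    }


def build_sample_header(pe_offset: int = 0x80, entry_rva: int = 0x1234) -> bytes:
    """Constructed sample: a zeroed 0x200-byte header carrying only the MZ magic,
    e_lfanew, the PE signature and AddressOfEntryPoint."""
    buf = bytearray(HEADER_READ_SIZE)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + 4] = PE_SIGNATURE
    struct.pack_into("<I", buf, pe_offset + ENTRY_POINT_OFFSET, entry_rva)
    return bytes(buf)


if __name__ == "__main__":
    assumed_image_base = 0x7FF600000000  # assumed value, not read from a live process
    info = locate_entry_point(build_sample_header(), assumed_image_base)
    for name, value in info.items():
        print(f"{name}: 0x{value:x}")
```

The bounds and signature checks are the part worth keeping: when this walk is run against memory of a process under investigation, a header that has been tampered with or partially unmapped should fail loudly rather than produce a bogus address.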
Overwrite the entry point with the shellcode and resume the thread.
Close PowerShell so that it no longer shows up as the parent of svchost.exe.
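The last step points at the signal a defender has: svchost.exe launched from PowerShell rather than from the service control manager. Closing the parent afterwards does not undo a process-creation event that was already logged with the original parent. The following added example (not part of the script) runs that check over constructed process-creation records in the shape of Sysmon Event ID 1 fields; the baseline it assumes is that on a stock Windows 10 host svchost.exe is started by services.exe and carries a "-k <group>" argument.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessCreate:
    """Subset of a process-creation event (Sysmon Event ID 1 style fields)."""
    pid: int
    image: str
    command_line: str
    parent_image: str


# Assumed baseline for a stock Windows 10 host.
EXPECTED_PARENT = "services.exe"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_svchost(events: List[ProcessCreate]) -> List[str]:
    """Return one finding per svchost.exe creation that breaks the baseline."""
    findings = []
    for e in events:
        if _basename(e.image) != "svchost.exe":
            continue
        reasons = []
        if _basename(e.parent_image) != EXPECTED_PARENT:
            reasons.append(f"unexpected parent {_basename(e.parent_image)}")
        if "-k" not in e.command_line.lower().split():
            reasons.append("no -k service group argument")
        if reasons:
            findings.append(f"pid {e.pid}: " + "; ".join(reasons))
    return findings


# Constructed sample events: one benign launch, one matching the pattern in the
# text above (PowerShell parent, bare command line), one odd parent only.
SAMPLE_EVENTS = [
    ProcessCreate(1234, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\svchost.exe -k netsvcs -p",
                  r"C:\Windows\System32\services.exe"),
    ProcessCreate(4321, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessCreate(5555, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\svchost.exe -k LocalService",
                  r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for finding in suspicious_svchost(SAMPLE_EVENTS):
        print(finding)
```

Parent image and command line are both taken from the creation event itself, so the check keeps working after the originating PowerShell has exited; a live process listing would by then show only an orphaned svchost.exe.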