Implementing an injection method mentioned by @Hexacorn.
This version of Christmas uses indirect syscalls to evade user-mode EDR/XDR hooks.
This PoC creates multiple processes, each of which performs one specific step of the injection. Each child process spawns the next process and passes it the required information via the command line. The program follows the steps below:
- The first child process creates the target process into which the payload will be injected. The handle to the target process is inherited by all of the following child processes.
- The second child process allocates memory in the target process.
- The third child process changes the permissions of the previously allocated memory to RWX.
- After that, one process is created for every 1024-byte chunk of the payload, and each such process writes its chunk into the allocated memory.
- Lastly, another process is responsible for executing the payload.
The PoC uses the RC4 encryption algorithm to encrypt a Havoc Demon payload. The program ChristmasPayloadEnc.exe is responsible for encrypting the payload and padding it to a multiple of 1024 bytes (as required by the injection logic, which writes the payload in 1024-byte chunks).
https://github.com/Maldev-Academy/Christmas