KitPloit - PenTest Tools!
RemoteTLSCallbackInjection - Utilizing TLS Callbacks To Execute A Payload Without Spawning Any Threads In A Remote Process
April 10^th 2024 at 12:30

RemoteTLSCallbackInjection - Utilizing TLS Callbacks To Execute A Payload Without Spawning Any Threads In A Remote Process

By: Zion3R

This method utilizes TLS callbacks to execute a payload without spawning any threads in a remote process. This method is inspired by Threadless Injection as RemoteTLSCallbackInjection does not invoke any API calls to trigger the injected payload.

Quick Links

Maldev Academy Home

Maldev Academy Syllabus

Related Maldev Academy Modules

New Module 34: TLS Callbacks For Anti-Debugging

New Module 35: Threadless Injection

Implementation Steps

The PoC follows these steps:

Create a suspended process using the CreateProcessViaWinAPIsW function (i.e. RuntimeBroker.exe).
Fetch the remote process image base address followed by reading the process's PE headers.
Fetch an address to a TLS callback function.
Patch a fixed shellcode (i.e. g_FixedShellcode) with runtime-retrieved values. This shellcode is responsible for restoring both original bytes and memory permission of the TLS callback function's address.
Inject both shellcodes: g_FixedShellcode and the main payload.
Patch the TLS callback function's address and replace it with the address of our injected payload.
Resume process.

The g_FixedShellcode shellcode will then make sure that the main payload executes only once by restoring the original TLS callback's original address before calling the main payload. A TLS callback can execute multiple times across the lifespan of a process, therefore it is important to control the number of times the payload is triggered by restoring the original code path execution to the original TLS callback function.

Demo

The following image shows our implementation, RemoteTLSCallbackInjection.exe, spawning a cmd.exe as its main payload.

Download RemoteTLSCallbackInjection

The Hacker News
QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry
December 18^th 2023 at 09:29

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

By: Newsroom

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry. "Targets

The Hacker News
Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware
December 4^th 2023 at 04:20

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

By: Newsroom

Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector. The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X (

The Hacker News
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries
July 14^th 2023 at 07:40

New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

By: THN

A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year. "This makes AVrecon one

The Hacker News
Emotet Rises Again: Evades Macro Security via OneNote Attachments
March 20^th 2023 at 05:51

Emotet Rises Again: Evades Macro Security via OneNote Attachments

By: Ravie Lakshmanan

The notorious Emotet malware, in its return after a short hiatus, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems. Emotet, linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down. A

Naked Security
S3 Ep59: Emotet, an FBI hoax, Samba bugs, and a hijackable suitcase [Podcast]
November 18^th 2021 at 15:00

S3 Ep59: Emotet, an FBI hoax, Samba bugs, and a hijackable suitcase [Podcast]

By: Paul Ducklin

Latest episode - listen now!

Naked Security
Emotet malware: “The report of my death was an exaggeration”
November 16^th 2021 at 14:13

Emotet malware: “The report of my death was an exaggeration”

By: Paul Ducklin

"Old malware rarely dies." The best way to predict the future is to look at the past... if it worked before, it will probably work again.