SingleDose is a framework to build shellcode load/process injection techniques. SingleDose doesn't actually perform the load or inject, but rather it takes your configuration and technique and will compile an .exe which will only contain the technique you specified. The executables are C#, which gives users the flexibility to execute in-memory with execute-assembly or the like.
I am not the original author for most of these techniques, I just rewrote them using C# to make them compatible with SingleDose's build process. Please check out the description for each technique for links to the author or blog I referenced. This is done with describe <technique> from the Main menu. To see the available techniques type show techniques the main menu.
Boosters are just plugins for SingleDose. They implement additional techniques or triggers without overwhelming the basic framework. These can be loaded from the Main or Triggers menus.
Usage: [Main]-> load .\PoisonTendy.dll
A tutorial is included for basic building without triggers. Just run SingleDose with -t to start the tutorial mode.
Note: To see all available options, type help in each menu.
- Enter the Settings menu with:
settings - Select the mode:
mode static - Set the output directory:
output C:\path\to\output\directory - If both of these modes have been successfully set, exit the settings menu to go back to Main Menu. Type
exit - To see what techniques are available. In Main Menu, type
show techniques
- The left column is for shellcode loaders, and the right column is for the process injection techniques. - Start a build with:
build L3 - It will ask you for the path to your shellcode, so just type the path and SingleDose will format it and embed it as a byte array in the .cs file.
Triggers allow you to configure pre-execution checks or conditions to meet before continuing the technique's execution. We'll use the ProcWatch trigger.
- Complete steps 1-4 of the Basic Usage.
- Enter the Triggers menu with:
triggers - Type
helpto see the available triggers. The next few steps will walk through the "procwatch" trigger. - Type
use procwatchyou will be prompted to enter a process id and/or name. - Type
notepad.exe. This will prevent the technique from being executed while a "notepad.exe" is a process. Procwatch supports CSV format when specifying multiple items. - Once you see that
ProcWatchis set in the panel as the trigger, typeexitin the Triggers Menu to return to Main Menu. - From here, you can build like step 6 in Basic Usage.
- If you try to execute the technique with a notepad.exe process running, the technique will enter a "sleep" before checking if notepad.exe is running again. The sleep time is randomly generated between 90 - 300 seconds, and the exact time will be displayed in the console window.
Note: Triggers are not erased after a build. Type clear triggers to clear the triggers you've set.
Open the .sln in Visual Studio, select Debug or Release at the top and build.
- https://github.com/SafeBreach-Labs/pinjectra
- https://github.com/monoxgas/sRDI
- https://www.ired.team/offensive-security/code-injection-process-injection/
- https://vx-underground.org/papers.html -> Windows VX -> Injection
- https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/
- References per technique can be seen with
describe <technique>