A simple PoC to demonstrate that it is possible to write to non-writable memory and to execute non-executable memory on Windows

WindowsPermsPoC

A simple PoC to demonstrate that it is possible to write to non-writable memory and to execute non-executable memory on Windows. You can build it using Visual Studio.

Writing non-writable memory

This simple program allocates a non-writable region of memory with VirtualAlloc and then writes a shellcode into it using WriteProcessMemory.

This works because WriteProcessMemory is a function designed for debuggers: when the target pages are not writable, it changes their protection under the hood (via the NtProtectVirtualMemory syscall), performs the copy, and restores the original protection afterwards. A plain pointer store into the same region would raise an access violation. The only requirement is a process handle with PROCESS_VM_WRITE and PROCESS_VM_OPERATION access, which a process always has on itself.

Executing non-executable memory

At the end of the program, the protection of the allocated memory is changed to PAGE_READONLY and the shellcode is called. How is this possible?

Executing code from a non-executable memory area is prevented in modern operating systems by DEP (Data Execution Prevention), which is backed by the CPU's NX bit. On Windows, however, DEP is not unconditionally enforced for every process. 64-bit processes always run with DEP. For 32-bit processes the system-wide policy decides, and the default on client editions (OptIn) leaves the choice to the developer: only images linked with the /NXCOMPAT flag (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, set from the linker options in Visual Studio) get DEP. Built as a 32-bit executable without /NXCOMPAT, the PoC therefore runs its shellcode from a PAGE_READONLY page; built as 64-bit, or with /NXCOMPAT, the call raises an access violation instead. More details about this, here.
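Both points above, the protection flip performed by WriteProcessMemory and the dependence of DEP on bitness and /NXCOMPAT, as one added example in C. This is not the WindowsPermsPoC source. The portable part parses a PE image's DOS, COFF and optional headers, reads the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit and the PE32/PE32+ magic, and predicts whether DEP will be enforced under a given system policy (the numbering follows DEP_SYSTEM_POLICY_TYPE). The part compiled only under _WIN32 repeats the PoC's write into a PAGE_READONLY page, confirms with VirtualQuery that the protection is unchanged afterwards, and jumps into the page only if GetProcessDEPPolicy reports DEP off. The `stub` byte, the `make_test_pe` header builder and the 4096-byte file read are constructed for this example, and `dep_enforced_at_start` assumes the image is not on an administrator's OptOut exemption list.

```c
/* Added example, not part of WindowsPermsPoC. Portable part: predict DEP enforcement from a PE
 * image's headers. Windows-only part (#ifdef _WIN32): write into a PAGE_READONLY page and jump
 * to it only if the kernel reports DEP off for this process. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_DLLCHAR_NX_COMPAT 0x0100   /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT, set by /NXCOMPAT */

/* Numbering matches DEP_SYSTEM_POLICY_TYPE as returned by GetSystemDEPPolicy(). */
enum dep_policy { DEP_ALWAYS_OFF = 0, DEP_ALWAYS_ON = 1, DEP_OPT_IN = 2, DEP_OPT_OUT = 3 };
typedef struct { int is_64bit; int nx_compat; } pe_dep_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse the DOS, COFF and optional headers of an in-memory PE image. 0 on success, -1 if malformed. */
int pe_read_dep_info(const uint8_t *img, size_t len, pe_dep_info *out)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                          /* "MZ" */
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len - 24 || rd32(img + e_lfanew) != 0x00004550) return -1;  /* "PE\0\0" */
    const uint8_t *coff = img + e_lfanew + 4, *opt = coff + 20;                /* IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER */
    uint16_t opt_size = rd16(coff + 16), magic;
    if (opt_size < 72 || (size_t)(opt - img) + opt_size > len) return -1;
    if ((magic = rd16(opt)) != 0x10b && magic != 0x20b) return -1;             /* PE32 / PE32+ */
    out->is_64bit  = (magic == 0x20b);
    out->nx_compat = (rd16(opt + 70) & PE_DLLCHAR_NX_COMPAT) != 0;            /* DllCharacteristics sits at 70 in both */
    return 0;
}

/* 1 if the kernel enforces DEP for a process started from this image. 64-bit: always. 32-bit: per system
 * policy; under the client default (OptIn) only /NXCOMPAT images get it. Assumes no OptOut exemption (assumption). */
int dep_enforced_at_start(const pe_dep_info *pe, enum dep_policy policy)
{
    if (pe->is_64bit) return 1;
    switch (policy) {
    case DEP_ALWAYS_OFF: return 0;
    case DEP_OPT_IN:     return pe->nx_compat;
    default:             return 1;   /* AlwaysOn, OptOut */
    }
}

/* Constructed test fixture: a headers-only PE image, not a loadable binary. Returns its length, 0 if cap is too small. */
size_t make_test_pe(uint8_t *buf, size_t cap, int pe32plus, uint16_t dll_chars)
{
    const size_t e_lfanew = 0x40, opt_size = pe32plus ? 240 : 224, total = e_lfanew + 24 + opt_size;
    uint16_t machine = pe32plus ? 0x8664 : 0x014c, magic = pe32plus ? 0x20b : 0x10b;   /* AMD64 / I386 */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = (uint8_t)e_lfanew; buf[e_lfanew] = 'P'; buf[e_lfanew + 1] = 'E';
    uint8_t *coff = buf + e_lfanew + 4, *opt = coff + 20;
    coff[0] = machine & 0xff; coff[1] = machine >> 8; coff[16] = opt_size & 0xff; coff[17] = opt_size >> 8;
    opt[0] = magic & 0xff; opt[1] = magic >> 8; opt[70] = dll_chars & 0xff; opt[71] = dll_chars >> 8;
    return total;
}

#ifdef _WIN32
#include <windows.h>
static const unsigned char stub[] = { 0xC3 };   /* constructed stand-in for shellcode: a bare 'ret' */

static void write_and_maybe_execute(void)
{
    void *page = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READONLY);
    if (!page) { printf("VirtualAlloc failed: %lu\n", GetLastError()); return; }
    /* A plain store to 'page' faults; WriteProcessMemory succeeds because it makes the region
     * writable through NtProtectVirtualMemory, copies, and restores the old protection. */
    SIZE_T n = 0; BOOL ok = WriteProcessMemory(GetCurrentProcess(), page, stub, sizeof stub, &n);
    MEMORY_BASIC_INFORMATION mbi; VirtualQuery(page, &mbi, sizeof mbi);
    printf("write into PAGE_READONLY: %s, protection now 0x%lx (PAGE_READONLY = 0x%x)\n",
           ok ? "ok" : "failed", mbi.Protect, PAGE_READONLY);
    int dep_on = 1;   /* 64-bit processes always run with DEP */
#ifndef _WIN64
    DWORD flags = 0; BOOL permanent = FALSE;
    if (GetProcessDEPPolicy(GetCurrentProcess(), &flags, &permanent)) dep_on = (flags & PROCESS_DEP_ENABLE) != 0;
#endif
    printf("system DEP policy %d, this process: DEP %s\n", (int)GetSystemDEPPolicy(), dep_on ? "on" : "off");
    if (dep_on) { puts("not jumping: calling into a PAGE_READONLY page would raise an access violation"); return; }
    ((void (*)(void))page)();   /* 32-bit, DEP off: the page executes despite PAGE_READONLY */
    puts("executed code from a PAGE_READONLY page");
}
#endif

int main(int argc, char **argv)
{
    if (argc > 1) {   /* usage: <this program> some.exe -> bitness, NXCOMPAT bit, DEP under OptIn */
        static uint8_t buf[4096];   /* headers of ordinary images fit in the first page */
        FILE *f = fopen(argv[1], "rb");
        size_t len = f ? fread(buf, 1, sizeof buf, f) : 0;
        pe_dep_info pe; if (f) fclose(f);
        if (pe_read_dep_info(buf, len, &pe) != 0) printf("%s: not a PE image or headers truncated\n", argv[1]);
        else printf("%s: %s, NXCOMPAT=%d, DEP under OptIn: %s\n", argv[1], pe.is_64bit ? "PE32+" : "PE32",
                    pe.nx_compat, dep_enforced_at_start(&pe, DEP_OPT_IN) ? "enforced" : "not enforced");
    }
#ifdef _WIN32
    write_and_maybe_execute();
#endif
    return 0;
}
```

Run it against the PoC's own build output to see why the write always succeeds while the jump only works for a PE32 image without the NXCOMPAT bit; on a 64-bit build the program reports DEP on and refuses to jump rather than crashing.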

Owner
Lorenzo Maffia
CyberSecurity enthusiast and CTF player in @ZenHackTeam
Similar Resources

Some source code to demonstrate avoiding certain direct syscall detections by locating and JMPing to a legitimate syscall instruction within NTDLL.

hiding-your-syscalls What is this? This repository contains all of the source code from my blog post about avoiding direct syscall detections, which y

Nov 1, 2022

Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.

Thread Stack Spoofing PoC A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to byp

Nov 26, 2022

This repository contains toy ImPlot applications that demonstrate some of the library's functionality

ImPlot Demos This repository contains toy ImPlot applications that demonstrate some of the library's functionality.

Nov 22, 2022

Demonstrate ability to read memfd_secret() data from the kernel

nosecmem This project demonstrates the newly-added memfd_secret Linux system call, and a kernel module which can dump the contents of these so-called

Oct 3, 2022

C#-like properties for C++20. This was made to demonstrate a bug in ClangFormat.

cpp20-property C#-like properties for C++20. Example usage #include iostream #include Propery.hpp class ProperyTest { public: zsl::Property

Jun 9, 2022

Load and execute COFF files and Cobalt Strike BOFs in-memory

COFFLoader2 This repo contains the source code of a Common Object File Format (COFF) loader, which is a rewrite of the research and implementation don

Nov 25, 2022

A simple, funky, horrible fluid simulator, made possible by OLC's Pixel Game Engine

flOwie A simple, funky, horrible fluid simulator, made possible by OLC's Pixel Game Engine! Not meant for usefulness. The big O is in the name because

Jan 21, 2022

A simple processor emulator written in c++ that can parse and execute x32 code. x32 is binary code made by me for this processor.

A SIMPLE PROCESSOR EMULATOR AND CODE EXECUTOR The Repository This is a fairly new project and is still heavy in development. If you find any bugs feel

Jan 20, 2022

Programming language that compiles into a x86 ELF executable.

ocean Programming language that compiles into a x86 ELF executable. The main goal at the moment is to create a C compiler, which can at least compile i

Jul 27, 2022
Comments
  • It does not work after changing DEP to NO

    It still does not work after I modify the DEP to NO, but if I change "PAGE_READONLY" to "PAGE_EXECUTE", all is just good. (I did not change the DEP flag of the OS; tested on Windows 10.)

This PoC uses two different techniques for stealing the primary token from all running processes, showing that it is possible to impersonate and use whatever token is present in any process

StealAllTokens This PoC uses two different techniques for stealing the primary token from all running processes, showing that it is possible to impersonate

Oct 31, 2022
Simple one-file header for hijacking Windows' version.dll for a desired executable, to do third-party modification without DLL injection.

Version-Hijack Simple one-file header for hijacking Windows' version.dll for a desired executable, to do third-party modification without DLL injection. Usage

Oct 19, 2022
Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation to hide executable pages. (VAD hide / NX bit swapping)

Stealthy Kernel-mode Injector Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation

Nov 21, 2022
RemixDB: A read- and write-optimized concurrent KV store. Fast point and range queries. Extremely low write-amplification.

REMIX and RemixDB The REMIX data structure was introduced in paper "REMIX: Efficient Range Query for LSM-trees", FAST'21. This repository maintains a

Nov 1, 2022
CVE-2021-4034 POC and Docker and Analysis write up

Oct 22, 2022
CVE-2021-3156 POC and Docker and Analysis write up

CVE-2021-3156 [toc] Vulnerability overview Vulnerability ID: CVE-2021-3156 Affected product: sudo Affected versions: 1.8.2-1.8.31p2; 1.9.0-1.9.5p1 Impact: local privilege escalation Source code: https://www.sudo.ws/getting/source/ Environment

Oct 22, 2022
CVE-2022-0185 POC and Docker and Analysis write up

CVE-2022-0185 Linux kernel privilege escalation (container escape) [toc] Vulnerability overview Vulnerability ID: CVE-2022-0185 CVSS score: Affected product: linux kernel - fsconfig syscall Affected range: linux kernel 5.1-rc1 ~ 5.16.2 Exploitation requirements: linu

Nov 24, 2022
C++ POC to write additional credentials into the LSASS process

LSASS_Injection_CreateProcessWithLogonW C++ POC to write additional credentials into the LSASS process Usage: LSASS_Injection_CreateProcessWithLogonW USE

Feb 9, 2022
Android PoC to read/write Huawei's NVME image

hisi-nve Android PoC to read/write Huawei's NVME image Disclaimers Use this tool at your own risk and always backup NVME. This tool was made for educa

Nov 19, 2022
Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a handy trick.

Proof-of-Concept Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a h

Nov 19, 2022