Recently, I encountered such a scenario in an attack and defense game. The target machine accessed the internal application system and was uniformly controlled by VPN. After connecting to VPN, the connection with the external network would be disconnected, resulting in the inability to issue commands in real time. Therefore, I had the idea of developing this small tool. By taking screenshots of the keyboard and recording the clipboard, I could obtain the target's operations after connecting to VPN, and collect sensitive information for the next step of lateral movement.

Whilst this article is designed to stand on its own, if you’re interested, you can find my previous articles on these topics here, here, here and here. Surprisingly, despite all this research being over a decade old, it’s still completely relevant today. The more things change, the more they stay the same, I guess?

hook, refers to a technique used to advance the use of api intercept and process windows messages. Such as a keyboard hook, the Trojans have a lot of this stuff, monitor your keyboard.

Lockd: This is the main Gargoyle component
sRDI-Master: This has been slightly re worked to provide a free mechanism.
test.profile: This sample profile shows required options to work
ShellcodeRDI.py: This is the altered python generator with the new sRDI assembly

DLHell is a tool for performing local and remote DCOM Windows DLL proxying. It can intercept DLLs on remote objects to execute arbitrary commands. The tool supports various authentication methods and provides capabilities for local and remote DLL proxying, as well as DCOM DLL proxying.

Security software and EDR systems register their process creation callbacks in this array using functions such as PsSetCreateProcessNotifyRoutine, PsSetCreateProcessNotifyRoutineEx, and PsSetCreateProcessNotifyRoutineEx2. Each of these functions allows drivers to add their specific callbacks to the array, enabling them to monitor process creation events effectively.

An example in C/C++ of how we can remove static string & function call references by using obfuscation paired with runtime function pointers. As a result, static analysis using tools such as IDA or x64Dbg increases in time/difficulty. You may be able to hide specific API calls from anti-malware systems. On the other hand, some AVs might also flag this behavior as being malicious due to there being a lack of "real looking behavior" in the binary.

RedOps | Red Team Village | DEF CON 31

01: Introduction and Abstract
02: Prerequistes
03: Chapter 1 | Windows NT Basics
04: Chapter 2 | Windows OS System Calls
05: Chapter 2 | LAB Exercise Playbook
06: Chapter 3 | Concept of Direct Syscalls
07: Chapter 4 | Win32 APIs
08: Chapter 4 | LAB Exercise Playbook
09: Chapter 5 | Native APIs
10: Chapter 5 | LAB Exercise Playbook
11: Chapter 6 | Direct Syscalls
12: Chapter 6 | LAB Exercise Playbook
13: Chapter 7 | Indirect Syscalls
14: Chapter 7 | LAB Exercise Playbook

Hijack a file in a remote process without code injection
In three language 😂

From MDSec

"Code provided by smelly - vx-underground"

Process Injection via Component Object Model (COM) IRundown::DoCallback().