A beacon object file (BOF) implementation of the process injection proof-of-concept from my blog post *Control Flow Hijacking via Data Pointers*. It hijacks control flow by overwriting `combase.dll`'s Control Flow Guard function pointers, which are called by COM proxying functions.
- From my testing, `explorer.exe` is currently the best candidate in terms of an easy triggering mechanism, due to its heavy reliance on COM proxying. I would recommend experimenting.
- Make sure the shellcode is 64-bit, as this BOF only supports 64-bit beacons and target processes.
- This has only been tested on the Windows versions Win10 21H2 (19044.5737) and Win11 24H2 (26100.3775).
Usage:

```
datainject <pid> <shellcode path>
```
For the sake of example, all process IDs below are assumed to be 1234.

Inject into `explorer.exe`; the shellcode executes upon the next COM call (which can be triggered by right-clicking or opening File Explorer):

```
datainject 1234 C:\users\attacker\payloads\beacon_x64.bin
```
- Control Flow Hijacking via Data Pointers - my blog post teaching my methodology for weaponising this.
- Threadless Inject - the project that inspired me to start this research.