Skip to content
This repository has been archived by the owner on Oct 25, 2023. It is now read-only.

Dll injection through code page id modification in registry. Based on jonas lykk research

Notifications You must be signed in to change notification settings

NtQuerySystemInformation/NlsCodeInjectionThroughRegistry

Repository files navigation

NlsCodeInjectionThroughRegistry

Dll injection through registry modification of NLS code page ID.

It requieres administrator privileges, but it definetely works.

How does it work?

It is based on jonas lykk discovery here: https://twitter.com/jonaslyk/status/1352729173631135751?lang=en

What I did is looking around the binaries related, from where I found SetConsoleCp/SetConsoleOutputCP are the main parts involved in the dll loading, you dont care about exports at all.

If the process is not console based, you can allocate one with AllocConsole, payload will still get triggered.

For this reason, to make it to work, I had to create position independent shellcode and inject it to a remote process, which works as a stager to the actual loading of the dll. This is just meant for demostration purposes.

(Writeup will be updated soon in this repository.)

How to use?

Compile the project in release x64, it uses the default jonas payload, which spawns a shell when loaded. ShellcodeInjection is just an additional project I used to convert C to shellcode, using hasherezade method described here: https://github.com/vxunderground/VXUG-Papers/blob/main/From%20a%20C%20project%20through%20assembly%20to%20shellcode.pdf

Only x64, tested in Windows 11.

About

Dll injection through code page id modification in registry. Based on jonas lykk research

Resources

Stars

Watchers

Forks

Packages

No packages published