Shellcode Injection

Both commands described below, shinject and shinject_ex, support Parent Process ID Spoofing and Dynamic Injection techniques.

Shellcode Injection with Fork&Inject

The shinject command takes position independent shellcode, supplied either as an executable or as a raw binary blob, as its argument. It launches the child process configured with the set_child command in a suspended state and injects the shellcode into it. After injection the badger waits on the injected thread's HANDLE; once that HANDLE is signaled, it resumes the suspended process so the child can finish starting normally. The command does not capture any output from the remote process. In short, it does the following:

  • Create a new suspended process and obtain its HANDLE
  • Allocate memory in the new process and start the shellcode using the primitives configured with the set_malloc and set_threadex commands
  • Wait for the injected thread's HANDLE to be signaled
  • Resume the suspended process once the injected thread has returned

NOTE: If you inject the badger's own shellcode with shinject and the QAPC technique, keep in mind that the badger's shellcode returns almost immediately after starting the main payload. When a new suspended process is created and the badger waits on the HANDLE before resuming it, the thread into which the badger was injected returns quickly; once the process is resumed, it continues executing its main thread with the badger running from the queued APC. If that process is one whose main thread exits quickly, such as werfault.exe or searchprotocolhost.exe, the badger's shellcode exits along with it. Using QAPC with shinject against such a short-lived process is therefore not recommended, because the process will return before the shellcode finishes executing. If you want to combine QAPC with shellcode injection, use a process that keeps running after it is resumed, e.g. notepad.exe.

Shellcode Injection into Existing Process

The shinject_ex command, on the other hand, takes a process ID as its first argument and position independent shellcode, supplied either as an executable or as a raw binary blob, as its second argument. It does not create a new process; it injects only into the existing one. The operator needs sufficient privileges to obtain a HANDLE to the target process with the access rights the configured allocation and execution primitives require (typically memory operation, memory write and thread creation rights); protected processes or processes at a higher integrity level will refuse the handle.