DbgNexum: Shellcode injection using the Windows Debugging API
DbgNexum is a Proof-of-Concept for injecting shellcode using the Windows Debugging API and Shared Memory (File Mapping). It avoids writing and reading remote memory directly, instead using context manipulation to force the target process to load and execute the payload itself.
The injector attaches to a target process and creates a suspended thread. Through a debug loop, it sets a Hardware Breakpoint to trap execution at a specific return address. At each trap, the injector modifies the CPU registers to mimic function calls, orchestrating a sequence of Windows API function calls inside of the target process.
Features
- No
WriteProcessMemory/VirtualAllocEx: The payload is transferred viaCreateFileMappingandMapViewOfFile. - No
ReadProcessMemory: The approach gets all the key information from the thread context.
How It Works
The execution flow is a constant back and forth between the injector’s Debug Loop and the target process.
Injection Stages
The DebugLoop function contains the main injection logic and orchestrates the “state machine”:
0. Preparation:
- The injector saves the current stack pointer to reuse for each stage
- To get the return address of the anchored stack, we set a trap flag and set execution to an instant
retcall.
1. Allocation:
- Set HWBP on the return address of the anchored stack, to get notified when a called function returns.
- Prepare and force thread to call
LocalAllocto (obviously) allocate a small buffer.
2. Data Setup:
- Prepare and force thread to call
memcpyto copy the stringMZinto the previously allocated buffer.
3. Stack Prep:
- Force thread to call
memsetto zero out a stack slot. This is in preparation of stage 5, which will callMapViewOfFile. Since the function will use >4 arguments, the 5th arg is passed via the stack (which we set here).
4. Open Mapping:
- Force thread to call
OpenFileMappingAusing theMZname, “created” in stage 2 & 3.
5. Map Payload:
- Forces the target to call
MapViewOfFile. This maps the shared memory section (containing the shellcode) into the target’s address space withEXECUTEpermissions.
6. Execution:
- Redirects
RIPto the address returned byMapViewOfFile. - Clears debug registers and detaches.
Download & Use
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce
