Immoral Fiber: Two new offensive techniques using Windows Fibers

Immoral Fiber

This repository contains two new offensive techniques using Windows Fibers:

  • PoisonFiber (the first proof-of-concept tool for remote Fiber enumeration and Fiber injection)
  • PhantomThread (an evolved call-stack-masking implementation)

It also contains an example test program that uses Windows Fibers and serves as an injection target for PoisonFiber:

BasicFiber

BasicFiber is a very simple test program that serves as a target for PoisonFiber. BasicFiber consists of:

  1. Two Fibers that switch between one another.
  2. A user defined Fiber Local Storage (FLS) callback function that can be triggered manually.

It waits for user input to either:

  • 's' + Enter – Switch execution from the currently executing Fiber to the dormant Fiber.
  • 'f' + Enter – Execute the user-defined FLS callback.
  • 'e' + Enter – Delete the current Fiber, which calls ExitThread() internally.
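The following is an added example of a BasicFiber-style target program, written for this page and not the repository's own BasicFiber source. It uses only documented Win32 Fiber and FLS APIs (ConvertThreadToFiber, CreateFiber, SwitchToFiber, FlsAlloc, FlsFree, DeleteFiber). How the repository triggers its callback "manually" is not stated; here it is assumed to be done by freeing and re-allocating the FLS slot, which makes the OS invoke the callback for every fiber holding a non-NULL value. The input dispatcher is kept portable so the key mapping can be compiled and checked on any platform; the fiber code itself builds only on Windows.

```c
// Added example (not the project's BasicFiber): a minimal two-fiber program
// with a user-defined FLS callback, driven by 's', 'f' and 'e' on stdin.
#include <stdio.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   // FlsAlloc/FlsFree need Vista or later
#endif
#include <windows.h>
#endif

// Action taken for one line of input, mirroring the keys described above.
typedef enum { ACT_NONE, ACT_SWITCH, ACT_FLS_CALLBACK, ACT_DELETE } action_t;

// Map the first character of an input line to an action; anything else is ignored.
action_t dispatch_command(const char *line) {
    if (line == NULL || line[0] == '\0') return ACT_NONE;
    switch (line[0]) {
        case 's': return ACT_SWITCH;
        case 'f': return ACT_FLS_CALLBACK;
        case 'e': return ACT_DELETE;
        default:  return ACT_NONE;
    }
}

#ifdef _WIN32
static LPVOID g_fibers[2];  // [0] = converted main thread, [1] = worker fiber
static DWORD  g_fls_index;  // FLS slot whose callback the 'f' key triggers

// User-defined FLS callback: the OS calls it when the slot is freed, the fiber
// is deleted, or the thread exits, for every fiber with a non-NULL slot value.
static VOID WINAPI fls_callback(PVOID data) {
    printf("[fls] callback fired with value %p\n", data);
}

// Body of the worker fiber: announce itself, then hand control back and wait
// (dormant) until the main fiber switches to it again.
static VOID WINAPI worker_fiber(PVOID param) {
    (void)param;
    for (;;) {
        printf("[fiber 1] running, switching back to fiber 0\n");
        SwitchToFiber(g_fibers[0]);
    }
}

// Allocate the FLS slot and store a constructed non-NULL marker in it so the
// callback actually runs (a NULL value would suppress it).
static void arm_fls_callback(void) {
    g_fls_index = FlsAlloc(fls_callback);
    FlsSetValue(g_fls_index, (PVOID)0x1234);  // constructed marker value
}

int main(void) {
    char line[16];
    g_fibers[0] = ConvertThreadToFiber(NULL);
    g_fibers[1] = CreateFiber(0, worker_fiber, NULL);
    arm_fls_callback();

    printf("s = switch fiber, f = fire FLS callback, e = delete current fiber\n");
    while (fgets(line, sizeof line, stdin)) {
        switch (dispatch_command(line)) {
        case ACT_SWITCH:
            printf("[fiber 0] switching to fiber 1\n");
            SwitchToFiber(g_fibers[1]);  // returns when the worker switches back
            break;
        case ACT_FLS_CALLBACK:
            FlsFree(g_fls_index);        // assumption: freeing the slot fires the callback
            arm_fls_callback();          // re-arm so 'f' can be used again
            break;
        case ACT_DELETE:
            DeleteFiber(GetCurrentFiber());  // deleting the running fiber calls ExitThread()
            break;
        default:
            break;
        }
    }
    return 0;
}
#else
int main(void) {
    puts("Windows Fibers are only available on Windows; only the dispatcher builds here.");
    return 0;
}
#endif
```

Two points in this program are what the rest of the page is about. The worker fiber spends most of its life dormant inside SwitchToFiber, with its saved context and stack sitting in user-mode memory rather than in a scheduled thread, and the FLS callback is a plain function pointer that the OS will call later without any new thread being created. Both are therefore state that a defender cannot see by enumerating threads alone.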

PoisonFiber

PoisonFiber is the first tool of its kind to make remote Fiber injection available on Windows. It demonstrates two kinds of remote Fiber injection: injecting into a remote dormant Fiber object, or manipulating remote FLS callbacks.

The four sub-techniques it offers are:

  • Remote dormant Fiber injection by overwriting the existing Fiber's code.
  • Remote dormant Fiber injection by redirecting the Fiber's execution flow.
  • Remote callback injection by overwriting the default Fiber Local Storage cleanup callback.
  • Remote callback injection by replacing a user-defined FLS callback with a malicious one.

There are two different pieces of shellcode inside the PoisonFiber POC:

  1. Custom shellcode that returns normally. This is stored in, and loaded from, the resource section of the binary.
  2. A smaller piece of shellcode that pops calc.exe and exits via SEH. This was generated using msfvenom.

Only dormant Fiber injection via overwriting uses the second piece of shellcode: the original Fiber code has been overwritten, so there is nothing to return to and the process would crash if we attempted it. The remaining techniques use the first piece, since it allows normal program flow to continue after the shellcode has executed.

Download & Use

Copyright (c) 2024 Daniel Jary