Red Team Codex
  • Welcome to Red Team Codex (RTC)
  • Posts
    • Red Teaming
      • Initial Foothold Reconnaissance
  • Active Directory Enumeration
    • Overview
    • Domain Enumeration
      • Domain Name
      • Domain Forest Trusts
      • Password Policy
    • Computer Enumeration
      • Domain Controllers
    • User Enumeration
    • Group Enumeration
    • AppLocker Enumeration
  • Payload Development
    • VBA Macros and the Windows API
      • Windows Defender
  • AV / EDR
    • Windows Advanced Threat Protection (ATP)
  • Remote Process Injection
    • CreateRemoteThread()
    • QueueUserAPC()
    • QueueUserAPC() + NtTestAlert()
    • SetWindowsHookEx()
    • SetThreadContext()
    • Process Hollowing
  • My Config Files
    • Windows Terminal
    • Tmux Configuration
    • .bashrc and PS1 Environment
Powered by GitBook
On this page

Was this helpful?

  1. Remote Process Injection

SetWindowsHookEx()

Using SetWindowsHookEx() to perform Remote Process Injection

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexa

HHOOK SetWindowsHookExA(
  int       idHook,
  HOOKPROC  lpfn,
  HINSTANCE hmod,
  DWORD     dwThreadId
);

  • Using a process ID get a thread ID which we want to hook into

    • GetThreadID()

  • Load the DLL library, and get the address of the exported function you are going to call

    • LoadLibrary()

    • LoadLibraryEx()

    • GetProcAddress()

  • Find a Window associated with the process name

    • FindWindow()

  • Get the Window Thread ID

    • GetWindowThreadProcessId()

  • Set a Hook into this thread ID so that when the event triggers, our DLL exported function gets called

    • SetWindowsHookEx()

  • Optionally Unhook

    • UnhookWindowsHookEx()

PreviousQueueUserAPC() + NtTestAlert()NextSetThreadContext()

Last updated 4 years ago

Was this helpful?