Syringe: Windows injection utility

SecureState released Syringe, a general purpose injection utility for the windows platform. It supports injection of DLLs, and shellcode into remote processes as well as execution of shellcode.

It can be very useful for executing Metasploit payloads while bypassing many popular anti-virus implementations as well as executing custom made DLLs.
Syringe lead developer Spencer McIntyre observed that many security focused sites and mailing lists were abuzz with the release of a new tool called ShellCodeExec that boasts the ability to execute alpha numerically created shellcode (as commonly generated with the Metasploit Framework).

He was particularly interested in how this new tool worked; and the author, Bernardo Damele, was kind enough to release it under an open source license allowing him to review the source.  The source is all written in C and supports both Linux and Windows operating systems. McIntyre had never had the need to execute shell code to bypass antivirus on Linux, so he focused on the Windows portion.

The method that this tool uses is a simple one that opens a location in its address space with a call to VirtualAlloc with permissions of read, write, and execute. VirtualAlloc is a Windows specific call that reserves a region of memory with the specified permissions. The read and write permissions are required because the alpha numeric shell code will change itself as it is being executed. ShellCodeExec then copies the user supplied shellcode string into the resulting memory buffer from VirtualAlloc.

Finally, ShellCodeExec executes the shellcode via an Assembly stub that takes a pointer to the shell code as its only parameter before calling it. One of the very nice features of this tool is that the stub used to execute the shell code is wrapped in a Structured Exception Handler (SEH) block, allowing the program to execute gracefully, even if the shellcode encounters an error.
One feature that greatly complements ShellCodeExec is the ability to inject the shellcode into a process ID of the user’s choosing. This can be particularly useful when on a host that only permits certain processes to initiate outbound connections. With this goal in mind, McIntyre set out to implement these techniques in his own general purpose injection utility, which he dubbed Syringe.
The final code used to generate the assembly stub for injection into remote processes can be found on Spencer’s blog . The source code to Syringe can be found here.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss