Thread Name-Calling Injection

Remote shellcode injection technique, using Thread Name (a.k.a. Thread Description)

The code to be injected is passed as a thread description to the target (with SetThreadDescription). Then, a function GetThreadDescription is called remotely on the target, via APC, causing the description buffer to be copied into the target’s working set. After making the buffer executable, it is run using another APC call.

Details: https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/

Remote write via Thread Name

The buffer is injected into the remote process without the need of having the write access right (PROCESS_VM_WRITE).

Modules

• thread_namecaller - implementation of Thread Name-Calling injection. Injects a shellcode that pops a calc into a process selected by the PID
• dll_inj - a DLL injection variant. The path to the DLL is written into the remote process via Thread Name
• thread_receive - a demo target application, with a set of various mitigation policies

Demo

thread_namecaller in action:

• https://www.youtube.com/watch?v=JjVSMin8kFU

dll_inj in action:

• https://www.youtube.com/watch?v=8cSNgE3gZxY