![\"\"](\"https:\/\/hacktarus.fr\/wp-content\/uploads\/2022\/06\/image.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Ensuite il n’y a plus qu’\u00e0 lancer mavinject.exe (il se trouve dans C:\\windows\\System32 et C:\\windows\\SysWOW64) avec le PID cible et le chemin de la DLL \u00e0 injecter :<\/p>\n\n\n\n <\/p>\n\n\n\n Et boum la DLL est charg\u00e9e dans l’espace m\u00e9moire de l’explorateur de fichiers comme on peut le voir ci-dessous (injectme64.dll pr\u00e9sent dans la liste des DLL charg\u00e9es par le processus explorer.exe) :<\/p>\n\n\n\n <\/p>\n\n\n\n et forc\u00e9ment le code de la DLL est ex\u00e9cut\u00e9e (DllMain) :<\/p>\n\n\n\n <\/p>\n\n\n\n Moralit\u00e9, il s’agit d’une technique extr\u00eamement simple fournie par Microsoft pour tout acteur malveillant qui souhaite cacher du code dans des processus et par la m\u00eame occasion bypasser les solutions de contr\u00f4les d’applications (comme Applocker par exemple), pas mal non ?<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Si vous n’\u00eates pas un f\u00e9ru des LOLBins – vous savez les binaires Microsoft qui d\u00e9tourn\u00e9s de leur usage standard peuvent r\u00e9aliser des actions malveillantes (https:\/\/lolbas-project.github.io\/) – alors vous n’avez probablement jamais entendu parl\u00e9 de mavinject.exe. Cette ex\u00e9cutable est utilis\u00e9 par la technologie App-V de Microsoft, de la virtualisation d’applications, chose que l’on ne rencontre … Continuer la lecture de Mavinject o\u00f9 comment Microsoft facilite l’injection de code malveillant<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-995","post","type-post","status-publish","format-standard","hentry","category-pentest"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=995"}],"version-history":[{"count":24,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/995\/revisions"}],"predecessor-version":[{"id":1024,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/995\/revisions\/1024"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/hacktarus.fr\/wp-content\/uploads\/2022\/06\/image-4.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hacktarus.fr\/wp-content\/uploads\/2022\/06\/image-3.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hacktarus.fr\/wp-content\/uploads\/2022\/06\/image-2.png\")
<\/figure>\n\n\n\n