
Bless Memory Injection Tool

Normally, the programs you run are loaded into memory, and they are visible there through tools such as Task Manager. Task Manager is usually one of the first places a user looks when something seems wrong: the running processes are inspected, the software causing the problem is identified, and in most cases the suspicious file is then deleted from disk.

Memory injection makes a threat much harder to spot with such methods, because the sequence of events changes. When the user runs the application, what actually starts is a carrier program, which we can call a trojan; the twist is that there is a second, active trojan inside it. While the program plays the role of carrier, it holds the material we call executable code (shellcode). When the carrier is activated, it copies its payload into the memory of an existing operating system process, a "vulnerable" system file in the tool's terminology, and nothing visible happens during this step. The shellcode therefore never exists on disk as a file of its own, which is what defeats the look-in-Task-Manager, delete-from-disk routine.

The Bless memory injection tool is a builder for carrier programs of this kind. Bless can extract the shellcode of a selected program for injection and export it as a text file.

As shown in the screenshot, drag and drop is used to select the program to export. After Bless creates the shellcode, it is uploaded to the target FTP server; GitHub, a GitHub gist or GitLab can be used as alternatives.

In this case GitHub was used to host the shellcode. What comes next? Select "Raw", copy the web address from the browser's address bar, paste it into the corresponding field in Bless and press the "Generate Payload" button; the carrier program is then created. Note that the carrier is built around that URL, so the download of the shellcode from the hosting site is itself a network event a defender can look for.

Once the carrier program is created, it injects its payload into memory via a vulnerable system file on the operating system. After that, the carrier can be deleted without any error, because the shellcode is already in memory and the carrier has done its job. The user also cannot see a separate process in Task Manager, because the code runs inside the vulnerable program rather than as a process of its own. Two caveats a practitioner should keep in mind: injected code lives only as long as its host process and does not survive a reboot unless persistence is added separately, and while it is invisible in a process list it is not invisible to the operating system; a remote thread whose start address is not backed by any loaded module is exactly what memory scanners and telemetry such as Sysmon's CreateRemoteThread event look for.
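Added example, not code from this page or from the Bless tool: the defender-side counterpart to the behaviour described in the paragraphs above, where the carrier places shellcode into a host process and then disappears from the process list. It parses Sysmon-style records for Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) and flags the two indicators that this kind of injection leaves behind: a handle to another process opened with create-thread and write rights, and a remote thread whose start address is not backed by any loaded module. The field names follow Sysmon's schema; the log text, file paths and the `carrier.exe` name are constructed sample data.

```python
"""Flag process-injection indicators in Sysmon-style telemetry.

Illustrative example, not part of the Bless tool or the original article.
Field names follow Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10
(ProcessAccess); the records in SAMPLE_LOG are constructed sample data.
"""
import re
from dataclasses import dataclass

# Win32 process access rights an injector needs to write code into another
# process and start it. Values are from the Windows SDK.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample records in Sysmon's rendered "Key: Value" layout.
# Record 1 and 2: a downloaded carrier opens explorer.exe and starts a
# thread at an address with no backing module (injected shellcode).
# Record 3: a legitimate remote thread whose start is inside ntdll.dll.
# Record 4: a handle opened with query-only rights (0x1000), harmless.
SAMPLE_LOG = """\
EventID: 10
SourceImage: C:\\Users\\demo\\Downloads\\carrier.exe
TargetImage: C:\\Windows\\explorer.exe
GrantedAccess: 0x1F0FFF

EventID: 8
SourceImage: C:\\Users\\demo\\Downloads\\carrier.exe
TargetImage: C:\\Windows\\explorer.exe
StartAddress: 0x000001E4A3B20000
StartModule:
StartFunction:

EventID: 8
SourceImage: C:\\Windows\\System32\\csrss.exe
TargetImage: C:\\Windows\\System32\\svchost.exe
StartAddress: 0x00007FFB12345678
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: RtlUserThreadStart

EventID: 10
SourceImage: C:\\Program Files\\AV\\scanner.exe
TargetImage: C:\\Windows\\explorer.exe
GrantedAccess: 0x1000
"""


@dataclass
class Finding:
    event_id: int
    source: str
    target: str
    reason: str


def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            match = re.match(r"^(\w+):\s*(.*)$", line)
            if match:
                event[match.group(1)] = match.group(2).strip()
        if event:
            events.append(event)
    return events


def flag_injection(events):
    """Return findings for cross-process access and unbacked remote threads."""
    findings = []
    for event in events:
        event_id = int(event.get("EventID", "0"))
        source = event.get("SourceImage", "")
        target = event.get("TargetImage", "")
        cross_process = source.lower() != target.lower()
        if event_id == 10:
            granted = int(event.get("GrantedAccess", "0"), 16)
            # All three rights together are what VirtualAllocEx +
            # WriteProcessMemory + CreateRemoteThread require.
            if cross_process and granted & INJECT_MASK == INJECT_MASK:
                findings.append(Finding(event_id, source, target,
                                        "handle opened with create-thread and write rights"))
        elif event_id == 8:
            # A thread start address inside no loaded module means the code
            # was written into the process at run time, not loaded from disk.
            if cross_process and not event.get("StartModule"):
                findings.append(Finding(event_id, source, target,
                                        "remote thread start address not backed by a loaded module"))
    return findings


if __name__ == "__main__":
    for finding in flag_injection(parse_events(SAMPLE_LOG)):
        print(f"[Event {finding.event_id}] {finding.source} -> {finding.target}: {finding.reason}")
```

Run against real data, this needs Sysmon configured to log ProcessAccess and CreateRemoteThread; the GrantedAccess mask check is deliberately strict (all three rights at once) to keep the noise from backup agents and AV scanners, which usually open processes with query or read rights only, out of the results.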

In terms of what this tool can be abused for: since the payload runs only in memory, signature-based antivirus that scans files on disk can be bypassed, although AV and EDR products that scan process memory or hook the injection APIs are a different matter. Malware can be merged with this tool and then injected into target systems.

InfinitumIT
// For secure days…
infinitumit.com.tr