This method utilizes TLS callbacks to execute a payload without spawning any threads in a remote process. This method is inspired by Threadless Injection as RemoteTLSCallbackInjection does not invoke any API calls to trigger the injected payload.
New Module 34: TLS Callbacks For Anti-Debugging
New Module 35: Threadless Injection
The PoC follows these steps:
CreateProcessViaWinAPIsW
function (i.e. RuntimeBroker.exe
).g_FixedShellcode
and the main payload.The g_FixedShellcode
shellcode will then make sure that the main payload executes only once by restoring the original TLS callback’s original address before calling the main payload. A TLS callback can execute multiple times across the lifespan of a process, therefore it is important to control the number of times the payload is triggered by restoring the original code path execution to the original TLS callback function.
The following image shows our implementation, RemoteTLSCallbackInjection.exe
, spawning a cmd.exe
as its main payload.