Awesome

MMFml

MMFml - A tool for injecting shell code into and executing from the Windows system memory map.

Purpose

The goal was to create a method for inserting either x86 or x64 (depending on your target architecture) shell into MMF (heap) and gain a pointer back to the starting position of the opcode. From there we direct CPU execution back to the target address allowing for the execution of the code living within MMF.

Prerequisites

The Powershell code requires PS v5+ to run. The Powershell code currently is designed only for 64-bit systems.

Using MMFml

The C#.NET source is a PoC that we built as the first PoC. As it stands it will launch calc.exe by making a command call to calc.exe via cmd.exe. The shell is x64 and was generated by utilizing the following msfvenom command:

msfvenom -p windows/x64/exec CMD="cmd.exe -c calc.exe" -f csharp

The powershell module utilizes Matt Graeber's function, Get-DelagateType from Invoke-Shellcode. The powershell does the same thing as the .NET portion of the project however is capable of launching more complex programs such as a meterpreter session, empire payload, etc.

Please add your own shell prior to using if you want it to execute. Please note that in its current iteration, this is designed to work on 64-bit systems.

Note

We do not intend to maintain the C# version; this code is provided as reference. Work moving forward will be performed on the Powershell code.

License

The MMFml project and all individual components are under the BSD 3-Clause license unless explicitly noted otherwise.