- Rename agent from "Apollo" to "Ares" across documentation and configuration
- Update config.json to reference Ares container image instead of Apollo
- Replace Apollo logo with Ares logo in documentation
- Rename workspace file from Apollo.code-workspace to Ares.code-workspace
- Add ASCII art display function to agent startup sequence
- Remove obsolete refactor analysis document
+++
title = "Process Injection"
chapter = false
weight = 102
+++

# Process Injection in Ares
Ares has abstracted process injection into its own project and has the following techniques implemented:
- CreateRemoteThread
- QueueUserAPC (early bird)
- NtCreateThreadEx (via Syscalls)
As an operator, sometimes one injection technique is more desirable than another. To facilitate this, the `get_injection_techniques` command lists all currently loaded injection techniques the agent knows about. Similarly, `set_injection_technique` updates the injection technique used by all subsequent post-exploitation jobs.

## Commands Leveraging Injection
All of Ares's fork and run commands use injection to inject into a sacrificial process; however, there are additional commands that inject into other processes. Those commands are:
{{% notice info %}}
Some injection techniques are incompatible with the aforementioned commands. For example, if `QueueUserAPC` is the selected technique, the above commands will fail, because Ares implements the early bird variant of `QueueUserAPC`, not the APC bombing technique.
{{% /notice %}}