Injection and Hijacking


Windows Warzone.

While Windows has many concepts familiar to those seen in Linux, the Win32 API and the Windows security model are quite different and allow for scenarios uncommon on Linux. This module will explore some classic Windows injection and hijacking techniques that allow code to be executed in the context of another process, such as DLL injection, process hollowing, and thread hijacking. As an added twist, a rudimentary Endpoint Detection and Response (EDR) system will be used to detect and block these techniques. Can you bypass the EDR and execute your code in the context of another process?

Note: This dojo is slowly being developed, including iterating on infrastructure support. Functionality is subject to change!


Lectures and Reading

Shortly into this series of challenges, our custom EDR, "robdefender", will start up inside the Windows VM. Over the course of many challenges, robdefender will be updated to detect and block various techniques. The EDR is not perfect, and there are many ways to bypass it. The EDR implementation resides in C:\challenge\RD; its location there is an implementation detail. The "rd_rules.txt" file can provide some insight as to which hooks are enabled.

ROBDEFENDER IS NOT THE INTENDED TARGET FOR THESE CHALLENGES! The running challenge process is where you should focus.

Fair Warning: It is not recommended to spend time understanding the EDR implementation and it is subject to change without notice.


Challenges

No tricks here, just a simple calculator. Can you obtain the flag?

A simple hello world program. Can you obtain the flag?

Some virtual allocations are suspect and will result in process termination by the EDR. Can you obtain the flag?

Some virtual allocations are suspect and will result in process termination by the EDR. Can you obtain the flag?

Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag?

Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag?

Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag?

Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag?

