All-in-one kernel-based DLL injector
- Manual map a DLL into kernel memory and expose it to user mode via page table manipulation
- Re-generate a unique, encrypted executable each time it is run and delete the old one
- Store the target DLL in a compressed and encrypted form on disk (.fumo file)
- Tray icon and notifications that tell you about the status of the loader and allow you to abort the injection process
- Wait for certain modules to be loaded in the target process before injecting
- No running processes during injection (injects itself into a different process, explorer.exe by default)
- No open handles to the target process
- No new threads in the target process (injects using APCs from the kernel)
- Compatible with:
- Windows 10 20H1 to Windows 11 23H2 (x64) (in theory, only tested on W11 22H2)
- Secure boot
- PatchGuard
- Driver Signature Enforcement
- Vulnerable driver blocklist
- NOT Compatible with:
- 32-bit Windows and 32-bit processes
- Hypervisor code integrity (HVCI)
- KVA Shadowing (aka the Meltdown mitigation). Modern CPUs aren't affected, disable Meltdown protection on older ones.
- Good anti-cheats (this is designed for defeating user-mode anti-cheats)
- Probably a bunch of anti-virus software
- Old versions of Windows (before 20H1)
- Target DLL MUST NOT have:
- Thread-local storage (TLS)
- Vectored exception handlers (VEH) (adding a global handler manually is fine though)
- (Currently) it does not clean any traces of the vulnerable driver
- Reboot before loading any "decent" anti-cheat if you don't feel like being insta banned
- The target process needs to have a thread that we can schedule APCs on (this is usually not an issue outside of very simple hello world programs that only have one thread)
- You might get random DEP violations because memory above 0x7FFF'FFFFFFFF is technically not valid user-mode memory (at least as far as Windows APIs are concerned, your CPU doesn't care and will happily execute it, that's the whole idea behind this loader)
- You will have to register an exception handler in your DLL that will catch the exception and return
EXCEPTION_CONTINUE_EXECUTIONwhenever it encounters a DEP violation above 0x7FFF'FFFFFFFF
- You will have to register an exception handler in your DLL that will catch the exception and return
- Download the latest release or build it yourself
- Drag and drop a DL onto
fumo_encoder.exe - Fill out the process name
- Fill out what DLL(s) to wait for before injecting
- Drag and drop the generated .fumo file onto
fumo.exe - Wait for the success notification or error message box
- Open the target process
- Wait for the target DDL(s) to be loaded
- ...
- Profit
- Visual Studio 2022 build tools (lower might work, but not tested)
- Windows Driver Kit 10 (WDK)
- CMake
# configure the x64-windows preset
cmake --preset=x64-windows
# build the project
cmake --build --preset=ReleaseOr use the CMake integration built into your IDE of choice
- Add support for TLS
- Add support for VEH
- Add support for KVA Shadowing
- Do some trace cleaning
- KDU - the driver vulnerable mapper
- libKDU - My wrapper around KDU that turns it into a static library
- lazy_importer - inlined import resolution (used for position-independent code)
- xorstr - inlined and encrypted strings (also used for position-independent code)
- FindWDK - CMake module for building Windows drivers
- lz4 - compression for the .fumo files
- CMake - amazing build system
- @slnchyt - the tray icon
- ThePerfectInjector - the original idea for this injection method
- Blackbone - well-written kernel code that I used as a reference (and stole some code from)
