Wanderer – An Open-Source Process Injection Enumeration Tool Written In C#



Wanderer is an open-source program that collects information about running processes. For each process it reports the integrity level, whether amsi.dll is present as a loaded module, and whether the process is 64-bit or 32-bit; for the current process it also reports the privilege level. This information is extremely helpful when building a payload tailored to the best candidate process for injection: the payload's architecture has to match the target, an AMSI-free process avoids in-memory scanning of script content, and the integrity level bounds what the injected code will be able to do.
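The following is an added example and not Wanderer's own source code: it performs the same three per-process checks the tool reports (architecture, amsi.dll loaded, integrity level) by hand for one or more PIDs, using the documented Win32 APIs OpenProcess, IsWow64Process, OpenProcessToken and GetTokenInformation (TokenIntegrityLevel) plus System.Diagnostics.Process.Modules. The class and method names (InjectionCandidate, Describe) are hypothetical; the Win32 constants are the real values.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;

// Added example (not Wanderer's source): the per-process checks the tool reports,
// done by hand for one PID with plain Win32 P/Invoke. Class and method names are
// hypothetical; the Win32 functions and constants are the documented ones.
static class InjectionCandidate
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_MANDATORY_LABEL { public IntPtr Sid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint desiredAccess, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass, IntPtr info, uint infoLen, out uint returnLen);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr pSid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr pSid, uint nSubAuthority);

    // The mandatory label SID (S-1-16-RID) encodes the level in its last sub-authority.
    static string IntegrityName(uint rid) =>
        rid < 0x1000 ? "Untrusted" :
        rid < 0x2000 ? "Low" :
        rid < 0x3000 ? "Medium" :     // 0x2100 "Medium Plus" lands here too
        rid < 0x4000 ? "High" :
        rid < 0x5000 ? "System" : "Protected";

    static string IntegrityLevel(IntPtr hProcess)
    {
        if (!OpenProcessToken(hProcess, TOKEN_QUERY, out IntPtr hToken)) throw new Win32Exception();
        IntPtr buf = IntPtr.Zero;
        try
        {
            GetTokenInformation(hToken, TokenIntegrityLevel, IntPtr.Zero, 0, out uint len); // size probe
            buf = Marshal.AllocHGlobal((int)len);
            if (!GetTokenInformation(hToken, TokenIntegrityLevel, buf, len, out len)) throw new Win32Exception();
            IntPtr sid = Marshal.PtrToStructure<TOKEN_MANDATORY_LABEL>(buf).Sid;
            uint count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            uint rid = (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
            return IntegrityName(rid);
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            CloseHandle(hToken);
        }
    }

    // Returns a one-line summary, or throws Win32Exception (typically ERROR_ACCESS_DENIED, 5)
    // for processes the caller cannot open, e.g. protected or other users' processes.
    public static string Describe(int pid)
    {
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (hProcess == IntPtr.Zero) throw new Win32Exception();
        string arch, integrity;
        try
        {
            if (!IsWow64Process(hProcess, out bool wow64)) throw new Win32Exception();
            // On 64-bit Windows a WOW64 process is 32-bit; on 32-bit Windows everything is.
            arch = Environment.Is64BitOperatingSystem && !wow64 ? "64-bit" : "32-bit";
            integrity = IntegrityLevel(hProcess);
        }
        finally { CloseHandle(hProcess); }

        // Module walk via System.Diagnostics. Caveat: a 32-bit enumerator cannot list the
        // modules of a 64-bit process, so build AnyCPU and run as 64-bit on x64 hosts.
        string amsi;
        try
        {
            using (var p = Process.GetProcessById(pid))
                amsi = p.Modules.Cast<ProcessModule>()
                        .Any(m => m.ModuleName.Equals("amsi.dll", StringComparison.OrdinalIgnoreCase))
                       ? "loaded" : "not loaded";
        }
        catch (Win32Exception) { amsi = "unknown (module list denied)"; }

        return $"pid={pid} arch={arch} integrity={integrity} amsi={amsi}";
    }

    static void Main(string[] args)
    {
        // Usage: InjectionCandidate.exe [pid ...]; with no argument it describes itself.
        var pids = args.Length == 0 ? new[] { Process.GetCurrentProcess().Id } : args.Select(int.Parse).ToArray();
        foreach (int pid in pids)
        {
            try { Console.WriteLine(Describe(pid)); }
            catch (Win32Exception e) { Console.WriteLine($"pid={pid} access denied ({e.NativeErrorCode})"); }
        }
    }
}
```

Two points worth noting when running it. The integrity level is read from the token's mandatory label SID rather than guessed from the user, so a medium-integrity explorer.exe and a high-integrity elevated console owned by the same user are told apart correctly. Processes that cannot be opened surface as Win32Exception with error 5; a tool that hides those by default (as Wanderer does unless told to include denied instances) keeps the candidate list to processes you could actually open a handle to, which is the prerequisite for injecting into them. The elevation check behind a "current process privilege level" report is not reproduced here.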

This is a project that I started working on as I progressed through Offensive Security's PEN-300 course. One of my favorite modules from the course is the process injection & migration section, which inspired me to build a tool to help me be more efficient during that activity. A special thanks goes out to ShadowKhan, who provided valuable feedback which helped provide creative direction to make this utility visually appealing and enhanced its usability with suggested filtering capabilities.


Usage

PS C:\> .\wanderer.exe

>> Process Injection Enumeration
>> https://github.com/gh0x0st

Usage: wanderer [target options] <value> [filter options] <value> [output options] <value>

Target Options:

-i, --id, Target a single or group of processes by their id number
-n, --name, Target a single or group of processes by their name
-c, --current, Target the current process and reveal the current privilege level
-a, --all, Target every running process

Filter Options:

--include-denied, Include instances where process access is denied
--exclude-32, Exclude instances where the process architecture is 32-bit
--exclude-64, Exclude instances where the process architecture is 64-bit
--exclude-amsiloaded, Exclude instances where amsi.dll is a loaded process module
--exclude-amsiunloaded, Exclude instances where amsi.dll is not a loaded process module

--exclude-integrity, Exclude instances where the process integrity level is a specific value

Output Options:

--output-nested, Output the results in a nested style view
-q, --quiet, Do not output the banner

Examples:

Enumerate the process with id 12345
C:\> wanderer --id 12345

Enumerate all processes with the names process1 and process2
C:\> wanderer --name process1,process2

Enumerate the current process privilege level
C:\> wanderer --current

Enumerate all 32-bit processes
C:\> wanderer --all --exclude-64

Enumerate all processes where AMSI is loaded
C:\> wanderer --all --exclude-amsiunloaded

Enumerate all processes with the names pwsh,powershell,spotify and exclude instances where the integrity level is untrusted or low and exclude 32-bit processes
C:\> wanderer --name pwsh,powershell,spotify --exclude-integrity untrusted,low --exclude-32

Screenshots

Example 1 (screenshot)

Example 2 (screenshot)

Example 3 (screenshot)

Example 4 (screenshot)

Example 5 (screenshot)
