Пример #1
0
 public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref Structs.SECURITY_ATTRIBUTES lpProcessAttributes, ref Structs.SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref Structs.STARTUPINFOEX lpStartupInfo, out Structs.PROCESS_INFORMATION lpProcessInformation);
Пример #2
0
    public static bool SpoofParent(int parentProcessId, string binaryPath, string cmdLine)
    {
        // STARTUPINFOEX members
        const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;

        // STARTUPINFO members (dwFlags and wShowWindow)
        const int   STARTF_USESTDHANDLES = 0x00000100;
        const int   STARTF_USESHOWWINDOW = 0x00000001;
        const short SW_HIDE = 0x0000;

        // dwCreationFlags
        const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000;
        const uint CREATE_NO_WINDOW             = 0x08000000;

        //var error = Marshal.GetLastWin32Error();

        var pInfo = new Structs.PROCESS_INFORMATION();
        var siEx  = new Structs.STARTUPINFOEX();

        // Be sure to set the cb member of the STARTUPINFO structure to sizeof(STARTUPINFOEX).
        siEx.StartupInfo.cb = Marshal.SizeOf(siEx);
        IntPtr lpValueProc          = IntPtr.Zero;
        IntPtr hSourceProcessHandle = IntPtr.Zero;

        if (parentProcessId > 0)
        {
            var lpSize  = IntPtr.Zero;
            var success = WinAPI.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
            if (success || lpSize == IntPtr.Zero)
            {
                return(false);
            }
            Console.WriteLine("successfully used InitializeProcThreadAttributeList ");

            siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
            success = WinAPI.InitializeProcThreadAttributeList(siEx.lpAttributeList, 1, 0, ref lpSize);
            if (!success)
            {
                return(false);
            }
            Console.WriteLine("successfully used InitializeProcThreadAttributeList");

            IntPtr parentHandle = WinAPI.OpenProcess(Structs.ProcessAccessFlags.CreateProcess | Structs.ProcessAccessFlags.DuplicateHandle, false, parentProcessId);
            if (parentHandle == null)
            {
                return(false);
            }

            Console.WriteLine("obtained a handle to parent process");

            // This value should persist until the attribute list is destroyed using the DeleteProcThreadAttributeList function
            lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);
            Marshal.WriteIntPtr(lpValueProc, parentHandle);

            success = WinAPI.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
            if (!success)
            {
                return(false);
            }
            Console.WriteLine("successfully used UpdateProcThreadAttribute");


            IntPtr hCurrent   = System.Diagnostics.Process.GetCurrentProcess().Handle;
            IntPtr hNewParent = WinAPI.OpenProcess(Structs.ProcessAccessFlags.DuplicateHandle, true, parentProcessId);
            if (hNewParent == null)
            {
                return(false);
            }

            Console.WriteLine("successfully used OpenProcess");
        }

        siEx.StartupInfo.dwFlags     = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
        siEx.StartupInfo.wShowWindow = SW_HIDE;

        var ps = new Structs.SECURITY_ATTRIBUTES();
        var ts = new Structs.SECURITY_ATTRIBUTES();

        ps.nLength = Marshal.SizeOf(ps);
        ts.nLength = Marshal.SizeOf(ts);
        //bool ret = CreateProcess(null, command, ref ps, ref ts, true, EXTENDED_STARTUPINFO_PRESENT | CREATE_NO_WINDOW, IntPtr.Zero, null, ref siEx, out pInfo);
        Console.WriteLine("About to call create processd");
        bool ret = WinAPI.CreateProcess(binaryPath, cmdLine, ref ps, ref ts, true, EXTENDED_STARTUPINFO_PRESENT | CREATE_NO_WINDOW, IntPtr.Zero, null, ref siEx, out pInfo);

        Console.WriteLine(Marshal.GetLastWin32Error());
        if (!ret)
        {
            Console.WriteLine("[!] Proccess failed to execute!");
            return(false);
        }

        Console.WriteLine("successfully used CreateProcess");
        return(true);
    }