Пример #1
0
 public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref STRUCTS.SECURITY_ATTRIBUTES lpProcessAttributes, ref STRUCTS.SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, STRUCTS.ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STRUCTS.STARTUPINFOEX lpStartupInfo, out STRUCTS.PROCESS_INFORMATION lpProcessInformation);
Пример #2
0
        public static IntPtr SpawnNewProtectedProcess(string parentProcess, string processName, string demoProcessToSpawn)
        {
            /*allocating memory shenanigans*/
            STRUCTS.STARTUPINFOEX       startInfoEx = new STRUCTS.STARTUPINFOEX();
            STRUCTS.PROCESS_INFORMATION processInfo = new STRUCTS.PROCESS_INFORMATION();
            startInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(startInfoEx);
            IntPtr lpValue = Marshal.AllocHGlobal(IntPtr.Size);

            STRUCTS.SECURITY_ATTRIBUTES processSecurity = new STRUCTS.SECURITY_ATTRIBUTES();
            STRUCTS.SECURITY_ATTRIBUTES threadSecurity  = new STRUCTS.SECURITY_ATTRIBUTES();
            processSecurity.nLength = Marshal.SizeOf(processSecurity);
            threadSecurity.nLength  = Marshal.SizeOf(threadSecurity);

            /*initializing the attributelist*/
            var lpSize = IntPtr.Zero;

            IMPORTS.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
            startInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
            IMPORTS.InitializeProcThreadAttributeList(startInfoEx.lpAttributeList, 2, 0, ref lpSize);

            /*writing the mitigation policy*/
            Marshal.WriteIntPtr(lpValue, new IntPtr((long)STRUCTS.BinarySignaturePolicy.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE));
            IMPORTS.UpdateProcThreadAttribute(
                startInfoEx.lpAttributeList,
                0,
                (IntPtr)STRUCTS.ProcThreadAttribute.MITIGATION_POLICY,
                lpValue,
                (IntPtr)IntPtr.Size,
                IntPtr.Zero,
                IntPtr.Zero
                );

            /*spoofing Parent*/
            IntPtr parentHandle = Process.GetProcessesByName(parentProcess)[0].Handle;

            lpValue = Marshal.AllocHGlobal(IntPtr.Size);
            Marshal.WriteIntPtr(lpValue, parentHandle);
            IMPORTS.UpdateProcThreadAttribute(
                startInfoEx.lpAttributeList,
                0,
                (IntPtr)STRUCTS.ProcThreadAttribute.PARENT_PROCESS,
                lpValue,
                (IntPtr)IntPtr.Size,
                IntPtr.Zero,
                IntPtr.Zero
                );

            IMPORTS.CreateProcess(
                null,
                "\"" + processName + "\"" + " " + demoProcessToSpawn,
                ref processSecurity,
                ref threadSecurity,
                false,
                STRUCTS.ProcessCreationFlags.CREATE_NEW_CONSOLE | STRUCTS.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT,
                IntPtr.Zero,
                null,
                ref startInfoEx,
                out processInfo
                );

            /*mem cleaning */
            IMPORTS.DeleteProcThreadAttributeList(startInfoEx.lpAttributeList);
            Marshal.FreeHGlobal(startInfoEx.lpAttributeList);
            Marshal.FreeHGlobal(lpValue);

            Console.WriteLine("{0} started", processInfo.dwProcessId);
            return(processInfo.hProcess);
        }