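/// <summary>
/// Adversary-emulation simulation for ATT&amp;CK T1055 (process injection). Starts a fresh
/// notepad.exe as the target, records its name and PID in the simulation log, and hands the
/// process to <c>DefenseEvasionHelper.ProcInjection_CreateRemoteThread</c> together with the
/// <c>Lib.Static.donut_ping</c> payload. The run's outcome is written to the same log
/// (<c>SimulationFinished</c> / <c>SimulationFailed</c>) so the generated telemetry can be
/// correlated with the simulation when validating detections.
/// </summary>
/// <param name="log">Log file name, resolved relative to the application base directory.</param>
public static void ProcessInjection(string log)
{
    // Path.Combine instead of string concatenation: a base directory without a trailing
    // separator can no longer yield a malformed log path.
    string currentPath = AppDomain.CurrentDomain.BaseDirectory;
    Lib.Logger logger = new Lib.Logger(System.IO.Path.Combine(currentPath, log));
    logger.SimulationHeader("T1055");

    try
    {
        // The Process wrapper is disposed once the helper returns. Dispose releases only the
        // managed wrapper and its handle; the started notepad.exe is not terminated.
        using (Process proc = new Process())
        {
            proc.StartInfo.FileName = @"C:\Windows\system32\notepad.exe";
            proc.StartInfo.UseShellExecute = false;
            proc.Start();
            logger.TimestampInfo(String.Format("Process {0}.exe with PID:{1} started for the injection", proc.ProcessName, proc.Id));
            DefenseEvasionHelper.ProcInjection_CreateRemoteThread(Convert.FromBase64String(Lib.Static.donut_ping), proc, logger);
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        // Any failure (process start, payload decoding, injection) is logged, not rethrown,
        // so the simulation harness keeps running.
        logger.SimulationFailed(ex);
    }
}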
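/// <summary>
/// Adversary-emulation simulation for ATT&amp;CK T1055.002 (portable executable injection).
/// Starts a fresh notepad.exe as the target, records its name and PID in the simulation log,
/// and hands the process to <c>DefenseEvasionHelper.ProcInjection_CreateRemoteThread</c>
/// together with the <c>Lib.Static.donut_ping</c> payload. The outcome is written to the same
/// log (<c>SimulationFinished</c> / <c>SimulationFailed</c>) so the generated telemetry can be
/// correlated with the simulation when validating detections.
/// </summary>
/// <param name="log">Log file name, resolved relative to the application base directory.</param>
public static void PortableExecutableInjection(string log)
{
    // Path.Combine instead of string concatenation: a base directory without a trailing
    // separator can no longer yield a malformed log path. Lib.Logger is fully qualified to
    // match the sibling T1055 simulation.
    string currentPath = AppDomain.CurrentDomain.BaseDirectory;
    Lib.Logger logger = new Lib.Logger(System.IO.Path.Combine(currentPath, log));
    logger.SimulationHeader("T1055.002");

    try
    {
        // The Process wrapper is disposed once the helper returns. Dispose releases only the
        // managed wrapper and its handle; the started notepad.exe is not terminated.
        using (Process proc = new Process())
        {
            proc.StartInfo.FileName = @"C:\Windows\system32\notepad.exe";
            proc.StartInfo.UseShellExecute = false;
            proc.Start();
            logger.TimestampInfo(String.Format("Process {0}.exe with PID:{1} started for the injection", proc.ProcessName, proc.Id));
            DefenseEvasionHelper.ProcInjection_CreateRemoteThread(Convert.FromBase64String(Lib.Static.donut_ping), proc, logger);
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        // Any failure (process start, payload decoding, injection) is logged, not rethrown,
        // so the simulation harness keeps running.
        logger.SimulationFailed(ex);
    }
}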