TheWover · jfmaes · Nov 16, 2020 · Nov 27, 2020 · Nov 28, 2020
diff --git a/DInvoke/DInvoke/DynamicInvoke/Native.cs b/DInvoke/DInvoke/DynamicInvoke/Native.cs
@@ -14,6 +14,27 @@ namespace DInvoke.DynamicInvoke
     /// </summary>
     public class Native
     {
+        public static Data.Native.NTSTATUS NtCreateProcess(
+            ref IntPtr processHandle,
+            Data.Win32.WinNT.ACCESS_MASK desiredAccess,
+            IntPtr objectAttributes,
+            IntPtr parentProcess,
+            bool InheritObjectTable,
+            IntPtr sectionHandle,
+            IntPtr debugPort,
+            IntPtr ExceptionPort
+            )
+        {
+            // Craft an array for the arguments
+            object[] funcargs =
+            {
+                processHandle,desiredAccess,objectAttributes,parentProcess,InheritObjectTable,sectionHandle,
+                debugPort,ExceptionPort
+            };
+            Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtCreateProcess", typeof(DELEGATES.NTCreateProcess), ref funcargs);
+            processHandle = (IntPtr)funcargs[0];
+            return retvalue;
+        }
         public static Data.Native.NTSTATUS NtCreateThreadEx(
             ref IntPtr threadHandle,
             Data.Win32.WinNT.ACCESS_MASK desiredAccess,
@@ -58,7 +79,7 @@ public static Data.Native.NTSTATUS RtlCreateUserThread(
             // Craft an array for the arguments
             object[] funcargs =
             {
-                Process, ThreadSecurityDescriptor, CreateSuspended, ZeroBits, 
+                Process, ThreadSecurityDescriptor, CreateSuspended, ZeroBits,
                 MaximumStackSize, CommittedStackSize, StartAddress, Parameter,
                 Thread, ClientId
             };
@@ -95,8 +116,8 @@ public static Data.Native.NTSTATUS NtCreateSection(
             }
 
             // Update the modified variables
-            SectionHandle = (IntPtr) funcargs[0];
-            MaximumSize = (ulong) funcargs[3];
+            SectionHandle = (IntPtr)funcargs[0];
+            MaximumSize = (ulong)funcargs[3];
 
             return retValue;
         }
@@ -142,8 +163,8 @@ public static Data.Native.NTSTATUS NtMapViewOfSection(
             }
 
             // Update the modified variables.
-            BaseAddress = (IntPtr) funcargs[2];
-            ViewSize = (ulong) funcargs[6];
+            BaseAddress = (IntPtr)funcargs[2];
+            ViewSize = (ulong)funcargs[6];
 
             return retValue;
         }
@@ -583,6 +604,51 @@ public static IntPtr NtOpenFile(ref IntPtr FileHandle, Data.Win32.Kernel32.FileA
             return FileHandle;
         }
 
+        public static Data.Native.NTSTATUS NtOpenKey(
+            ref IntPtr keyHandle,
+            Data.Win32.WinNT.ACCESS_MASK desiredAccess,
+            ref Data.Win32.WinNT.OBJECT_ATTRIBUTES objectAttributes)
+        {
+            object[] funcargs =
+            {
+                keyHandle,desiredAccess,objectAttributes
+            };
+            Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtOpenKey", typeof(DELEGATES.NtOpenKey), ref funcargs);
+            keyHandle = (IntPtr)funcargs[0];
+            return retvalue;
+        }
+
+
+        public static Data.Native.NTSTATUS NtSetValueKey(IntPtr keyHandle, ref Data.Native.UNICODE_STRING valueName, int titleIndex, Data.Win32.WinNT.REGISTRY_TYPES type, IntPtr data, int dataSize)
+        {
+            object[] funcargs =
+            {
+                keyHandle,valueName,titleIndex,type,data,dataSize
+            };
+            Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtSetValueKey", typeof(DELEGATES.NtSetValueKey), ref funcargs);
+            return retvalue;
+        }
+
+        public static Data.Native.NTSTATUS NTDeleteValueKey(IntPtr keyHandle, ref Data.Native.UNICODE_STRING valueName)
+        {
+            object[] funcargs =
+            {
+               keyHandle,valueName
+            };
+            Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtDeleteValueKey", typeof(DELEGATES.NtDeleteValueKey), ref funcargs);
+            return retvalue;
+        }
+
+
+        public static Data.Native.NTSTATUS NtClose(IntPtr handle)
+        {
+            object[] funcargs = { handle };
+            Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtClose", typeof(DELEGATES.NtClose), ref funcargs);
+            return retvalue;
+        }
+
+
+
         /// <summary>
         /// Holds delegates for API calls in the NT Layer.
         /// Must be public so that they may be used with SharpSploit.Execution.DynamicInvoke.Generic.DynamicFunctionInvoke
@@ -606,6 +672,17 @@ public static IntPtr NtOpenFile(ref IntPtr FileHandle, Data.Win32.Kernel32.FileA
         public struct DELEGATES
         {
             [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate Data.Native.NTSTATUS NTCreateProcess(
+                  ref IntPtr processHandle,
+            Data.Win32.WinNT.ACCESS_MASK desiredAccess,
+            IntPtr objectAttributes,
+            IntPtr parentProcess,
+            bool InheritObjectTable,
+            IntPtr sectionHandle,
+            IntPtr debugPort,
+            IntPtr ExceptionPort
+                );
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
             public delegate Data.Native.NTSTATUS NtCreateThreadEx(
                 out IntPtr threadHandle,
                 Data.Win32.WinNT.ACCESS_MASK desiredAccess,
@@ -666,7 +743,7 @@ public delegate UInt32 LdrLoadDll(
                 UInt32 dwFlags,
                 ref Data.Native.UNICODE_STRING ModuleFileName,
                 ref IntPtr ModuleHandle);
-            
+
             [UnmanagedFunctionPointer(CallingConvention.StdCall)]
             public delegate void RtlInitUnicodeString(
                 ref Data.Native.UNICODE_STRING DestinationString,
@@ -782,6 +859,22 @@ public delegate UInt32 NtOpenFile(
                 ref Data.Native.IO_STATUS_BLOCK IoStatusBlock,
                 Data.Win32.Kernel32.FileShareFlags ShareAccess,
                 Data.Win32.Kernel32.FileOpenFlags OpenOptions);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate Data.Native.NTSTATUS NtOpenKey(
+               ref IntPtr keyHandle,
+               Data.Win32.WinNT.ACCESS_MASK desiredAccess,
+               ref Data.Win32.WinNT.OBJECT_ATTRIBUTES objectAttributes);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate Data.Native.NTSTATUS NtSetValueKey(
+                IntPtr keyHandle, ref Data.Native.UNICODE_STRING valueName, int titleIndex, Data.Win32.WinNT.REGISTRY_TYPES type, IntPtr Data, int DataSize);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate Data.Native.NTSTATUS NtDeleteValueKey(IntPtr keyHandle, ref Data.Native.UNICODE_STRING valueName);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate Data.Native.NTSTATUS NtClose(IntPtr keyHandle);
         }
     }
 }
diff --git a/DInvoke/DInvoke/DynamicInvoke/Win32.cs b/DInvoke/DInvoke/DynamicInvoke/Win32.cs
@@ -32,6 +32,87 @@ public static IntPtr OpenProcess(Data.Win32.Kernel32.ProcessAccessFlags dwDesire
                 typeof(Delegates.OpenProcess), ref funcargs);
         }
 
+        public static Boolean CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, Data.Win32.Advapi32.CREATION_FLAGS dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref Data.Win32.ProcessThreadsAPI.STARTF lpStartupInfo, out Data.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInformation)
+        {
+            lpProcessInformation = new Data.Win32.ProcessThreadsAPI._PROCESS_INFORMATION();
+            object[] funcargs =
+            {
+                lpApplicationName,lpCommandLine,lpProcessAttributes,lpThreadAttributes,bInheritHandles,dwCreationFlags,
+                lpEnvironment,lpCurrentDirectory,lpStartupInfo,lpProcessInformation
+            };
+            Boolean success = (Boolean)Generic.DynamicAPIInvoke(@"kernel32.dll", @"CreateProcessA", typeof(Delegates.CreateProcess), ref funcargs);
+            lpProcessInformation = (Data.Win32.ProcessThreadsAPI._PROCESS_INFORMATION)funcargs[9];
+            return success;
+        }
+
+
+        public static IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect)
+        {
+            object[] funcargs =
+            {
+                hProcess,lpAddress,dwSize,flAllocationType,flProtect
+            };
+            IntPtr retval = (IntPtr)Generic.DynamicAPIInvoke(@"kernel32.dll", @"VirtualAllocEx", typeof(Delegates.VirtualAllocEx), ref funcargs);
+            return retval;
+        }
+
+
+        public static bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten)
+        {
+            lpNumberOfBytesWritten = UIntPtr.Zero;
+            object[] funcargs =
+            {
+                hProcess,lpBaseAddress,lpBuffer,nSize,lpNumberOfBytesWritten
+            };
+            bool success = (bool)Generic.DynamicAPIInvoke(@"kernel32.dll", @"WriteProcessMemory", typeof(Delegates.WriteProcessMemory), ref funcargs);
+            return success;
+        }
+
+
+        public static IntPtr OpenThread(Data.Win32.Kernel32.ThreadAccess dwDesiredAccess, bool bInheritHandle,
+        int dwThreadId)
+        {
+            object[] funcargs =
+            {
+                dwDesiredAccess,bInheritHandle,dwThreadId
+            };
+            IntPtr retvalue = (IntPtr)Generic.DynamicAPIInvoke(@"kernel32.dll", @"OpenThread", typeof(Delegates.OpenThread), ref funcargs);
+            return retvalue;
+        }
+
+
+        public static Boolean VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect)
+        {
+            lpflOldProtect = 0;
+            object[] funcargs =
+            {
+                hProcess,lpAddress,dwSize,flNewProtect,lpflOldProtect
+            };
+            Boolean retval = (Boolean)Generic.DynamicAPIInvoke(@"kernel32.dll", @"VirtualProtectEx", typeof(Delegates.VirtualProtectEx), ref funcargs);
+            return retval;
+        }
+
+        public static IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData)
+        {
+            object[] funcargs =
+            {
+                pfnAPC,hThread,dwData
+            };
+            IntPtr retval = (IntPtr)Generic.DynamicAPIInvoke(@"kernel32.dll", @"QueueUserAPC", typeof(Delegates.QueueUserAPC), ref funcargs);
+            return retval;
+        }
+
+        public static uint ResumeThread(IntPtr hThread)
+        {
+            object[] funcargs =
+            {
+                hThread
+            };
+            uint retval = (uint)Generic.DynamicAPIInvoke(@"kernel32.dll", @"ResumeThread", typeof(Delegates.ResumeThread), ref funcargs);
+            return retval;
+
+        }
+
         public static IntPtr CreateRemoteThread(
             IntPtr hProcess,
             IntPtr lpThreadAttributes,
@@ -71,7 +152,7 @@ public static bool IsWow64Process(IntPtr hProcess, ref bool lpSystemInfo)
 
             bool retVal = (bool)Generic.DynamicAPIInvoke(@"kernel32.dll", @"IsWow64Process", typeof(Delegates.IsWow64Process), ref funcargs);
 
-            lpSystemInfo = (bool) funcargs[1];
+            lpSystemInfo = (bool)funcargs[1];
 
             // Dynamically load and invoke the API call with out parameters
             return retVal;
@@ -99,6 +180,29 @@ UInt32 dwProcessId
             public delegate bool IsWow64Process(
                 IntPtr hProcess, ref bool lpSystemInfo
             );
+
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate Boolean CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, Data.Win32.Advapi32.CREATION_FLAGS dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref Data.Win32.ProcessThreadsAPI.STARTF lpStartupInfo, out Data.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInformation);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate IntPtr OpenThread(Data.Win32.Kernel32.ThreadAccess dwDesiredAccess, bool bInheritHandle,
+            int dwThreadId);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate Boolean VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate uint ResumeThread(IntPtr hThhread);
         }
     }
 }
diff --git a/DInvoke/DInvoke/Injection/Allocation.cs b/DInvoke/DInvoke/Injection/Allocation.cs
@@ -289,4 +289,71 @@ public static Data.Native.NTSTATUS UnmapSection(IntPtr hProc, IntPtr baseAddr)
             return DynamicInvoke.Native.NtUnmapViewOfSection(hProc, baseAddr);
         }
     }
+
+
+
+
+    public class VirtualAllocEx : AllocationTechnique
+    {
+
+        /// <summary>
+        /// Default constructor.
+        /// </summary>
+        /// 
+        public VirtualAllocEx()
+        {
+            DefineSupportedPayloadTypes();
+        }
+
+
+        /// <summary>
+        /// States whether the payload is supported.
+        /// </summary>
+        /// <author>The Wover (@TheRealWover)</author>
+        /// <param name="Payload">Payload that will be allocated.</param>
+        /// <returns></returns>
+        public override bool IsSupportedPayloadType(PayloadType Payload)
+        {
+            return supportedPayloads.Contains(Payload.GetType());
+        }
+
+        /// <summary>
+        /// Internal method for setting the supported payload types. Used in constructors.
+        /// Update when new types of payloads are added.
+        /// </summary>
+        /// <author>The Wover (@TheRealWover)</author>
+        internal override void DefineSupportedPayloadTypes()
+        {
+            //Defines the set of supported payload types.
+            supportedPayloads = new Type[] {
+                typeof(PICPayload)
+            };
+        }
+
+        /// <summary>
+        /// Allocate the payload in the target process.
+        /// </summary>
+        /// <param name="Payload">The PIC payload to allocate to the target process.</param>
+        /// <param name="Process">The target process.</param>
+        /// <returns>Base address of allocated memory within the target process's virtual memory space.</returns>
+        /// 
+        public IntPtr Allocate(PICPayload Payload, Process Process)
+        {
+            if (!IsSupportedPayloadType(Payload))
+            {
+                throw new PayloadTypeNotSupported(Payload.GetType());
+            }
+            // Get a convenient handle for the target process.
+            IntPtr procHandle = DynamicInvoke.Win32.OpenProcess(Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_OPERATION | Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_WRITE | Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_READ, false, (uint)Process.Id);
+            //create a IntPtr to return the base address of the allocated mem
+            IntPtr alloc = DynamicInvoke.Win32.VirtualAllocEx(procHandle, IntPtr.Zero, (uint)Payload.Payload.Length, Data.Win32.Kernel32.MEM_COMMIT | Data.Win32.Kernel32.MEM_RESERVE, Data.Win32.WinNT.PAGE_EXECUTE_READWRITE);
+            UIntPtr bytesWritten = UIntPtr.Zero;
+            Boolean success = DynamicInvoke.Win32.WriteProcessMemory(procHandle, alloc, Payload.Payload, (uint)Payload.Payload.Length, out bytesWritten);
+            if (success)
+                return alloc;
+            else
+                throw new Exception("an error occured trying to write memory into the process.");
+        }
+    }
+
 }