cobbr · salu90 · Sep 23, 2020 · Sep 24, 2020 · Sep 24, 2020 · Sep 30, 2020
diff --git a/SharpSploit/Execution/PlatformInvoke/Win32.cs b/SharpSploit/Execution/PlatformInvoke/Win32.cs
@@ -177,6 +177,45 @@ IntPtr hProcess
             public static extern void GetNativeSystemInfo(
                 ref Execute.Win32.Kernel32.SYSTEM_INFO lpSystemInfo
             );
+
+            [DllImport("kernel32.dll", SetLastError = true)]
+            public static extern bool InitializeProcThreadAttributeList(
+                IntPtr lpAttributeList,
+                int dwAttributeCount,
+                int dwFlags,
+                ref IntPtr lpSize
+            );
+
+            [DllImport("kernel32.dll", SetLastError = true)]
+            public static extern bool UpdateProcThreadAttribute(
+                IntPtr lpAttributeList,
+                uint dwFlags,
+                IntPtr Attribute,
+                IntPtr lpValue,
+                IntPtr cbSize,
+                IntPtr lpPreviousValue,
+                IntPtr lpReturnSize
+            );
+
+            [DllImport("kernel32.dll", SetLastError = true)]
+            public static extern bool DeleteProcThreadAttributeList(
+                IntPtr lpAttributeList
+            );
+
+            [DllImport("kernel32.dll")]
+            public static extern bool CreateProcess(
+             string lpApplicationName,
+             string lpCommandLine,
+             ref Execute.Win32.WinBase._SECURITY_ATTRIBUTES lpProcessAttributes,
+             ref Execute.Win32.WinBase._SECURITY_ATTRIBUTES lpThreadAttributes,
+             bool bInheritHandles,
+             Execute.Win32.Advapi32.CREATION_FLAGS dwCreationFlags,
+             IntPtr lpEnvironment,
+             string lpCurrentDirectory,
+             ref Execute.Win32.ProcessThreadsAPI._STARTUPINFOEX lpStartupInfoEx,
+             out Execute.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInformation
+            );
+
         }
 
         public static class User32
@@ -387,7 +426,7 @@ public static extern bool CreateProcessWithTokenW(
                 ref Execute.Win32.ProcessThreadsAPI._STARTUPINFO lpStartupInfo,
                 out Execute.Win32.ProcessThreadsAPI._PROCESS_INFORMATION lpProcessInfo
             );
-
+	        
             [DllImport("advapi32.dll", SetLastError = true)]
             public static extern Boolean CredEnumerateW(
                 String Filter,
@@ -531,7 +570,7 @@ public static extern Int32 RegQueryInfoKey(
                 IntPtr lpSecurityDescriptor,
                 IntPtr lpftLastWriteTime
             );
-
+			
             [DllImport("advapi32.dll", SetLastError = true)]
             public static extern Boolean RevertToSelf();
 

diff --git a/SharpSploit/Execution/Shell.cs b/SharpSploit/Execution/Shell.cs
@@ -296,5 +296,116 @@ public static string CreateProcessWithToken(string Command, string Path, IntPtr
                 }
             }
         }
+
+        /// <summary>
+        /// Creates a process specified as argument using the Platform Invoke API.
+        /// </summary>
+        /// <author>Simone Salucci (@saim1z) & Daniel López (@attl4s)</author>
+        /// <param name="targetProcess">The target process to execute.</param>
+        /// <returns>PROCESS_INFORMATION structure.</returns>
+        /// <remarks>
+        /// Code has been kindly stolen and adapted from TikiTorch (https://github.com/rasta-mouse/TikiTorch/blob/064c60c5e23188867a0f9c5a0626dd39718750d4/TikiLoader/Generic.cs).
+        /// </remarks>	       
+        public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvoke(string targetProcess, bool blockDLL)
+        {
+            Win32.ProcessThreadsAPI._STARTUPINFOEX StartupInfoEx = new Win32.ProcessThreadsAPI._STARTUPINFOEX();
+            Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo = new Win32.ProcessThreadsAPI._PROCESS_INFORMATION(); 
+
+            StartupInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(StartupInfoEx);
+            IntPtr lpValue = Marshal.AllocHGlobal(IntPtr.Size);
+
+            Win32.WinBase._SECURITY_ATTRIBUTES pSec = new Win32.WinBase._SECURITY_ATTRIBUTES();
+            Win32.WinBase._SECURITY_ATTRIBUTES tSec = new Win32.WinBase._SECURITY_ATTRIBUTES();
+            pSec.nLength = (uint)Marshal.SizeOf(pSec);
+            tSec.nLength = (uint)Marshal.SizeOf(tSec);
+
+            StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW;
+            StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE
+            Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT | Win32.Advapi32.CREATION_FLAGS.CREATE_SUSPENDED;
+
+            if (blockDLL)
+            {
+                IntPtr lpSize = IntPtr.Zero;
+                PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
+                StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
+                PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize);
+                Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON));
+                PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.MITIGATION_POLICY, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
+            }
+
+                PInvoke.Win32.Kernel32.CreateProcess(
+                    targetProcess,                             
+                    null,    
+                    ref pSec,                               
+                    ref tSec,                          
+                    false,                      
+                    flags,                     
+                    IntPtr.Zero,
+                    null,                       
+                    ref StartupInfoEx,            
+                    out ProcInfo                
+                    );                       
+
+            return ProcInfo;
+        }
+
+        /// <summary>
+        /// Creates a process with the parent process ID specified as argument using the Platform Invoke API.
+        /// </summary>
+        /// <author>Simone Salucci (@saim1z) & Daniel López (@attl4s)</author>
+        /// <param name="targetProcess">The target process to execute.</param>
+        /// <param name="parentProcessId">The parent process ID of the new process executed.</param>
+        /// <returns>PROCESS_INFORMATION structure.</returns>
+        /// <remarks>
+        /// Code has been kindly stolen and adapted from TikiTorch (https://github.com/rasta-mouse/TikiTorch/blob/064c60c5e23188867a0f9c5a0626dd39718750d4/TikiLoader/Generic.cs).
+        /// </remarks>	 
+        public static Win32.ProcessThreadsAPI._PROCESS_INFORMATION CreateProcessPInvokePPID(string targetProcess, int parentProcessId, bool blockDLL)
+        {
+
+            Win32.ProcessThreadsAPI._STARTUPINFOEX StartupInfoEx = new Win32.ProcessThreadsAPI._STARTUPINFOEX();
+            Win32.ProcessThreadsAPI._PROCESS_INFORMATION ProcInfo = new Win32.ProcessThreadsAPI._PROCESS_INFORMATION();
+
+            StartupInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(StartupInfoEx);         
+            IntPtr lpValue = Marshal.AllocHGlobal(IntPtr.Size);
+
+            try
+            {
+                Win32.WinBase._SECURITY_ATTRIBUTES pSec = new Win32.WinBase._SECURITY_ATTRIBUTES();
+                Win32.WinBase._SECURITY_ATTRIBUTES tSec = new Win32.WinBase._SECURITY_ATTRIBUTES();
+                pSec.nLength = (uint)Marshal.SizeOf(pSec);
+                tSec.nLength = (uint)Marshal.SizeOf(tSec);
+
+                StartupInfoEx.StartupInfo.dwFlags = (uint)Win32.ProcessThreadsAPI.STARTF.STARTF_USESHOWWINDOW;
+                StartupInfoEx.StartupInfo.wShowWindow = 0; //SW_HIDE
+                Win32.Advapi32.CREATION_FLAGS flags = Win32.Advapi32.CREATION_FLAGS.CREATE_NO_WINDOW | Win32.Advapi32.CREATION_FLAGS.EXTENDED_STARTUPINFO_PRESENT | Win32.Advapi32.CREATION_FLAGS.CREATE_SUSPENDED;
+
+                IntPtr lpSize = IntPtr.Zero;
+                PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
+                StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
+                PInvoke.Win32.Kernel32.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 2, 0, ref lpSize);
+
+                if (blockDLL)
+                {
+                    Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32.Advapi32.BINARY_SIGNATURE_POLICY.BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON));
+                    PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.MITIGATION_POLICY, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
+                }
+
+                IntPtr parentHandle = Process.GetProcessById(parentProcessId).Handle;
+                lpValue = Marshal.AllocHGlobal(IntPtr.Size);
+                Marshal.WriteIntPtr(lpValue, parentHandle);
+
+                PInvoke.Win32.Kernel32.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)Win32.Advapi32.PROCESS_THREAD_ATTRIBUTE.PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
+                PInvoke.Win32.Kernel32.CreateProcess(targetProcess, null, ref pSec, ref tSec, false, flags, IntPtr.Zero, null, ref StartupInfoEx, out ProcInfo);
+
+                return ProcInfo;
+            }
+            finally
+            {
+                PInvoke.Win32.Kernel32.DeleteProcThreadAttributeList(StartupInfoEx.lpAttributeList);
+                Marshal.FreeHGlobal(StartupInfoEx.lpAttributeList);
+                Marshal.FreeHGlobal(lpValue);
+            }
+        }
+
     }
-}
+}
diff --git a/SharpSploit/Execution/Win32.cs b/SharpSploit/Execution/Win32.cs
@@ -489,6 +489,21 @@ public enum SERVICE_ERROR
                 SERVICE_ERROR_SEVERE = 0x00000002,
                 SERVICE_ERROR_CRITICAL = 0x00000003,
             }
+
+            [Flags]
+            public enum BINARY_SIGNATURE_POLICY : ulong
+            {
+                BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000,
+                BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE = 0x300000000000
+            }
+
+            [Flags]
+            public enum PROCESS_THREAD_ATTRIBUTE : int
+            {
+                MITIGATION_POLICY = 0x20007,
+                PARENT_PROCESS = 0x00020000
+            }
+
         }
 
         public static class Dbghelp
@@ -542,7 +557,7 @@ public struct _SYSTEM_INFO
             [StructLayout(LayoutKind.Sequential)]
             public struct _SECURITY_ATTRIBUTES
             {
-                UInt32 nLength;
+                public UInt32 nLength;
                 IntPtr lpSecurityDescriptor;
                 Boolean bInheritHandle;
             };
@@ -868,8 +883,8 @@ public struct _STARTUPINFO
             [StructLayout(LayoutKind.Sequential)]
             public struct _STARTUPINFOEX
             {
-                _STARTUPINFO StartupInfo;
-                // PPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
+                public _STARTUPINFO StartupInfo;
+                public IntPtr lpAttributeList;
             };
 
             //https://msdn.microsoft.com/en-us/library/windows/desktop/ms684873(v=vs.85).aspx