Disclaimer
The code provided is "as is" and will not be supported.
CSharp SetThreadContext Shellcode Runner Example
This project is a C# port of the work @xpn did in his blog post here:
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
We only tackle the SetThreadContext portion here, though the building blocks to perform all three tasks are here.
This project first determines a suitable executable to spawn, decrypts shellcode using a predefined key, then uses CreateRemoteThread and SetThreadContext to ensure that the remote thread is backed by a file on disk, effectively evading Get-InjectedThread
.
Usage
The solution file is in Cryptor\ThreadContextRunner.sln
. Open this and view the two projects. If you wish to change the encryption key, you'll need to change it both in Cryptor
and Runner
projects.
Right click Cryptor
in the solution pane and click "Build". This will build the executable, Cryptor.exe
, that will encrypt your shellcode. Run this by: Cryptor.exe C:\Path\To\Shellcode.bin
. This generates a new file, encrypted.bin
.
Next, right click the Runner
project in the Solution Explorer on the right hand side and click "Properties". Go to Resources then add a new File resource. Navigate to the folder where encrypted.bin
was generated and add it as a resource. Then, click this new resource in the Solution Explorer and ensure that the Build Action is set to "Embedded Resource".
Now you can rebuild the entire solution. Runner.exe
will be generated and should be suitable to run your shellcode when double clicked.
Special Thanks
@xpn and @its_a_feature for their excellent blog and teaching me C/C++ respectively.