djhohnstein/CSharpSetThreadContext djhohnstein/CSharpSetThreadContext

  • Stars
    star
    119
  • Rank 296,406 (Top 6 %)
  • Language
    C#
  • Created over 5 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
djhohnstein/CSharpSetThreadContext
github

djhohnstein

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread

Disclaimer

The code provided is "as is" and will not be supported.

CSharp SetThreadContext Shellcode Runner Example

This project is a C# port of the work @xpn did in his blog post here:

https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/

We only tackle the SetThreadContext portion here, though the building blocks to perform all three tasks are here.

This project first determines a suitable executable to spawn, decrypts shellcode using a predefined key, then uses CreateRemoteThread and SetThreadContext to ensure that the remote thread is backed by a file on disk, effectively evading Get-InjectedThread.

Usage

The solution file is in Cryptor\ThreadContextRunner.sln. Open this and view the two projects. If you wish to change the encryption key, you'll need to change it both in Cryptor and Runner projects.

Right click Cryptor in the solution pane and click "Build". This will build the executable, Cryptor.exe, that will encrypt your shellcode. Run this by: Cryptor.exe C:\Path\To\Shellcode.bin. This generates a new file, encrypted.bin.

Next, right click the Runner project in the Solution Explorer on the right hand side and click "Properties". Go to Resources then add a new File resource. Navigate to the folder where encrypted.bin was generated and add it as a resource. Then, click this new resource in the Solution Explorer and ensure that the Build Action is set to "Embedded Resource".

Now you can rebuild the entire solution. Runner.exe will be generated and should be suitable to run your shellcode when double clicked.

Special Thanks

@xpn and @its_a_feature for their excellent blog and teaching me C/C++ respectively.

More Repositories

1

SharpChromium

.NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.
C#
590
star
2

SharpWeb

.NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
C#
456
star
3

SharpShares

Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
C#
244
star
4

WireTap

.NET 4.0 Project to interact with video, audio and keyboard hardware.
C#
192
star
5

EventLogParser

Parse PowerShell and Security event logs for sensitive information.
C#
117
star
6

SharpLogger

Keylogger written in C#
C#
115
star
7

SharpSearch

Search files for extensions as well as text within.
C#
114
star
8

cliProxy

Proxy Unix applications in the terminal
Go
113
star
9

1PasswordSuite

Utilities to extract secrets from 1Password
C
107
star
10

ScatterBrain

Suite of Shellcode Running Utilities
VBScript
105
star
11

.NET-Profiler-DLL-Hijack

Implementation of the .NET Profiler DLL hijack in C#
C#
97
star
12

ProcessReimaging

Process reimaging proof of concept code
C++
94
star
13

macos_shell_memory

Execute MachO binaries in memory using CGo
C
79
star
14

KittyLitter

Credential Dumper
C#
74
star
15

TSMSISrv_poc

C# POC code for the SessionEnv dll hijack by utilizing called functions of TSMSISrv.dll
C#
54
star
16

wlbsctrl_poc

C++ POC code for the wlbsctrl.dll hijack on IKEEXT
C
49
star
17

SharpSC

Simple .NET assembly to interact with services.
C#
35
star
18

HookDetector

Playing with PE's and Building Structures by Hand
C++
22
star
19

SharpScreenshot

Dead simple C# project to take a screenshot.
C#
17
star
20

CSharpCreateThreadExample

C# code to run PIC using CreateThread
C#
17
star
21

spfwalker

Tool to walk SPF records for relevant domain names and Whois information.
Go
16
star
22

librarian

Shared library loading application for Linux written in Go.
Go
16
star
23

SharpEdge

C# Implementation of Get-VaultCredential
C#
14
star
24

GitSecrets

Script to help enumerate and dig through Github and Github Enterprise installations.
Python
14
star
25

gosharedlib

Shared library example to be loaded by the github.com/djhohnstein/librarian application
Go
10
star
26

ghidorah

Golang Brute Force Tool
Go
9
star
27

portscanner

Golang portscanning tool
Go
5
star
28

essdp_fork

Fork of Evil SSDP from InitString. Adds base64 authentication, redirect urls and customizable realm options for internal phishing.
Python
4
star
29

polarbearrepo

C++
3
star
30

CPPWebClient

Web client to wrap GET and POST requests in C++
C++
3
star
31

PowerShell-Book-Labs

PowerShell labs from various books
PowerShell
2
star
32

DerbyCon2019

Code & Slides For DerbyCon 2019
C#
2
star
33

Vuln-Server-Exploits

Exploits for Vuln Server (http://www.thegreycorner.com/2010/12/introducing-vulnserver.html)
Python
1
star
34

all-MiniLM-L6-v2-tfjs

all-MiniLM-L6-v2-tfjs
1
star