- Utilize encrypted shellcode
- Option to include the shellcode within the executable or download shellcode from URL
- Ability to quickly switch which Windows API call is used for execution
- Ability to spawn a specified process (default: iexplore.exe) for shellcode to be injected into (for remote injection methods)
- Ability to spoof the parent process (default: explorer.exe) of target process that will be injected into (for remote injection methods)
This solution has two projects: ScEncryptor and SharpInjector. The ScEncryptor project will allow you to encrypt a .bin file containing your shellcode. The SharpInjector project will be compiled with the resulting encrypted shellcode and inject it into memory. The shellcode the project comes with simply opens calc.
- Set the encryption key in ScEncryptor\Program.cs (the key must be 16/24/32 bytes)
- Build the ScEncryptor project
- Use the resulting executable to encrypt your shellcode: `ScEncryptor.exe C:\Temp\shellcode.bin` (The encrypted shellcode will be automatically inserted in SharpInjector\Shellycode.cs)
- Optional: set `EncSc = ""` within SharpInjector\Shellycode.cs and instead host the shellcode string on the web. Set the `ShellcodeUrl` variable in SharpInjector\Program.cs to the URL of the `EncSc` string
- Set the decryption key in SharpInjector\Program.cs
- Set the `exeMethod`, `ParentName`, and `ProgramPath` variables in SharpInjector\Program.cs to desired values
- Build the SharpInjector project (set to x64 before building)
Current options for shellcode execution include the following Windows API calls:
- CreateFiber
- CreateRemoteThread
- CreateRemoteThreadEx
- CreateThread
- EtwpCreateEtwThread
- QueueUserAPC
- RtlCreateUserThread
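
On the detection side, the remote injection behaviour described above (a newly spawned target process, optionally with a spoofed parent, that then receives a remote thread) can be correlated in Sysmon telemetry. The Python below is an added example, not part of SharpInjector; it assumes Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread) records already parsed into dicts, and the sample events, GUIDs, `loader.exe` path and 10-second window are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumed threshold for a "young" target process
FMT = "%Y-%m-%d %H:%M:%S.%f"    # Sysmon UtcTime layout

# Constructed sample records using Sysmon field names
# (EventID 1 = ProcessCreate, EventID 8 = CreateRemoteThread).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:00.100", "ProcessGuid": "{A-1}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "UtcTime": "2024-05-01 10:00:00.900", "TargetProcessGuid": "{A-1}",
     "SourceImage": r"C:\Users\lab\Desktop\loader.exe",
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 09:00:00.000", "ProcessGuid": "{B-2}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "UtcTime": "2024-05-01 10:30:00.000", "TargetProcessGuid": "{B-2}",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

def find_spawn_and_inject(events, window=WINDOW):
    """Flag remote threads created in a process that was itself created less
    than `window` earlier, and note when the injector is not the recorded parent."""
    # Key on ProcessGuid rather than PID so PID reuse cannot mis-correlate.
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 8:
            continue
        proc = created.get(e["TargetProcessGuid"])
        if proc is None:
            continue  # creation event not in this batch; target age unknown
        age = datetime.strptime(e["UtcTime"], FMT) - datetime.strptime(proc["UtcTime"], FMT)
        if timedelta(0) <= age <= window:
            alerts.append({
                "target": proc["Image"],
                "source": e["SourceImage"],
                "recorded_parent": proc["ParentImage"],
                "age_ms": age // timedelta(milliseconds=1),
                # The creator normally appears as the parent; a different
                # injector is consistent with parent-process spoofing.
                "parent_mismatch": e["SourceImage"].lower() != proc["ParentImage"].lower(),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_spawn_and_inject(SAMPLE_EVENTS):
        print(alert)
```

This correlation only applies to the remote injection methods; execution inside the injector's own process creates no remote thread.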