Sharp-Suite: Penetration Testing tools in C#

by do son · October 2, 2019

Sharp-Suite

SwampThing

SwampThing lets you spoof process command line args (x32/64). Essentially you create a process in a suspended state, rewrite the PEB, resume and finally revert the PEB. The end result is that logging infrastructure will record the fake command line args instead of the real ones. Think for example about launching a wmic xsl stylesheet for code execution but faking an innocuous wmic command.

C:\>SwampThing.exe -l C:\Windows\System32\notepad.exe -f C:\aaa.txt -r C:\bbb.txt

      /

     :;                \

     |l      _____     |;

     `8o __-~     ~\   d|     Swamp

      "88p;.  -._\_;.oP         Thing

       `>,% (\  (\./)8"

      ,;%%%:  ./V^^^V'

;;;,-::::::'_::\   ||\

8888oooooo.  :\`^^^/,,~--._

 oo.8888888888:`((( o.ooo888

   `o`88888888b` )) 888b8888

     b`888888888;(.,"888b888\

....  b`8888888:::::.`8888.

 `:::. `:::OOO:::::::.`OO' ;

   `.      "``::::::''.'        ~ b33f ~



[>] CreateProcess -> Suspended

[+] PE Arch                       : 64-bit

[+] Process Id                    : 10568

[+] PEB Base                      : 0xA3C2431000

[+] RTL_USER_PROCESS_PARAMETERS   : 0x20DA9760000

[+] CommandLine                   : 0x20DA9760070

[+] UNICODE_STRING |-> Len        : 66

                   |-> MaxLen     : 68

                   |-> pBuff      : 0x20DA9760658



[>] Rewrite -> RTL_USER_PROCESS_PARAMETERS

[+] RtlCreateProcessParametersEx  : 0xEAADF0

[+] RemoteAlloc                   : 0xEA0000

[+] Size                          : 1776

[?] Success, sleeping 500ms..



[>] Reverting RTL_USER_PROCESS_PARAMETERS

[+] Local UNICODE_STRING          : 0xEBC4D0

[+] Remote UNICODE_STRING.Buffer  : 0x20DA9B10000

[+] pRTL_USER_PROCESS_PARAMETERS  : 0x20DA9870FE0

[?] Success rewrote Len, MaxLen, Buffer..

DesertNut

DesertNut is a proof-of-concept for code injection using subclassed window callbacks (more commonly known as PROPagate). The pertinent part here is that this does not use any suspect thread creation API’s, instead of as implied it hijacks window callbacks. DesertNut includes two flags: “-l” to list all potential properties that could be hijacked and “-i” to inject shellcode into explorer and execute notepad. Note that this POC is only designed for x64 (tested on Win10 RS5 & Win7) since it requires custom shellcode with a specific callback function prototype. For further details please see this post by Hexacorn and this post by modexp.

SystemProcessAndThreadsInformation

While working on a side project I had to access out-of-process thread information, to do this I used NtQuerySystemInformation -> SystemProcessAndThreadInformation. As it may be helpful for reference I wrote a small wrapper around this function to list process and thread information for a specific PID. Note that I am not extracting all available information from SYSTEM_PROCESSES and SYSTEM_THREAD_INFORMATION, feel free to extend the output with a pull request.