{"id":13840913,"url":"https://github.com/Kara-4search/MappingInjection_CSharp","last_synced_at":"2025-07-11T09:33:57.138Z","repository":{"id":136107006,"uuid":"399383104","full_name":"Kara-4search/MappingInjection_CSharp","owner":"Kara-4search","description":"MappingInjection via csharp","archived":false,"fork":false,"pushed_at":"2021-11-19T22:14:23.000Z","size":117,"stargazers_count":37,"open_issues_count":0,"forks_count":13,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-19T03:48:34.033Z","etag":null,"topics":["bypass-antivirus","bypassedr","csharp","mappinginject","mapviewoffile2","pentest","processinjection","redteam","shellcode"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kara-4search.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-08-24T08:01:08.000Z","updated_at":"2024-08-12T20:15:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"0efbaed5-dfd5-433a-bc94-5fdd629895a2","html_url":"https://github.com/Kara-4search/MappingInjection_CSharp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FMappingInjection_CSharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FMappingInjection_CSharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FMappingInjection_CSharp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4searc
h%2FMappingInjection_CSharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kara-4search","download_url":"https://codeload.github.com/Kara-4search/MappingInjection_CSharp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712817,"owners_count":17512495,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass-antivirus","bypassedr","csharp","mappinginject","mapviewoffile2","pentest","processinjection","redteam","shellcode"],"created_at":"2024-08-04T17:00:59.446Z","updated_at":"2024-11-21T10:30:56.919Z","avatar_url":"https://github.com/Kara-4search.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"# MappingInjection_CSharp\n\nBlog link: working on it\n\n- Mapping Injection: just another Windows process injection technique.\n- Mapping injection is a process injection technique that avoids the commonly monitored calls VirtualAllocEx and WriteProcessMemory.\n- This is achieved by calling MapViewOfFile2() after some preliminary steps to \"prepare\" the memory with the required shellcode.\n- Works on both x64 and x86.\n- Supported OS:\n\t* **Windows 10 / Windows Server 2016, version 1703 (build 10.0.15063) and later.**\n- For the function \"MapViewOfFile2()\", I could not find any definition, even on the p/invoke website.\n\t* So I converted the [original version](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-mapviewoffile2) to C#,\n\t* but, unluckily, that did not work.\n\t* The [page](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-mapviewoffile2) says that \"MapViewOfFile2()\" is in kernel32.dll, but you actually get the error: cannot find the entry point of the function.\n\t* Looking at the definition of MapViewOfFile2() in \"memoryapi.h\", I noticed that it is just a wrapper for the function MapViewOfFileNuma2().\n\t* **The function MapViewOfFileNuma2() is imported from Kernelbase.dll or Api-ms-win-core-memory-l1-1-5.dll.**\n\t* I have no idea what the difference between the \"MapViewOfFileNuma2\" exports of these two DLLs is; feel free to tell me~\n\t* In this project, I use Kernelbase.dll.\n- Here is the definition of MapViewOfFileNuma2:\n```\n// MapViewOfFile2 is just an inline function that calls MapViewOfFileNuma2 with\n// NUMA_NO_PREFERRED_NODE as the preferred node.\nWINBASEAPI PVOID WINAPI MapViewOfFileNuma2(HANDLE aFileMapping, HANDLE aProcess,\n                                           ULONG64 aOffset, PVOID aBaseAddress,\n                                           SIZE_T aViewSize,\n                                           ULONG aAllocationType,\n                                           ULONG aPageProtection,\n                                           ULONG aPreferredNode);\n```\n- Compared with MapViewOfFile2, you can see there is indeed a small difference: the extra parameter ULONG aPreferredNode.\n- **Its preferred node is set to NUMA_NO_PREFERRED_NODE, where NUMA_NO_PREFERRED_NODE = 0xffffffff.**\n- **The original shellcode is a messagebox - \"Hello via syscall\", but it is not actually a syscall~**\n```\n            /*   Messagebox shellcode   */\n            byte[] buf1 = new byte[328] {\n                 0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0xe8, 0xd0, 0x00, 0x00,\n                 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65,\n                 0x48, 0x8b, 0x52, 0x60, 0x3e, 0x48, 0x8b, 0x52, 0x18, 0x3e, 0x48, 0x8b,\n                 0x52, 0x20, 0x3e, 0x48, 0x8b, 0x72, 0x50, 0x3e, 0x48, 0x0f, 0xb7, 0x4a,\n                 
0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02,\n                 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52,\n                 0x41, 0x51, 0x3e, 0x48, 0x8b, 0x52, 0x20, 0x3e, 0x8b, 0x42, 0x3c, 0x48,\n                 0x01, 0xd0, 0x3e, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0,\n                 0x74, 0x6f, 0x48, 0x01, 0xd0, 0x50, 0x3e, 0x8b, 0x48, 0x18, 0x3e, 0x44,\n                 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x5c, 0x48, 0xff, 0xc9, 0x3e,\n                 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31,\n                 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75,\n                 0xf1, 0x3e, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd6,\n                 0x58, 0x3e, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x3e, 0x41,\n                 0x8b, 0x0c, 0x48, 0x3e, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x3e,\n                 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e,\n                 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20,\n                 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x3e, 0x48, 0x8b, 0x12,\n                 0xe9, 0x49, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xc7, 0xc1, 0x00, 0x00, 0x00,\n                 0x00, 0x3e, 0x48, 0x8d, 0x95, 0x1a, 0x01, 0x00, 0x00, 0x3e, 0x4c, 0x8d,\n                 0x85, 0x35, 0x01, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x45, 0x83,\n                 0x56, 0x07, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0xba, 0xa6,\n                 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c,\n                 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,\n                 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x48, 0x65, 0x6C, 0x6C, 0x6F,\n                 0x20, 0x77, 0x6F, 0x72, 0x6C, 0x64, 0x20, 0x76, 0x69, 0x61, 0x20, 0x73,\n                 0x79, 0x73, 0x63, 
0x61, 0x6C, 0x6C, 0x00, 0x41, 0x50, 0x49, 0x20, 0x54,\n                 0x65, 0x73, 0x74, 0x00\n             };\n```\n\n\n## Usage\n1. Replace the shellcode with your own.\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/MappingInject_shellcode.png)\n2. Set the name of the process you want to inject into.\n\t* The default name in the project is Powershell.\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/MappingInject_processname.png)\n3. The messagebox shows up.\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/MappingInject_messagebox.png)\n\n## TO-DO list\n- Update with \"Early Bird\" - DONE\n\t* Based on another project of mine (https://github.com/Kara-4search/EarlyBirdInjection_CSharp).\n\t* All in \"MappingEarlyBirdInjection.cs\".\n\n\n## Update history\n- Update with \"Early Bird\" process injection - 20210830\n- Fix bugs for [issue #1](https://github.com/Kara-4search/MappingInjection_CSharp/issues/1) (both MappingEarlyBirdInjection and MappingInjection) - 20211120\n\t* Haven't tested that on x86 though.\n\n\n## Reference links\n1. https://breakdev.org/defeating-antivirus-real-time-protection-from-the-inside/\n2. https://github.com/antonioCoco/Mapping-Injection\n3. https://hakin9.org/mapping-injection-just-another-windows-process-injection/\n4. https://idiotc4t.com/code-and-dll-process-injection/mapping-injection\n5. http://blog.leanote.com/post/snowming/a0366d1d01bf\n6. https://idiotc4t.com/defense-evasion/load-ntdll-too\n7. https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection\n8. http://pinvoke.net/default.aspx/kernel32/CreateFileMapping.html\n9. https://www.displayfusion.com/Discussions/View/converting-c-data-types-to-c/?ID=38db6001-45e5-41a3-ab39-8004450204b3\n10. https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-mapviewoffilenuma2\n11. https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-mapviewoffile2\n12. https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants\n13. http://pinvoke.net/default.aspx/kernel32.MapViewOfFile","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKara-4search%2FMappingInjection_CSharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKara-4search%2FMappingInjection_CSharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKara-4search%2FMappingInjection_CSharp/lists"}